Privacy Policy
Last updated: May 8, 2026
Effective date: May 8, 2026
1. Introduction
This Privacy Policy explains how Verais ("Verais," "we," "us," or "our") collects, uses, shares, and protects information when you use our cash management software-as-a-service product, including our website at verais.io and any associated services (collectively, the "Service").
We respect your privacy. This policy is written in plain English wherever possible, and we explain any legal terms we have to use. If anything is unclear, email us at official@verais.io and we'll explain.
This policy applies to anyone who uses Verais — whether you're a visitor to our website, a registered user of the Service, or someone whose personal data is processed by a Verais customer using the Service on their own users' or employees' behalf.
2. Who we are (Data Controller)
The data controller responsible for your personal data is:
Anastasija K.
Operating Verais as a sole proprietor
Belgrade, Serbia
Contact: official@verais.io
For any questions about this policy or how we handle your data, email official@verais.io. We aim to respond to all privacy-related requests within 30 days, in line with applicable law.
3. What personal data we collect
We only collect data we actually need. Here's exactly what we collect and when:
3.1 When you visit our website
- Technical data: IP address, browser type and version, device type, operating system, time zone, referring URL.
- Usage data: Pages visited, time spent, links clicked.
This is collected automatically through standard server logs and (where applicable) analytics tools. We use this to keep the Service secure, troubleshoot issues, and understand how people use our website.
3.2 When you create an account
- Identity data: Email address, password (stored as a salted hash — we never see your actual password).
- Profile data: First name, last name, role/job title (when you provide them during onboarding).
- Workspace data: A default workspace name generated from your email, which you can change.
3.3 When you use the Service
- Financial data you enter: Cash bucket names, balances, transaction descriptions, amounts, dates, vendor names, categories. This is data you input — we do not connect to your bank or read your accounts directly.
- Audit log data: Records of actions taken in your account (e.g., bucket created, transaction added) including timestamps, the user who performed the action, and IP address. This exists for security and accountability.
- AI feature data: When you use the Smart Bank Suggestions feature, your financial data is sent to our AI subprocessor (Anthropic) to generate suggestions. See Section 6 for details.
3.4 When you contact us
- Email address, name, content of your message, and any other information you choose to share.
3.5 What we do NOT collect
To be clear about what we don't do:
- We do not collect special category data (e.g., health, biometrics, political views, religion) — this isn't relevant to a cash management product.
- We do not buy data from third-party data brokers.
- We do not collect data from children under 16. The Service is for businesses and adults.
- We do not track you across other websites for advertising purposes.
4. Why we collect this data (Lawful basis under GDPR)
Under the EU General Data Protection Regulation (GDPR) and equivalent laws, we must have a legal reason ("lawful basis") for processing your data. Our reasons are:
| What we use the data for | Lawful basis |
|---|---|
| Creating and managing your account | Contract — we need this data to provide the Service you signed up for (Article 6(1)(b)) |
| Processing your financial data within the Service | Contract — this is the core of what you pay us to do |
| Sending you transactional emails (verification, password reset, account notifications) | Contract — required to provide the Service |
| Keeping the Service secure and preventing fraud | Legitimate interest — protecting our users and our business (Article 6(1)(f)) |
| Improving the Service | Legitimate interest — understanding how the Service is used so we can make it better |
| Sending marketing emails (only if you opt in) | Consent — you can withdraw at any time (Article 6(1)(a)) |
| Complying with legal obligations (e.g., tax records, responding to lawful requests) | Legal obligation (Article 6(1)(c)) |
If we ever process your data for a new purpose, we'll update this policy and (where required) ask for your consent.
5. How long we keep your data (Retention)
We don't keep data forever. Specifically:
- Account data (email, profile): For as long as your account is active. If you delete your account, we delete this data within 30 days, except where we're required to keep it for legal reasons (see below).
- Financial data you enter: For as long as your account is active. Deleted within 30 days of account deletion.
- Audit logs: Kept for 12 months for security purposes, then deleted.
- Transactional email logs: Kept for 12 months.
- Backup data: Our hosting providers (Supabase, Vercel) retain backups on rolling cycles of up to 30 days. Your deleted data may persist in backups for this period before being fully purged.
- Records we're legally required to keep: Some data (e.g., financial records for tax purposes, records of consent) may be retained for up to 6 years as required by Serbian and applicable law, even after account deletion.
6. Who we share your data with (Subprocessors and third parties)
We do not sell your personal data. We do share data with a small number of trusted service providers ("subprocessors") who help us run the Service. Each is bound by data processing agreements requiring them to handle your data as carefully as we do.
Our current subprocessors
| Subprocessor | What they do | Where they're based | What data they process |
|---|---|---|---|
| Supabase (Supabase Inc., Delaware, USA) | Database hosting, authentication | USA, EU | All account and Service data |
| Vercel (Vercel Inc., Delaware, USA) | Website and application hosting | USA, EU (data residency available) | Website traffic, request logs |
| Anthropic (Anthropic, PBC, California, USA) | AI features (Smart Bank Suggestions) | USA | Financial data sent during AI requests, processed transiently and not used to train models |
If we add or change subprocessors, we'll update this policy and (where required) notify users in advance.
Other parties we may share data with
- Legal authorities when required by law, court order, or to protect rights, property, or safety.
- Professional advisors (lawyers, accountants, auditors) under confidentiality obligations.
- Successor entities if Verais is acquired, merged, or sold — you'll be notified, and the new entity must honor this policy.
7. International data transfers
Some of our subprocessors are located in the United States. When your data is transferred outside the EU/EEA or the United Kingdom, we rely on:
- Standard Contractual Clauses (SCCs) — EU-approved contracts that bind the recipient to GDPR-equivalent protection.
- Adequacy decisions where applicable.
- Additional technical and organizational measures (encryption in transit and at rest).
You can request a copy of our SCCs by emailing official@verais.io.
8. Your rights
Depending on where you live, you have rights over your personal data. We honor these rights regardless of your location — even if local law doesn't strictly require it.
8.1 Rights under GDPR (EU/EEA, UK)
- Right of access: Get a copy of the personal data we hold about you.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Ask us to delete your data. We provide an in-product account deletion option.
- Right to restriction: Ask us to limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format (JSON or CSV).
- Right to object: Object to processing based on legitimate interest, including any direct marketing.
- Right to withdraw consent: Where we rely on consent, you can withdraw it at any time.
- Right to lodge a complaint: With your local data protection authority. In Serbia, this is the Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs).
8.2 Rights under CCPA / CPRA (California residents)
If you are a California resident:
- Right to know: What personal information we collect, use, and share.
- Right to delete: Request deletion of your personal information.
- Right to correct: Request correction of inaccurate information.
- Right to opt out of sale or sharing: We do not sell your personal information. We do not share it for cross-context behavioral advertising.
- Right to limit use of sensitive personal information: We don't process sensitive personal information for purposes beyond providing the Service.
- Right to non-discrimination: We won't deny service or charge you more for exercising your rights.
To exercise any California rights, email official@verais.io with the subject line "California Privacy Request."
8.3 Rights under LGPD (Brazil)
If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) gives you similar rights to GDPR, including access, correction, anonymization, deletion, portability, and information about sharing. To exercise these rights, email official@verais.io.
8.4 How to exercise your rights
Email official@verais.io with:
- The right you wish to exercise (e.g., "I'd like to access my data" or "Please delete my account")
- Enough information for us to identify you (typically the email address on your account)
We will respond within 30 days. We may need to verify your identity before acting on your request — this protects you from someone else trying to access your data.
For account deletion specifically, you can also use the in-product Delete Account option in your settings.
We provide these services free of charge. We may charge a reasonable fee or refuse your request if it is manifestly unfounded or excessive — but this is rare.
9. Cookies and similar technologies
We use a small number of cookies and similar technologies. Specifically:
- Strictly necessary cookies: Required for the Service to work (e.g., authentication session cookies). These cannot be disabled.
- Functional cookies: Remember your preferences (e.g., language).
- Analytics cookies: When we add analytics, we'll update this section and request your consent.
We will display a cookie consent banner before placing any non-essential cookies. You can change your preferences at any time through the banner or your browser settings.
10. Security
We take the security of your data seriously. Our measures include:
- Encryption in transit: All connections to the Service use TLS 1.2 or higher.
- Encryption at rest: Data stored in Supabase is encrypted at the database level.
- Password hashing: Your password is hashed using bcrypt (we never see or store the original).
- Row-Level Security: Each user's data is isolated at the database level — even our own application code can't accidentally show one user's data to another.
- Audit logging: Sensitive actions are logged with timestamps, user identity, and IP address.
- Limited access: Only authorized personnel can access production systems.
- Regular updates: Our software dependencies are kept up to date with security patches.
No system is 100% secure. If we ever experience a data breach affecting your personal data, we will notify you and (where required) the relevant authorities within 72 hours of becoming aware, in line with GDPR Article 33.
11. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please email official@verais.io and we will delete it promptly.
12. Changes to this policy
We may update this policy from time to time. When we do:
- We will update the "Last updated" date at the top.
- For material changes, we will notify users via email or an in-product notice at least 30 days before the changes take effect.
- Continued use of the Service after the effective date means you accept the updated policy.
You can always find the current version at verais.io/privacy.
13. Contact us
For any questions, requests, or concerns about this policy or your data:
Email: official@verais.io
Subject line suggestion: "Privacy request" or "Privacy question"
If you are not satisfied with our response, you can lodge a complaint with the data protection authority in your country. In Serbia, this is the Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs).
This policy was last updated on May 8, 2026.