Privacy Policy
Effective Date: April 16, 2025 · Last Updated: April 16, 2025
GYANMATRIX ACADEMY PRIVATE LIMITED
India
privacy@veril.ai
Veril.ai
About This Policy
- This Privacy Policy explains how GYANMATRIX ACADEMY PRIVATE LIMITED (“Company”, “we”, “us”, or “our”) collects, uses, stores, discloses, and protects information when you access or use the Veril.ai platform (“Platform”, “Service”).
- By accessing or using Veril.ai, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please discontinue use of the Platform immediately.
- This Policy applies to all users — individuals, teams, and business customers — who create an account and use the Veril.ai Service.
1. Definitions
The following terms have the meanings set out below throughout this Privacy Policy:
| Term | Definition |
|---|---|
| Personal Data | Any information that identifies or can reasonably identify a natural person, including name, email address, device identifiers, or usage patterns. |
| Processing | Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion. |
| Controller | The entity that determines the purposes and means of processing Personal Data. GYANMATRIX ACADEMY PRIVATE LIMITED is the Data Controller for Veril.ai. |
| Processor | A third party that processes Personal Data on behalf of the Controller under a written agreement. |
| User | Any individual or authorised representative of a business entity who creates an account and uses the Veril.ai Platform. |
| Uploaded Content | Documents, files, prompts, datasets, images, or other materials that Users upload or submit to the Platform for processing. |
| Output | AI-generated responses, analyses, summaries, or other results produced by the Platform in response to User inputs. |
| DPDP Act | The Digital Personal Data Protection Act, 2023 (India). |
| GDPR | The General Data Protection Regulation (EU) 2016/679. |
| CCPA / CPRA | The California Consumer Privacy Act (2018) as amended by the California Privacy Rights Act (2020). |
2. Who We Are & How to Contact Us
GYANMATRIX ACADEMY PRIVATE LIMITED is the Data Controller responsible for your Personal Data. Our flagship SaaS product, Veril.ai, is an AI-powered platform that enables users to leverage large language model (LLM) capabilities to create, analyse, summarise, and manage content — including documents, assessments, curriculum, knowledge bases, and related materials — through an intelligent, conversation-driven interface.
| Legal Entity | GYANMATRIX ACADEMY PRIVATE LIMITED |
| Product | Veril.ai |
| Country of Incorporation | India |
| Privacy Contact | privacy@veril.ai |
| Grievance Officer (India) | Reachable at privacy@veril.ai — responses within 30 days per DPDP Act |
3. Data We Collect
We collect information in three primary ways: data you actively provide, data collected automatically as you use the Platform, and data derived from Uploaded Content you submit.
3.1 Account & Registration Data
When you create an account on Veril.ai, we collect:
- Full name and display name
- Business email address
- Password (stored as a one-way cryptographic hash; we never store plaintext passwords)
- Organisation name and role (for business accounts)
- Billing name and address (for paid plans; payment card details are processed exclusively by our payment processor and are not stored on our servers)
- Country and preferred language settings
3.2 Usage & Interaction Data
As you use the Platform, we automatically collect:
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and session duration
- Feature interaction logs: which modules, prompts, and AI functions you use, button clicks, and workflow events
- Device identifiers: device type, screen resolution, and similar technical metadata
- AI interaction history: your prompts/inputs and the Outputs generated during a session, stored to enable conversation continuity
- Error and performance telemetry: crash logs, latency metrics, and system health data used solely for debugging and service improvement
3.3 Uploaded Content
Users may upload documents, datasets, PDFs, images, spreadsheets, and other files to the Platform for AI-assisted processing. This Uploaded Content is stored temporarily on our servers for the duration of the processing task unless the User explicitly saves it to their workspace.
Important notices regarding Uploaded Content:
- You retain full ownership of all Uploaded Content.
- We do not use Uploaded Content to train, fine-tune, or improve any underlying AI model without your explicit, opt-in consent.
- Uploaded Content is stored in encrypted form and is logically isolated by account.
- You may delete Uploaded Content at any time through the Platform dashboard.
3.4 Cookies & Analytics Technologies
| Category | Tool / Provider | Purpose | Duration |
|---|---|---|---|
| Strictly Necessary | Internal session cookies | Authentication, CSRF protection, session management | Session |
| Functional | Internal preference cookies | User settings, language, theme preferences | 12 months |
| Analytics | PostHog (self-hosted) | Product analytics, feature usage, funnel analysis | 12 months |
| Analytics | Google Analytics 4 | Aggregate traffic analysis and audience insights | 24 months |
| Error Monitoring | Sentry | Real-time error tracking and performance monitoring | 90 days |
You can manage cookie preferences at any time via our Cookie Preference Centre, accessible from the footer of the Platform. Strictly Necessary cookies cannot be disabled as they are essential for the Platform to function.
3.5 Data We Do Not Collect
We do not intentionally collect or process:
- Sensitive personal data (health, biometric, genetic, racial or ethnic origin, sexual orientation, political opinions, religious beliefs, or financial account numbers) — users must not upload such data to the Platform
- Personal data of children under 18 years of age (see Section 13)
- Raw payment card numbers, CVVs, or bank account credentials
4. How We Use Your Data
We process your data only where we have a valid legal basis. The table below maps our processing activities to their legal bases under applicable law:
| Purpose of Processing | Data Involved | Legal Basis |
|---|---|---|
| Provide and operate the Veril.ai Service | Account data, usage data, Uploaded Content, Outputs | Performance of contract (GDPR Art. 6(1)(b)); DPDP Act legitimate use |
| Authenticate users and secure accounts | Account data, device data, session cookies | Legitimate interest; legal obligation |
| Process payments and manage subscriptions | Billing data (via payment processor) | Performance of contract |
| Send transactional emails | Email address, account status | Performance of contract; legitimate interest |
| Provide customer support | Account data, support ticket content | Legitimate interest; performance of contract |
| Improve Platform features and UX | Anonymised/aggregated usage data | Legitimate interest (GDPR Art. 6(1)(f)) |
| Send product updates and marketing (opt-in) | Email address, usage segment | Consent (GDPR Art. 6(1)(a)) |
| Comply with legal obligations | Any data required by law | Legal obligation (GDPR Art. 6(1)(c)); DPDP Act |
| Detect, prevent, and investigate fraud | Log data, account data, IP address | Legitimate interest; legal obligation |
| AI model inference | Prompts and Uploaded Content per session | Performance of contract |
5. AI Processing & Model Usage Policy
Veril.ai is an AI-powered platform. This section explains precisely how your inputs and content interact with AI systems.
5.1 Model Infrastructure
The AI capabilities of Veril.ai are powered by large language models (LLMs) provided through APIs from trusted third-party AI providers. We do not operate our own foundational AI models. Our AI providers process prompts through secure, enterprise-grade API agreements that include data processing addenda.
5.2 Data Storage & Session Retention
- Your prompts and AI Outputs within a session are stored to enable session continuity and conversation history within the Platform.
- Stored conversation history can be reviewed, exported, or permanently deleted by you at any time from the Platform settings.
- Uploaded Content submitted to the Platform is stored for the duration needed to complete the processing task. Users may configure automatic deletion timelines from their account dashboard.
5.3 AI Model Training — Our Commitment
Our Commitment: Your Data Is Not Used to Train AI Models
- We do NOT use your personal data, prompts, Uploaded Content, or Outputs to train, fine-tune, retrain, or otherwise improve any AI model — our own or those of third-party providers — without your explicit, separate, written opt-in consent.
- Our AI API providers are contractually bound under their enterprise terms not to use API-submitted data for model training.
- Aggregate, fully anonymised, and de-identified analytics may be used internally to improve the Platform experience — never AI model weights.
5.4 Output Privacy
AI Outputs generated for your account are private by default and are not shared with other users or third parties. Outputs are only accessible to: (a) you and authorised members of your workspace; (b) our technical team for debugging, with access strictly logged and controlled; and (c) legal or regulatory bodies when required by applicable law.
6. How We Share Your Data
We do not sell, rent, or trade your Personal Data. We share data only in the following limited circumstances:
6.1 Sub-Processors & Third-Party Service Providers
| Category | Provider | Data Processed |
|---|---|---|
| Cloud Infrastructure | AWS / Google Cloud | All Platform data — stored in encrypted form |
| AI API Provider | OpenAI / Anthropic | Prompts and Uploaded Content for inference |
| Payment Processing | Stripe / Razorpay | Billing name, address, and payment token |
| Email Delivery | SendGrid / Postmark | Email address and transactional email content |
| Product Analytics | PostHog (self-hosted) | Anonymised usage events |
| Error Monitoring | Sentry | Error stack traces and limited log context |
| Customer Support | Intercom / Freshdesk | Support ticket content and account identifiers |
6.2 Legal Disclosures
We may disclose your data where required to do so by applicable law, regulation, court order, or government authority. We will, where legally permissible, notify you of such requests before disclosure.
6.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of substantially all our assets, your data may be transferred to the acquiring entity. We will notify you by email and/or a prominent notice on the Platform prior to such transfer.
6.4 Aggregated & De-identified Data
We may share aggregate, de-identified, and anonymised data (from which individual identities cannot reasonably be derived) with partners, researchers, or the public for analytical, benchmarking, or promotional purposes.
7. International Data Transfers
GYANMATRIX ACADEMY PRIVATE LIMITED is incorporated in India. Your data may be processed in countries other than your own. When we transfer Personal Data outside of India, the EEA, or the UK, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (for EEA data)
- UK International Data Transfer Agreements (IDTAs) (for UK data)
- Adequacy decisions where applicable
- Data Processing Agreements with sub-processors requiring equivalent protections
Users in the EU/EEA may request a copy of the applicable transfer safeguards by contacting privacy@veril.ai.
8. Data Retention Policy
We retain your data only for as long as necessary to fulfil the purposes described in this Policy. The following table outlines our standard retention schedules:
| Data Category | Retention Period | Basis / Notes |
|---|---|---|
| Account & Registration Data | Duration of account + 3 years | Contract performance; legal obligation |
| AI Conversation History | User-controlled (default: 1 year) | User may delete at any time |
| Uploaded Content (processed) | 30 days post-processing | User may configure shorter periods |
| Usage & Interaction Logs | 13 months | Analytics continuity; fraud detection |
| Billing Records | 7 years | Indian tax and accounting; GST compliance |
| Support Ticket Content | 3 years from ticket closure | Quality assurance and dispute resolution |
| Security & Audit Logs | 2 years | Legal obligation; security investigation |
| Marketing Preferences | Until opt-out + 1 year | Consent record keeping |
| Anonymised Analytics | Indefinite | No personal data — aggregate improvement |
Upon account deletion, we will permanently delete or anonymise your Personal Data within 90 days, except where retention is required by law. Backups are purged on a rolling 30-day schedule.
9. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights with respect to your Personal Data:
| Your Right | What It Means | How to Exercise |
|---|---|---|
| Right to Access | Obtain a copy of the Personal Data we hold about you | Submit a request to privacy@veril.ai |
| Right to Rectification | Correct inaccurate or incomplete Personal Data | Update via account settings or contact us |
| Right to Erasure | Request deletion of your Personal Data | Account settings > Delete Account, or email us |
| Right to Restriction | Restrict our processing of your data | Contact privacy@veril.ai |
| Right to Portability | Receive your data in a structured, machine-readable format | Export via dashboard or contact us |
| Right to Object | Object to processing based on legitimate interests | Unsubscribe link in emails, or contact us |
| Right to Withdraw Consent | Withdraw consent at any time | Cookie Centre or privacy@veril.ai |
| Right to Non-Discrimination | Not receive inferior service for exercising your rights (CCPA) | Automatic — no action needed |
| Right to Correction (DPDP) | Correct inaccurate personal data (India DPDP Act) | Account settings or privacy@veril.ai |
| Right to Grievance Redressal | Lodge a complaint with our Grievance Officer (India DPDP Act) | Email privacy@veril.ai — responded within 30 days |
We will respond to verified rights requests within 30 days. We may require identity verification before processing requests. There is no fee for exercising your rights.
California Residents: You have the additional right to opt out of the ‘sale’ or ‘sharing’ of personal information. Veril.ai does not sell or share personal information for cross-context behavioural advertising.
To exercise any rights, contact us at privacy@veril.ai with the subject line “Privacy Rights Request — [Your Right]”.
10. Security Measures
We implement technical and organisational security measures designed to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
10.1 Technical Safeguards
- Encryption in transit: All data transmitted between your browser/client and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: All stored Personal Data and Uploaded Content is encrypted using AES-256
- Password security: Passwords are hashed using bcrypt with a unique salt; we never store plaintext passwords
- Access controls: Role-based access control (RBAC) with the principle of least privilege; privileged access requires multi-factor authentication (MFA)
- Vulnerability management: Regular automated dependency scanning, penetration testing, and code security reviews
- Infrastructure security: Network segmentation, Web Application Firewall (WAF), DDoS mitigation, and intrusion detection systems
- Audit logging: All access to Personal Data by internal personnel is logged, timestamped, and regularly reviewed
10.2 Organisational Safeguards
- Security awareness training for all personnel with access to Personal Data
- Data Processing Agreements with all sub-processors
- Background verification for personnel handling sensitive data
- Incident response plan tested at least annually
- Data Protection Impact Assessments (DPIAs) for high-risk processing activities
10.3 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required under GDPR); and (b) notify affected Users without undue delay where the breach is likely to result in high risk.
11. Regulatory Compliance
11.1 GDPR (European Union / EEA)
For users in the European Union or EEA, we act as the Data Controller under GDPR. Our legal bases for processing are detailed in Section 4. You have the right to lodge a complaint with your local supervisory authority.
11.2 CCPA / CPRA (California, USA)
- Categories of personal information collected: identifiers, commercial information, internet/network activity, and inferences drawn from usage data
- We do not sell personal information and do not share it for cross-context behavioural advertising
- California residents have the right to limit use of sensitive personal information — Veril.ai does not process sensitive personal information as defined under CPRA
11.3 Digital Personal Data Protection Act, 2023 (India)
Veril.ai complies with the DPDP Act, 2023 as a Data Fiduciary incorporated in India. Our obligations include:
- Processing personal data only for lawful purposes with the Data Principal's consent or other permitted grounds
- Appointing a Grievance Officer accessible via privacy@veril.ai to address complaints within 30 days
- Implementing reasonable security safeguards (Section 10 of this Policy)
- Notifying the Data Protection Board of India and affected users of personal data breaches as required
- Ensuring cross-border data transfers comply with applicable Central Government notifications
- Respecting Data Principals' rights to access, correct, erase, and grieve data processing
12. Cookie Management
When you first visit Veril.ai, we display a Cookie Consent Banner that allows you to accept or decline non-essential cookies. Your preferences are saved and respected across sessions.
You may also manage cookie settings at any time by:
- Visiting the Cookie Preference Centre in the Platform footer or Settings menu
- Adjusting your browser settings to block or delete cookies — note this may affect Platform functionality
- Using browser extensions such as uBlock Origin or Privacy Badger
13. Children's Data
Children Under 18 Are Not Permitted to Use Veril.ai
- Veril.ai is designed for and directed at adults (18 years of age and older).
- We do not knowingly collect Personal Data from children under the age of 18.
- If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at privacy@veril.ai.
- If we discover that we have inadvertently collected data from a minor, we will immediately delete it.
14. Third-Party Links & Integrations
The Platform may contain links to third-party websites, services, or integrations. This Privacy Policy does not apply to third-party sites or services. We encourage you to review the privacy policies of any third-party services you access through Veril.ai.
When you connect third-party integrations (e.g., Google Drive, Notion, Slack), you authorise us to access the data you permit through those integrations. We process such data solely to provide you the requested feature and in accordance with this Policy.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated Policy on this page with a revised "Last Updated" date
- Send an email notification to registered users at least 14 days before the changes take effect
- Display a prominent in-app notice for material changes affecting your rights
Your continued use of Veril.ai after the effective date constitutes your acceptance of the updated terms.
16. Contact Us & How to Complain
GYANMATRIX ACADEMY PRIVATE LIMITED
Attn: Privacy & Data Protection Officer
Email: privacy@veril.ai
We aim to respond to all enquiries within 10 business days, and all formal rights requests within 30 calendar days.
16.1 Right to Lodge a Complaint
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority:
- EU / EEA: Your local Data Protection Authority (DPA) — see https://edpb.europa.eu
- UK: Information Commissioner's Office (ICO) — https://ico.org.uk
- India: The Data Protection Board of India (once constituted under the DPDP Act, 2023)
- California: California Privacy Protection Agency (CPPA) — https://cppa.ca.gov
This Privacy Policy is effective as of April 16, 2025 and supersedes all prior versions.
GYANMATRIX ACADEMY PRIVATE LIMITED | Veril.ai | privacy@veril.ai