Who we are
VeroFlag provides screening workflow software for business and professional users. The service helps users screen people and organisations against sanctions, PEP, watchlist, company, and related public-source risk data, record review decisions, and monitor records.
- Legal name: VeroFlag
- Trading name: VeroFlag
- Contact email: support@veroflag.com
- Privacy contact: support@veroflag.com
- Privacy and DPO contact: support@veroflag.com
- Registered jurisdiction: England and Wales
If you have a privacy question or want to exercise a data protection right, contact support@veroflag.com.
Our role
For account administration, website operation, security, billing, service analytics, support, and our public-source screening index, VeroFlag normally acts as a controller.
When a customer submits personal data about a person or organisation to run a screening, the customer normally decides why that screening is run and is responsible for having a lawful basis to do so. For that customer-submitted screening data, VeroFlag normally acts as the customer's processor or service provider, except where we need to use limited data as a controller for security, abuse prevention, service integrity, legal compliance, billing, or defence of legal claims.
Personal data we process
- Account and workspace data, including names, email addresses, roles, group memberships, invitation status, MFA settings, and authentication events.
- Business contact data, including messages, support requests, sales enquiries, and product feedback.
- Screening inputs submitted by users, such as names, entity type, date of birth, country, identifiers, notes, assigned reviewer, group, and case context.
- Screening outputs, including candidate matches, match scores, source URLs, source dataset names, topics, aliases, identifiers, reviewer decisions, monitoring status, and audit events.
- Public-source data used for screening, including sanctions, PEP, watchlist, enforcement, company, maritime, securities, and related data made available by OpenSanctions and underlying source publishers.
- Usage, security, and diagnostic data, including IP address, device and browser data, timestamps, pages or routes used, request metadata, error logs, and rate-limit events.
- Payment and subscription metadata handled through Stripe, where billing is enabled. We do not store full card numbers.
Where data comes from
- You, your employer, your workspace administrators, or other authorised users.
- Authentication, email, hosting, database, payment, and security providers used to run the service.
- OpenSanctions and the public, official, or third-party source datasets that OpenSanctions aggregates and normalises.
- Information produced by the VeroFlag service, such as review events, audit logs, monitoring changes, and match explanations.
Why we use personal data
- To provide, secure, maintain, and improve the VeroFlag service.
- To create and manage accounts, workspaces, groups, memberships, invitations, and authentication.
- To run screening, generate candidate matches, show source evidence, preserve audit history, and support monitoring workflows.
- To provide support, respond to enquiries, send service notices, and manage beta or paid access.
- To manage billing, subscriptions, usage limits, invoices, payment status, and related account administration.
- To prevent abuse, investigate security incidents, enforce our terms, comply with law, and protect legal rights.
Lawful bases
Depending on the activity, we rely on one or more lawful bases under UK GDPR and EU GDPR:
- Contract: to provide the service, administer accounts, support users, and manage paid or beta access.
- Legitimate interests: to secure, maintain, improve, and monitor the service, prevent misuse, respond to business enquiries, and provide source-backed screening functionality in a proportionate way.
- Legal obligation: to comply with tax, accounting, company, sanctions, regulatory, court, law-enforcement, or data protection obligations that apply to us.
- Consent: where we ask for optional marketing, non-essential cookies, or similar consent-controlled processing.
Some public-source screening data may include sensitive, political, enforcement, criminal-offence, or allegation-related information. We process this data only for screening, source-provenance, audit, and service-integrity purposes, and customers remain responsible for confirming the lawful basis and any additional condition needed for their own screening use cases.
Screening, scores, and automated decisions
VeroFlag produces candidate matches, scores, source context, and workflow records. These outputs are decision-support information. They are not legal advice, do not guarantee that a subject is or is not a match, and do not replace human review. VeroFlag does not make solely automated decisions with legal or similarly significant effects about people. Customers and their authorised reviewers remain responsible for final decisions.
Cookies and similar technologies
We use technologies that are necessary to operate the website and app, including authentication, security, session, preference, and service reliability technologies. We will ask for consent before setting non-essential analytics, advertising, or tracking technologies where consent is required.
Who we share data with
- Service providers that host, store, secure, email, authenticate, monitor, and operate the service, including Supabase, Vercel, Google Cloud, Resend, Stripe, and security or observability providers we use from time to time.
- Workspace administrators and authorised users, according to account, group, and permission settings.
- Professional advisers, insurers, auditors, regulators, courts, law-enforcement bodies, or public authorities where reasonably necessary or required by law.
- A buyer, investor, successor, or professional adviser if we are involved in a merger, acquisition, financing, restructuring, or sale of assets.
We do not sell personal data.
International transfers
We may use providers that process personal data outside the UK or EEA. Where required, we use appropriate safeguards such as adequacy regulations or decisions, standard contractual clauses, the UK International Data Transfer Addendum, the UK International Data Transfer Agreement, or equivalent safeguards.
Retention
We keep personal data only for as long as reasonably needed for the purposes described in this policy, unless a longer period is required for legal, regulatory, tax, accounting, security, audit, dispute, or backup reasons.
- Account and workspace records are normally kept while the account is active and for a reasonable period after closure.
- Screening, review, monitoring, and audit records are kept according to the customer workspace settings, contract, and audit needs, unless deletion is required or agreed.
- Billing and transaction records may be kept for statutory accounting and tax periods.
- Security logs, diagnostics, and backups are kept for limited operational periods and then deleted or overwritten according to our retention processes.
Your rights
Depending on where you are and the lawful basis for processing, you may have rights to access, correct, erase, restrict, object to, or receive a portable copy of your personal data. You may also have the right to withdraw consent where consent is the lawful basis.
You can contact us at support@veroflag.com. If your request concerns data controlled by one of our customers, we may direct you to that customer or help them respond.
You can complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint. If you are in the EEA, you may also contact your local supervisory authority.
Security
We use technical and organisational measures designed to protect personal data, including access controls, authentication controls, encryption in transit, logging, monitoring, least-privilege access, and separation between customer workspaces. No system is perfectly secure, so customers should also protect their accounts, devices, and credentials.
Children
VeroFlag is a business and professional service. It is not intended for children or for personal, household, or consumer use.
Changes to this policy
We may update this policy as the service, our providers, or legal requirements change. We will update the date above and, where required, notify users or customers before material changes take effect.