Data Protection & Privacy Compliance
Last Updated: January 26, 2026
Overview
VerifyStack is committed to protecting personal data in compliance with GDPR, CCPA, and other applicable privacy regulations. This page describes how we process data and your rights as a data subject.
Our Role in Data Processing
| Scenario | VerifyStack Role | Customer Role |
|---|---|---|
| Fraud detection API | Data Processor | Data Controller |
| Dashboard analytics | Data Processor | Data Controller |
| Account management | Data Controller | Data Subject |
Data Categories Processed
| Category | Examples | Purpose | Retention |
|---|---|---|---|
| Device Fingerprints | Canvas hash, WebGL, fonts | Fraud detection | 90 days |
| Behavioral Signals | Mouse patterns, typing | Bot detection | 30 days |
| Network Data | IP, ASN, geolocation | Risk scoring | 90 days |
| Transaction Data | User ID, email (hashed) | Decision logging | 1 year |
| Audit Logs | API calls, timestamps | Compliance | 7 years |
Data Minimization: We don't store raw PII — emails are hashed with SHA-256. We never receive or store payment card numbers.
GDPR Legal Basis
| Processing Activity | Legal Basis (Art. 6) |
|---|---|
| Fraud detection for customers | Legitimate interest (Art. 6(1)(f)) |
| Contract fulfillment | Contract (Art. 6(1)(b)) |
| Legal compliance (audit) | Legal obligation (Art. 6(1)(c)) |
CCPA Compliance (California)
We do NOT sell personal information. Ever.
Under CCPA, we act as a Service Provider when processing data on behalf of our customers.
| Category | Collected | Sold | Shared |
|---|---|---|---|
| Identifiers (IP, device ID) | ✓ | ✗ | ✗ |
| Internet activity | ✓ | ✗ | ✗ |
| Geolocation | ✓ | ✗ | ✗ |
Your Rights
Under GDPR and CCPA, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your data
- Right to Portability: Receive your data in a machine-readable format
- Right to Object: Opt out of certain processing activities
- Right to Restriction: Limit how we process your data
Response time: We respond to all requests within 30 calendar days.
International Data Transfers
For transfers outside the EEA, we use:
- EU Standard Contractual Clauses (2021 version)
- UK Addendum for UK transfers
- Swiss DPA approval for Swiss transfers
Enterprise customers can request EU-only processing.
Data Processing Agreement
Our standard DPA is incorporated into our Terms of Service. Enterprise customers can request a custom DPA.
Contact
Data Protection Officer: dpo@verifystack.io
Privacy Questions: privacy@verifystack.io