Legal

Privacy Policy

This Privacy Policy explains how Veritas ("Veritas", "we", "us") collects, uses, stores, and protects personal data when you use our photo verification platform, APIs, SDKs, dashboard, and related services.

DPDP Rules 2025 CompliantIndia-Only Data StorageMumbai Jurisdiction

Effective date: March 12, 2026Last updated: March 12, 2026

1. Overview 2. Information We Collect 3. How We Use Your Information 4. Legal Basis for Processing 5. Data Storage & Residency 6. Data Sharing & Disclosure 7. Payment Data & Financial Information 8. Security Measures 9. Cookies & Similar Technologies 10. Your Rights Under the DPDP Act 2023 11. Children's Data 12. Third-Party Links & Integrations 13. Changes to This Policy 14. Contact Us

1. Overview

1.1 Who We Are

•Veritas ("Veritas", "we", "us", "our") is a photo verification platform operated from Mumbai, Maharashtra, India. Veritas is a product brand — the operating entity details are provided in the Contact section below

•We operate a photo verification platform that provides hardware-backed cryptographic provenance, trust scoring, and compliance tooling for enterprises — primarily in the insurance, banking, NBFC, and government sectors

•Under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025, Veritas acts as a Data Processor. Your organisation (the entity contracting with Veritas) acts as the Data Fiduciary

1.2 Scope of This Policy

•This Privacy Policy applies to all users of the Veritas platform, including: the marketing website (veritas.in), the dashboard (dashboard.veritas.in), the REST API, the Android SDK, and all related services

•This policy covers personal data of: account holders (enterprise admins, team members), end-users whose data is captured via the SDK (claimants, adjusters, field agents), and website visitors

•By accessing or using any Veritas service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy

•If you do not agree with this policy, please do not use our services. You may request deletion of any existing data by contacting our Data Protection Officer

2. Information We Collect

2.1 Data Collected Through Our Verification SDK

•Photographs captured through the Veritas SDK during the verification workflow

•GPS coordinates (latitude and longitude) at the time of photo capture

•Device identifiers: hardware model, OS version, Android hardware attestation key ID

•Motion sensor data (accelerometer, gyroscope) collected during the capture session for liveness verification

•Timestamps generated on-device and verified against server time

•Network metadata: connection type, approximate signal strength

•C2PA content credentials embedded in the photo manifest

•Consent records: timestamp of consent, version of consent notice shown, categories of data consented to

2.2 Data Collected Through Our Dashboard & Website

•Account registration details: full name, business email address, organisation name, designation, GST number (optional)

•Authentication credentials (passwords are hashed using bcrypt with salt — never stored in plaintext)

•API usage logs: endpoints called, timestamps, response codes, IP addresses

•Billing information: plan selected, billing cycle, invoice history. Payment card details are processed exclusively by our payment gateway (Razorpay/Stripe) and are never stored on Veritas servers

•UPI IDs and netbanking details are processed by Razorpay and never touch Veritas infrastructure

•Support and communication records: emails, support tickets, feature requests

2.3 Data Collected Automatically

•Server access logs: IP address, browser user-agent string, referring URL, pages visited

•Cookie identifiers for session management (see Section 9 below)

•Aggregated, anonymised analytics data (page views, feature usage) via privacy-respecting analytics — no cross-site tracking

•Device type, screen resolution, operating system, and browser version for optimising the dashboard experience

2.4 Data We Do NOT Collect

•We do not collect Aadhaar numbers, PAN numbers, or other government-issued ID numbers unless explicitly submitted by you

•We do not collect biometric data as defined under the Aadhaar Act — IMU sensor data is motion telemetry, not biometric identification

•We do not collect financial information such as bank account numbers, credit card numbers, or UPI PINs — all payment processing is handled by our PCI-DSS compliant payment gateway

•We do not read, access, or store the contents of your device's photo gallery, contacts, messages, or any other app data

3. How We Use Your Information

3.1 Primary Purposes (Contractual Necessity)

•To provide photo verification services as contracted by your organisation (the Data Fiduciary)

•To generate trust scores based on device attestation, GPS, motion, timestamp, and provenance signals

•To create tamper-evident audit logs and Merkle transparency proofs for each capture session

•To embed C2PA content credentials for downstream provenance verification by any compliant tool

•To deliver breach notification reports, compliance exports, and data residency certificates

•To process subscription payments, generate invoices, and manage your billing account

3.2 Operational Purposes (Legitimate Interest)

•To maintain, monitor, and improve our infrastructure, security posture, and service reliability

•To detect and prevent fraud, abuse, and unauthorised access to the platform

•To generate anonymised, aggregated analytics for product improvement — no individual can be identified from this data

•To communicate service updates, security advisories, scheduled maintenance, and contractual notices

•To respond to your support requests and provide technical assistance

•To comply with legal obligations under applicable Indian law, including tax filings and regulatory reporting

3.3 What We Do NOT Do With Your Data

•We do not sell, rent, or trade personal data to any third party — ever

•We do not use captured photo data or SDK data for AI/ML model training unless explicitly authorised in a separate written agreement

•We do not serve advertisements or share data with advertising networks

•We do not profile Data Principals (claimants, adjusters) for purposes beyond the contracted verification service

•We do not share your data with any entity for marketing purposes

•We do not use your data to build competitive intelligence or share it with your competitors

4. Legal Basis for Processing

4.1 Under the DPDP Act 2023 & Rules 2025

•Consent (Section 6, Rule 3): The Veritas SDK displays a clear, itemised consent notice in plain language before any data collection begins. Consent is granular — users are informed of each category of data collected and its purpose

•Contractual necessity: Processing is necessary for the performance of the service agreement between Veritas and your organisation

•Legal obligation: Certain processing is required to comply with Indian tax law, the IT Act 2000, and DPDP Rules 2025 (e.g., security log retention under Rule 6(1)(e))

•Legitimate interest: Limited processing for fraud detection, security monitoring, and service improvement where it does not override the rights of the Data Principal

4.2 Consent Management

•Consent can be withdrawn at any time by the Data Principal through their organisation (the Data Fiduciary)

•Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal

•If consent is withdrawn, Veritas will cease processing and delete the associated personal data, subject to legal retention requirements

•The SDK records consent_given, consent_timestamp, consent_version, and data_categories_consented in the capture manifest for audit purposes

5. Data Storage & Residency

5.1 India-Only Data Storage (DPDP Rules 2025, Rule 14)

•All personal data is stored exclusively in Mumbai, Maharashtra, India

•Infrastructure hosted on Google Cloud Platform, asia-south1 (Mumbai) region only

•Zero data replication, backup, or CDN edge nodes outside Indian jurisdiction

•No foreign sub-processors have access to personal data at any point in the processing chain

•Data Residency Certificates (signed PDF/A with cryptographic proof) are available for Enterprise customers on request

•We do not transfer personal data outside India. In the event that cross-border transfer regulations are notified by the Central Government under the DPDP Act, we will comply with all applicable requirements

5.2 Retention Periods

•Photo data and associated metadata: retained per your subscription plan configuration — 7 days (Free), 30 days (Pro), 365 days (Enterprise), or custom

•Automatic hard-deletion of photo data and personal metadata upon retention period expiry

•48-hour advance webhook notification to your registered endpoint before auto-expiry (DPDP Rules 2025, Rule 8)

•Security audit logs: retained for a minimum of 1 year per DPDP Rules 2025, Rule 6(1)(e) — these logs do not contain photo content or personally identifiable metadata

•Account and billing records: retained for 8 years per Indian tax and accounting requirements (Income Tax Act, 1961; GST Act, 2017)

•Erasure certificates: retained for 7 years as proof of compliance with deletion requests

•Website cookies and analytics: session cookies expire on browser close; analytics data retained for 26 months in anonymised form

5.3 Data Deletion

•Upon expiry of the retention period, photo data is permanently and irrecoverably deleted using cryptographic erasure (key destruction)

•Deletion is verified through our Merkle transparency log — the absence of data is cryptographically provable

•Signed erasure certificates (PDF/A) are generated and made available to the Data Fiduciary

•Backup data is purged within 30 days of primary data deletion

7. Payment Data & Financial Information

7.1 How Payment Data Is Handled

•Veritas uses Razorpay and/or Stripe as its payment gateway partners. Both are PCI-DSS Level 1 compliant — the highest level of payment security certification

•When you make a payment, your card number, CVV, expiry date, UPI ID, or netbanking credentials are entered directly into the payment gateway's secure iframe/SDK. This data never touches Veritas servers

•Veritas stores only: transaction ID, payment status (success/failed/pending), amount, currency, invoice number, and the last 4 digits of your card (for display purposes only)

•We do not store full card numbers, CVVs, UPI PINs, or netbanking passwords — at any point, in any system

•Payment disputes and chargebacks are handled through the respective payment gateway's dispute resolution process

7.2 Billing Records

•Invoices are generated automatically and stored for 8 years per Indian tax law (GST Act, 2017; Income Tax Act, 1961)

•You can download all invoices from the dashboard at any time during your subscription or within 30 days of account closure

•Billing data includes: organisation name, billing address, GST number (if provided), plan details, amounts, and tax breakdowns

8. Security Measures

8.1 Technical Safeguards (DPDP Rules 2025, Rule 6)

•AES-256 encryption for all data at rest (Rule 6(1)(a))

•TLS 1.3 for all data in transit — no fallback to older protocols

•Hardware-backed Trusted Execution Environment (TEE) / StrongBox signing on supported devices

•Private keys generated and stored in device hardware keystore — never exported or extractable

•Role-based access control (RBAC) with principle of least privilege (Rule 6(1)(b))

•API key scoping: per-environment and per-permission granularity

•Rate limiting: sliding window algorithm, configurable per plan tier

•Full audit logging of every API call, dashboard action, and data access event (Rule 6(1)(c))

•Automated anomaly detection for unauthorised access attempts

•Nonce-based replay protection with 120-second expiry

8.2 Organisational Safeguards

•Background verification for all employees with access to production systems

•Annual security awareness training for all staff

•Incident response plan tested quarterly with tabletop exercises

•Third-party penetration testing conducted annually by CERT-In empanelled auditors

•SOC 2 Type II certification in progress; ISO 27001 certification planned

•Segregation of duties: no single employee can access production data, deploy code, and manage keys simultaneously

•All production access requires multi-factor authentication and is logged

8.3 Breach Notification (DPDP Rules 2025, Rule 7)

•In the event of a data breach affecting your data, Veritas will notify your organisation within the timeline specified in the DPA (and in any case within 72 hours of becoming aware of the breach)

•We will provide a pre-filled incident report template for your submission to the Data Protection Board of India

•The dashboard will display a countdown timer to the 72-hour notification deadline with a downloadable report

9. Cookies & Similar Technologies

9.1 Cookies We Use

•Strictly necessary cookies: session management, authentication state, CSRF protection. These cannot be disabled without breaking the dashboard

•Functional cookies: dashboard preferences (theme, timezone, language). These improve your experience but are optional

•Analytics cookies: privacy-respecting, anonymised usage analytics via self-hosted Plausible Analytics — no cross-site tracking, no personal data collected, no cookies shared with third parties

•We do NOT use: advertising cookies, remarketing pixels, social media tracking pixels, or any third-party analytics that track users across sites

9.2 Managing Cookies

•You can disable non-essential cookies through your browser settings at any time

•Disabling strictly necessary cookies may prevent the dashboard from functioning correctly

•Our SDK does not use cookies — it operates via API authentication tokens only

•Our marketing website uses only strictly necessary cookies and anonymised analytics

10. Your Rights Under the DPDP Act 2023

10.1 Rights of Data Principals

•Right to access (Section 11): Request a summary of all personal data processed by Veritas on your behalf, including the categories of data, purposes of processing, and any third parties with whom data has been shared

•Right to correction (Section 11): Request correction of inaccurate, incomplete, or misleading personal data

•Right to erasure (Section 12): Request permanent deletion of your personal data. Veritas provides a dedicated API endpoint (DELETE /v1/captures/erase-by-principal) and generates signed erasure certificates with Merkle proof of deletion

•Right to grievance redressal (Section 13): File a complaint with our Data Protection Officer if you believe your data has been processed in violation of the DPDP Act

•Right to nominate (Section 14): Nominate another person to exercise your rights in case of death or incapacity

10.2 How to Exercise Your Rights

•Data Fiduciaries (your organisation): Use the dashboard's Compliance section or the API to process Data Principal requests directly

•Data Principals (claimants, adjusters, field agents): Contact your organisation first, as they are the Data Fiduciary responsible for your data

•If your organisation is unresponsive within 30 days, you may contact our Data Protection Officer directly at dpo@veritas.in or support.veritas@gmail.com

•We acknowledge all valid requests within 72 hours and fulfil them within 30 days

•There is no fee for exercising your rights under the DPDP Act

•Erasure requests generate a signed erasure certificate (PDF/A) with cryptographic proof of deletion

10.3 Limitations on Erasure

•Security audit logs (not containing photo content) are retained for 1 year per DPDP Rules 2025, Rule 6(1)(e) — even after erasure of personal data. This is disclosed in the consent notice

•Billing records are retained for 8 years per Indian tax law — these contain only organisation-level data, not individual captures

•Data that has been anonymised and aggregated cannot be traced back to an individual and is therefore outside the scope of erasure rights

11. Children's Data

11.1 Policy on Minors

•Veritas services are designed for enterprise use by organisations (B2B). We do not knowingly offer services directly to individuals under 18 years of age

•If the SDK is used to capture data involving a minor (e.g., a minor claimant), the Data Fiduciary (your organisation) is responsible for obtaining verifiable consent from the minor's parent or legal guardian, as required by Section 9 of the DPDP Act 2023

•Veritas provides SDK configuration options to enforce parental consent workflows when minors may be involved

•If we become aware that personal data of a child has been processed without proper consent, we will delete it promptly and notify the Data Fiduciary

•Penalties for children's data violations under the DPDP Act can reach INR 200 crore — Data Fiduciaries must ensure compliance

12. Third-Party Links & Integrations

12.1 External Links

•Our website and documentation may contain links to third-party websites (e.g., regulatory bodies, standards organisations, payment gateways). We are not responsible for the privacy practices of these websites

•When you click on a third-party link, you leave our platform and are subject to that third party's privacy policy

•We recommend reviewing the privacy policy of any third-party service before providing personal data to it

12.2 API Integrations

•When you integrate the Veritas SDK or API into your application, data flows between your systems and ours as described in the Data Processing Agreement

•You are responsible for ensuring that your application's privacy notice accurately describes the data processed by Veritas on your behalf

•Webhooks sent to your registered endpoints contain verification data — you are responsible for securing your webhook endpoints

13. Changes to This Policy

13.1 How We Communicate Changes

•We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance

•Material changes (changes to data collection, sharing, retention, or your rights) will be communicated via email to your registered account address at least 30 days before they take effect

•Non-material changes (typographical corrections, formatting) may be made without advance notice

•The "Last Updated" date at the top of this page reflects when the most recent changes were made

•Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy

•If you do not agree with the changes, you may terminate your account and request deletion of your data before the changes take effect

14. Contact Us

Data Protection Officer

•Veritas — Photo Verification Platform

•Mumbai, Maharashtra, India

•Email: support.veritas@gmail.com

•Response time: acknowledgement within 72 hours, resolution within 30 days

Grievance Redressal

•If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India

•Data Protection Board of India: https://www.meity.gov.in/data-protection-framework

•You may also approach the appropriate consumer forum or court of competent jurisdiction in Mumbai, Maharashtra

Regulatory References

•DPDP Act 2023: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

•DPDP Rules 2025: https://egazette.gov.in/WriteReadData/2025/251163.pdf

•IT Act 2000: https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf

This policy is governed by Indian law. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India. This policy should be read together with our Terms of Service, Data Processing Agreement, and Refund & Cancellation Policy.

Privacy Policy

Contents

1. Overview

1.1 Who We Are

1.2 Scope of This Policy

2. Information We Collect

2.1 Data Collected Through Our Verification SDK

2.2 Data Collected Through Our Dashboard & Website

2.3 Data Collected Automatically

2.4 Data We Do NOT Collect

3. How We Use Your Information

3.1 Primary Purposes (Contractual Necessity)

3.2 Operational Purposes (Legitimate Interest)

3.3 What We Do NOT Do With Your Data

4. Legal Basis for Processing

4.1 Under the DPDP Act 2023 & Rules 2025

4.2 Consent Management

5. Data Storage & Residency

5.1 India-Only Data Storage (DPDP Rules 2025, Rule 14)

5.2 Retention Periods

5.3 Data Deletion

6. Data Sharing & Disclosure

6.1 Sub-Processors

6.2 Legal Disclosure

6.3 Business Transfers

7. Payment Data & Financial Information

7.1 How Payment Data Is Handled

7.2 Billing Records

8. Security Measures

8.1 Technical Safeguards (DPDP Rules 2025, Rule 6)

8.2 Organisational Safeguards

8.3 Breach Notification (DPDP Rules 2025, Rule 7)

9. Cookies & Similar Technologies

9.1 Cookies We Use

9.2 Managing Cookies

10. Your Rights Under the DPDP Act 2023

10.1 Rights of Data Principals

10.2 How to Exercise Your Rights

10.3 Limitations on Erasure

11. Children's Data

11.1 Policy on Minors

12. Third-Party Links & Integrations

12.1 External Links

12.2 API Integrations

13. Changes to This Policy

13.1 How We Communicate Changes

14. Contact Us

Data Protection Officer

Grievance Redressal

Regulatory References

Related Documents

Privacy Policy

Contents

1. Overview

1.1 Who We Are

1.2 Scope of This Policy

2. Information We Collect

2.1 Data Collected Through Our Verification SDK

2.2 Data Collected Through Our Dashboard & Website

2.3 Data Collected Automatically

2.4 Data We Do NOT Collect

3. How We Use Your Information

3.1 Primary Purposes (Contractual Necessity)

3.2 Operational Purposes (Legitimate Interest)

3.3 What We Do NOT Do With Your Data

4. Legal Basis for Processing

4.1 Under the DPDP Act 2023 & Rules 2025

4.2 Consent Management

5. Data Storage & Residency

5.1 India-Only Data Storage (DPDP Rules 2025, Rule 14)

5.2 Retention Periods

5.3 Data Deletion

6. Data Sharing & Disclosure

6.1 Sub-Processors

6.2 Legal Disclosure

6.3 Business Transfers

7. Payment Data & Financial Information

7.1 How Payment Data Is Handled

7.2 Billing Records

8. Security Measures