Privacy Policy

1. Data Controller

VeriBureau is a global verified review protocol operated by AIST Telecommunications (LLC «CS AIST», EDRPOU 30635430), registered in Odesa, Ukraine. For all privacy-related inquiries, contact the Data Protection Officer at privacy@veribureau.com.

2. Data We Collect

2.1 Reviewers (customers)

When you submit a verified review, we collect your email address solely for one-time verification (OTP code). After successful verification, your email is immediately and irreversibly converted to a one-way cryptographic hash (SHA-256). The original email address is never stored in our database and cannot be recovered from the hash.

We also collect: the review score (1\u2013100), optional free-text commentary, and optional industry-specific sub-scores you choose to provide. All review data is associated with the cryptographic hash of your email, not with your email itself.

2.2 Businesses

Upon registration, we collect: business name, URL slug, industry category, country, city (optional), website URL (optional), and contact email address. The contact email is stored in cleartext to enable account recovery, notifications, and communication. Your API key is stored exclusively as a SHA-256 hash; the plaintext key is shown once at registration and never stored.

2.3 Automatically collected data

We collect the minimum data necessary for service operation and security: IP addresses are processed in memory for rate limiting and abuse prevention but are not persisted to any database or log file. We do not collect browser fingerprints, device identifiers, geolocation data, or any data beyond what is required for HTTPS communication and service delivery.

We do not use third-party analytics services, advertising networks, social media plugins, or tracking pixels on any VeriBureau domain.

3. Cookies and Client-Side Storage

VeriBureau uses a single strictly necessary authentication cookie for the business dashboard. This cookie:

\u2014 Is an httpOnly, Secure, SameSite=Strict cookie that cannot be read by JavaScript and is only transmitted over encrypted HTTPS connections to the VeriBureau API origin.
\u2014 Contains an authentication credential (hashed on the server) and expires after 30 days.
\u2014 Is accompanied by a CSRF (Cross-Site Request Forgery) protection token stored in application memory (not in persistent browser storage) which is lost when you close the tab.
\u2014 Is set only when you explicitly log in to the business dashboard and is deleted when you log out.

This cookie is classified as a \u201cstrictly necessary\u201d cookie under the EU ePrivacy Directive (2002/58/EC) and GDPR Recital 49, as it is essential for the functioning of the authenticated dashboard service that you have explicitly requested. No consent banner is required for strictly necessary cookies.

We do not use any marketing, analytics, preference, or tracking cookies. We do not use localStorage, sessionStorage, IndexedDB, or any other persistent client-side storage mechanism.

4. Legal Basis for Processing

We process personal data on the following legal bases under GDPR Article 6(1):

Contract performance (Art. 6(1)(b)): Processing of business registration data and reviewer email verification is necessary for the performance of the service you have requested.

Legitimate interest (Art. 6(1)(f)): Rate limiting (IP address processing in memory), security monitoring, and abuse prevention. Our legitimate interest is protecting the service and its users from attacks, fraud, and abuse. This processing is proportionate as IP addresses are not persisted.

Legal obligation (Art. 6(1)(c)): Retention of audit log records where required by applicable law.

5. Purpose of Processing

Email verification: To ensure one review per person per transaction (Protocol Axiom 1: one entity, one review).

Business registration: To provide the service, enable account management, and facilitate communication.

Review content: To compute, display, and verify Trust Scores using the VeriBureau Protocol algorithm.

Audit chain: To maintain a cryptographically signed, immutable, publicly verifiable record of all protocol events (Protocol Axiom 3: immutability of the record).

Authentication cookie: To maintain your authenticated session in the business dashboard without requiring re-entry of credentials on each page load.

6. Data Retention

Reviewer email hashes: Retained indefinitely as part of the immutable audit chain. These are irreversible hashes from which the original email cannot be recovered.

Review content and scores: Retained indefinitely. The integrity of the Trust Score system depends on the permanence of the review record.

Business account data: Retained for the duration of the account, plus 90 days after account closure to allow for reactivation. After this period, contact email and business description are permanently deleted; public review data and audit chain entries are retained.

Audit log entries: Retained permanently. Each entry is cryptographically signed with Ed25519 and linked to the previous entry via SHA-256 hash chain. Deletion of any entry would invalidate the entire chain and is therefore technically infeasible without compromising the protocol\u2019s integrity guarantees.

Authentication cookies: Expire after 30 days or upon logout, whichever occurs first. Server-side session references are deleted immediately upon logout.

7. Data Sharing and Third Parties

We do not sell, rent, trade, license, or otherwise disclose personal data to any third party for any purpose. Specifically:

\u2014 We do not use third-party data processors for personal data.
\u2014 We do not share data with advertising or marketing platforms.
\u2014 We do not participate in data broker networks.
\u2014 We do not transfer personal data to any third-party analytics provider.

Review content and Trust Scores are publicly visible by design \u2014 this is the fundamental purpose of the service. Email addresses (stored only as irreversible hashes) and API keys (stored only as hashes) are never exposed in any public endpoint.

We may disclose data if required by law, court order, or binding regulatory request, and only to the minimum extent necessary to comply. We will notify affected users where legally permitted to do so.

8. Your Rights (GDPR Articles 15\u201322)

If you are located in the European Economic Area, you have the right to:

Access (Art. 15): Request a copy of all personal data we hold about you.

Rectification (Art. 16): Request correction of inaccurate personal data.

Erasure (Art. 17): Request deletion of your personal data. Due to the immutability principle of the audit chain (Protocol Axiom 3), we can mark audit records as \u201cwithdrawn\u201d and remove associated personal identifiers, but we cannot delete the cryptographic hashes or chain structure without compromising the integrity of the entire protocol. We will explain any limitations at the time of your request.

Restriction (Art. 18): Request restriction of processing of your personal data.

Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON).

Objection (Art. 21): Object to processing based on legitimate interest.

Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. For Ukraine, this is the Ukrainian Parliament Commissioner for Human Rights.

To exercise any of these rights, contact privacy@veribureau.com. We will respond within 30 days as required by GDPR Article 12(3).

9. Data Security

We implement the following technical and organizational measures:

Encryption in transit: All connections use TLS 1.2 or higher. HSTS (HTTP Strict Transport Security) is enforced on all domains.

Encryption at rest: Database storage uses full-disk encryption.

Cryptographic hashing: Reviewer emails are hashed with SHA-256 before storage. API keys are hashed with SHA-256. Passwords are not used in the system (authentication is via API key only).

Digital signatures: All audit chain records are signed with Ed25519 to ensure tamper evidence.

Authentication security: Dashboard authentication uses httpOnly cookies with Secure and SameSite=Strict flags, combined with CSRF token validation on all state-changing operations. API key authentication for programmatic access uses constant-time comparison to prevent timing attacks.

Rate limiting: All endpoints are rate-limited with automatic fallback to prevent brute-force attacks.

Input validation: All user input is sanitized against XSS (cross-site scripting) attacks. CORS (Cross-Origin Resource Sharing) is restricted to VeriBureau domains only.

Backups: Database is backed up daily with 30-day retention. Backups are encrypted.

Access control: Access to production systems is restricted to authorized personnel only, using key-based SSH authentication.

10. International Data Transfers

Our primary infrastructure is located within the European Union (Germany). Data is processed and stored within the EU. If you access VeriBureau from outside the EU, your data will be transferred to and processed in the EU under European data protection standards, which are recognized as providing an adequate level of protection.

We do not transfer personal data to any country outside the EEA unless required by law or with your explicit consent.

11. Children\u2019s Privacy

VeriBureau is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact privacy@veribureau.com.

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach poses a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.

13. Changes to This Policy

We will notify registered businesses by email at least 30 days before any material changes to this policy. The \u201cLast updated\u201d date and version number at the top of this page indicate when the policy was last revised. Previous versions are available upon request.

14. Contact

Data Protection Officer: privacy@veribureau.com
General support: support@veribureau.com

AIST Telecommunications (LLC «CS AIST»)
Odesa, Ukraine
EDRPOU: 30635430