Privacy Policy

Last updated: 3 June 2026

VerifyDoc is operated by Nimble Tech Ltd ("we", "us", or "our"). This privacy policy explains how we collect, use, and protect your personal data when you use our document verification service.

1. Information We Collect

Waitlist Information: When you join our waitlist, we collect:

• Your full name
• Your firm name
• Your email address
• An optional indication of whether you would like to be considered for early-access beta testing
• The date and time you joined the waitlist

Account and Billing Information: When you purchase credits, we collect:

• Your firm name
• Your billing email address
• Payment information (processed securely by Stripe; we do not store your card details)
• Your licence key usage and credit balance
• Your credit expiry date (refreshed on every top-up; used to trigger reminder emails 30 days before expiry per terms.html section 5)

Contact and Support Enquiries: When you contact us through our contact form or by email, we collect:

• Your name and email address
• Your firm name (optional)
• The subject and content of your message

Document Processing: When you use VerifyDoc to verify a document:

• The draft document, source pack, and any prior verification schedule you upload are processed in temporary, session-only storage
• Extracted statement text and candidate source passages are sent to AWS Bedrock, where Claude classifies each statement and proposes a citation on our behalf. AWS is the data processor under the AWS Data Processing Addendum (see section 3 for detail)
• All uploaded files, intermediate artefacts, and exports are permanently deleted when your session ends
• We do not retain or store document content, and we do not log document content, filenames, statement text, or source extracts. Our operational logs contain only counts, processing times, and a server-issued session identifier.

Security and Abuse-Detection Logs: For each sign-in, session creation, and verification run we log:

• The event type (e.g. licence-validate, session-create, verify-run) and its outcome (success, failure, denied)
• Your source IP address
• An irreversible 16-character hash of your licence key, used to correlate events for the same firm without ever recording the key itself
• Small per-event metadata such as statement counts and remaining credits

These logs never contain document content, filenames, statement text, or your raw licence key. We retain them for 90 days and they are then automatically deleted. Legal basis: legitimate interests (security monitoring, fraud and abuse prevention).

2. How We Use Your Information

We use the information we collect to:

• Notify waitlist members when VerifyDoc launches
• Process payments and manage licence keys
• Provide the document verification service
• Track credit usage against your licence key
• Send essential service communications (e.g. credit balance notifications)
• Respond to support requests

We will never:

• Sell or share your personal data with third parties for marketing purposes
• Use your document content for any purpose other than providing the service
• Retain your document content after your session ends
• Allow AI providers to train models on your documents

3. Zero Data Retention (ZDR)

VerifyDoc is built with law firm security requirements in mind. We do not send your document text to the Claude API directly. AI calls are routed through AWS Bedrock, the same AWS account in which our application and database run, so that AWS is the data processor for those calls under the AWS Data Processing Addendum that already governs the rest of our infrastructure. Anthropic, as the underlying model provider, does not receive your content directly under this arrangement.

Under the AWS DPA covering our Bedrock calls:

• AWS does not retain the prompts we send or the completions Claude returns
• Your document content is not used to train, fine-tune, or evaluate any model
• AWS does not log the content of your requests; the Usage-Policy and safety-classifier carve-outs from Anthropic's direct-API ZDR terms do not apply on this path

The Claude API itself is not invoked directly from VerifyDoc at any point, and every regression test on every code change verifies this. If a future code change accidentally tried to bypass Bedrock, the automated test suite would fail before the change could ship.

Independent of AWS's retention, on our own systems:

• All temporary files are permanently deleted at the end of each session
• No document content is stored in any database
• No verification work product is stored in any database. The verification schedule .docx is yours, kept in your DMS, and acts as the resume mechanism for the next draft
• Our application logs record counts, processing times, and a server-issued session identifier only, never document content, statement text, or source extracts

4. Data Storage and Security

We implement appropriate security measures to protect your information:

• All data transmission uses HTTPS/TLS encryption
• Documents are processed in temporary, session-scoped storage only
• Services are hosted on AWS infrastructure in accordance with industry standards
• Payment processing is handled by Stripe, a PCI-compliant payment processor
• Access to systems is restricted and logged

5. Data Sharing

We share your information only with trusted service providers who help us operate VerifyDoc:

• Amazon Web Services (AWS): To host our application, store licence-key records, and run statement verification and OCR through AWS Bedrock. Application and database run in the UK (London region, eu-west-2). AI processing runs on AWS Bedrock in the UK for statement verification, and within AWS EU regions for OCR of image-only PDFs (see section 9 for the routing detail).
• Anthropic: The underlying model provider for the Claude language model. With our AI calls routed via AWS Bedrock, AWS is the data processor and Anthropic does not receive VerifyDoc traffic directly (see section 3).
• Stripe: To process payments securely
• Amazon SES: To send transactional email (licence-key delivery, top-up receipts, the 30-day credit-expiry reminder under our Terms of Service, and other service notifications). Hosted in the EU (Ireland, eu-west-1).
• Netlify: To host the VerifyDoc marketing site and receive waitlist and contact-form submissions
• Google Fonts: To serve the typefaces used on our pages. Google receives your IP address when fonts are loaded but does not receive any other personal data through this load.
• Cloudflare: Domain registrar and authoritative DNS for our domains. Cloudflare does not sit in the application request path; TLS termination, DDoS protection, and the application itself are all served by AWS, but DNS lookups for our domains do route through Cloudflare's DNS network.

The full table, with purpose, data, and region for each, lives on our Sub-processors page and is updated when sub-processors change.

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

6. Your Rights

Under UK data protection law (UK GDPR), you have the right to:

• Access your personal data
• Correct inaccurate personal data
• Request deletion of your personal data
• Object to processing of your personal data
• Request restriction of processing your personal data
• Request transfer of your personal data (data portability)
• Withdraw consent at any time

To exercise any of these rights, please contact us at privacy@verifydoc.co.uk.

7. Data Retention

• Waitlist data: Retained until launch, then for 90 days, then deleted unless you become a customer
• Account and billing data: Retained for the duration of your licence, plus 6 years afterwards to meet UK statutory tax record-keeping requirements
• Document content: Deleted at the end of your session (typically within minutes of the session ending)
• Verification work product: Not retained on our systems at any point. The verification schedule .docx is delivered to you and the only persistent copy is the one you keep in your DMS
• Operational logs: Counts, processing times, and session identifiers are retained for 90 days, then automatically deleted. Logs never contain document content or statement text.
• Security and abuse-detection logs: Event type, outcome, source IP address, and an irreversible hash of your licence key are retained for 90 days, then automatically deleted. These logs never contain document content or your raw licence key.
• Credit usage records: Retained for the life of your licence plus the 6-year tax retention period described above

8. Cookies, Browser Storage, and Tracking

VerifyDoc is designed to minimise client-side state:

• The VerifyDoc application itself sets no cookies and uses no browser storage. Your licence key, session identifier, and any in-progress work live only in the page while it is open and are cleared when you close the tab.
• Marketing site forms (waitlist and contact): our forms are processed by Netlify, which sets a small number of essential cookies to detect spam and prevent duplicate submissions. These are not used for analytics or advertising.
• Web fonts: our pages load fonts from Google Fonts. Google receives your IP address when fonts are requested, but no cookies are set by this load.

We do not use tracking cookies, analytics cookies, or advertising cookies.

9. International Transfers

VerifyDoc is hosted entirely on AWS in the United Kingdom (London region, eu-west-2), and your licence and billing data does not leave the UK.

Document processing also runs inside AWS, with the following routing:

• Statement verification runs in the UK. The Claude Sonnet model is invoked through AWS Bedrock in the London region; the call does not leave the United Kingdom.
• OCR for image-only PDFs in the source pack uses the Claude Haiku model, which is currently invoked through AWS Bedrock's EU geo profile. AWS routes the call to one of its EU regions (London, Dublin, Frankfurt, Stockholm, Milan, Madrid, or Paris). The call stays within the EU; AWS chooses the specific EU region per request based on capacity. When AWS adds Haiku in-region to London, these calls will become UK-only.

The AWS Data Processing Addendum covers all of this AI processing. Document text is not transferred to the United States as part of VerifyDoc processing.

Stripe processes payment information under its own international transfer safeguards; we never see or store your card details.

10. Children's Privacy

VerifyDoc is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email (if you have provided one) or by posting a notice on our website. The "Last updated" date at the top of this policy indicates when it was last revised.

12. Contact Us

If you have questions about this privacy policy or how we handle your data, please contact us:

Nimble Tech Ltd
Please contact us using our contact form
Website: verifydoc.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.