Privacy Policy
Last updated: April 1, 2026
1. Introduction
VeraCita is a product of MindtheGap Sarl (CHE-398.557.351), a company incorporated in Geneva, Switzerland ("MindtheGap", "we", "us", or "our"), operating under the VeraCita brand. We are committed to protecting your privacy and handling your personal data transparently and responsibly. This Privacy Policy explains what data we collect, how we use it, and what rights you have.
This policy applies to all users of the VeraCita platform, website, and related services. By using our services, you acknowledge that you have read and understood this policy.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information
When you create an account, we collect your email address and, optionally, your name and organization. This information is used for authentication, communication, and credit allocation.
2.2 Uploaded Documents
Documents you upload for verification are processed client-side in your browser. Document content is sent to AI services for analysis but is never permanently stored on our servers. See Section 3 for details on how document processing works.
2.3 Verification Results
The results of your verification sessions (claim analyses, source assessments, risk profiles) are stored temporarily for the duration of your session. These results are not retained after you close your browser tab unless you explicitly choose to export or save them.
2.4 Payment Information
All payment processing is handled by Stripe. We never see, access, or store your full credit card number, CVV, or banking details. We receive only a transaction confirmation, the last four digits of your card, and your billing address for invoicing purposes.
2.5 Usage Analytics
If you consent to analytics cookies, we collect anonymized usage data such as pages visited, features used, and session duration. No personal data is collected through analytics. You can opt out at any time via the cookie settings in the footer.
3. How We Process Documents
Your privacy during document verification is our highest priority. Here is exactly how document processing works:
- Client-side parsing: Your document is parsed and processed locally in your web browser. The raw file is never uploaded to our servers.
- Source extraction: When verifying cited sources, URLs are fetched via our Cloudflare Worker to extract page content. For sites that block automated access, requests may be routed through Bright Data residential proxies as a fallback. Only the target URL and standard HTTP headers are sent to these services.
- AI analysis: Extracted text (claims and source references) is sent to AI services for analysis via encrypted server-side proxies. We use Azure OpenAI (Microsoft) as our primary AI provider, with OpenAI and Anthropic as fallback providers. Data is transmitted over encrypted connections (TLS 1.2+) and is processed in real time.
- No permanent storage of document content: AI providers do not retain your document content after analysis. Azure OpenAI operates under a data processing agreement that prohibits data retention beyond the API call. OpenAI and Anthropic operate under zero-data-retention API agreements.
- Server-side session data: Source extraction metadata and verification session records are stored on our servers for up to 7 days to enable session continuity, after which they are automatically deleted. Verification results in your browser are cleared when you close the tab.
4. Third-Party Services
We use the following third-party services to operate VeraCita:
| Service | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Backend infrastructure hosting (Switzerland — Zurich, eu-central-2) | All server-side data (database, Lambda functions, storage) |
| PostgreSQL (Aurora Serverless v2) | Database, authentication, session management | Email, hashed password, session tokens, verification metadata |
| Azure OpenAI (Microsoft) | Primary AI provider — claim analysis and verification | Extracted text from documents (not stored beyond API call) |
| OpenAI | Fallback AI provider | Same as Azure OpenAI; used only when primary provider is unavailable |
| Anthropic | Fallback AI provider | Same as Azure OpenAI; used only when primary provider is unavailable |
| Cloudflare | Source content extraction via Cloudflare Workers | Target URLs, HTTP request metadata (IP address, headers) |
| Bright Data | Residential proxy for paywalled source extraction (fallback) | Target URLs, HTTP headers; used only when standard extraction fails |
| Stripe | Payment processing | Email, billing address, payment method (handled directly by Stripe) |
| Resend | Transactional email delivery (verification codes, receipts) | Email address, email content |
| Sentry | Error monitoring and diagnostics | User ID, error stack traces, endpoint names (no document content) |
| Google Fonts | Typography rendering | IP address (standard web request; no tracking cookies) |
Each third-party service operates under its own privacy policy and data processing agreements. We select partners that meet our standards for data protection and, where applicable, GDPR and Swiss FADP compliance. Our primary infrastructure is hosted in AWS data centers in Zurich, Switzerland (eu-central-2).
5. Data Storage and Location
MindtheGap Sarl is incorporated in Switzerland, which is recognized by the European Commission as providing an adequate level of data protection.
- Backend infrastructure is hosted on Amazon Web Services (AWS) in Zurich, Switzerland (eu-central-2), using Aurora Serverless v2, Lambda, and ECS Fargate.
- Authentication and session data is stored in our managed PostgreSQL database on the same Swiss infrastructure.
- Payment data is processed and stored by Stripe, which maintains EU-based infrastructure for European customers.
- AI processing occurs via Azure OpenAI endpoints deployed in EU data centers, with OpenAI and Anthropic as fallback providers.
- Source extraction is routed through Cloudflare Workers. For sites requiring proxy access, Bright Data residential proxies may be used.
- Document content is parsed client-side in your browser. In standard mode, source extraction metadata is stored server-side for up to 7 days. In private mode, all content remains exclusively in your browser.
6. Your Rights Under GDPR and Swiss FADP
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP / nDSG):
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data. We will comply unless we are legally required to retain it (e.g., tax records).
- Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
- Right to restriction: You may request that we limit the processing of your personal data in certain circumstances.
- Right to object: You may object to the processing of your personal data for certain purposes, including direct marketing.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at admin@veracita.ai. We will respond to your request within 30 days.
You also have the right to lodge a complaint with a supervisory authority. For Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC / EDÖB). For the EU, contact your local Data Protection Authority.
Swiss FADP — Additional Information
As a Swiss company, we comply with the Swiss Federal Act on Data Protection (nDSG, in force since September 1, 2023). Under Swiss law:
- We process personal data based on legitimate interests, contractual necessity, or your explicit consent.
- In the event of a data breach that poses a high risk to your rights, we will notify the FDPIC without delay and inform affected individuals as required by Art. 24 nDSG.
- We do not engage in automated individual decision-making (profiling with legal effect) as defined under Art. 21 nDSG.
- Data transfers to countries without adequate data protection are safeguarded by standard contractual clauses or equivalent guarantees.
7. Cookies
VeraCita uses only essential cookies by default. Analytics cookies are activated only with your explicit consent. We do not use any marketing or advertising cookies or trackers.
For full details on the cookies we use and how to manage your preferences, please see our Cookie Policy.
8. Data Retention
- Browser session data: Verification results stored in your browser are deleted when you close the tab.
- Server-side session data: Source extraction metadata and verification session records stored on our servers are automatically deleted after 7 days.
- Source intelligence cache: Domain reputation and credibility data is cached for 30 days to improve verification speed, then refreshed or deleted.
- Account data: Retained for as long as your account is active. Upon account deletion request, all personal data is permanently removed within 30 days.
- Payment records: Transaction records are retained for 10 years as required by Swiss tax law (Swiss Code of Obligations, Art. 958f). These records contain only transaction metadata (amount, date, last four card digits), not full payment details.
- Error monitoring data: Diagnostic data sent to Sentry (error type, user ID, endpoint) is retained per Sentry's standard retention policy and does not include document content.
- Analytics data: Anonymized usage statistics are retained for up to 24 months. Because this data is anonymized, it cannot be linked back to individual users.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) for all data transmissions
- Encryption at rest for stored data
- Access controls and authentication for all internal systems
- Regular security reviews and dependency audits
- Minimal data collection — we only collect what is necessary to provide the service
10. Children's Privacy
VeraCita is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at admin@veracita.ai and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us:
MindtheGap Sarl (operating as VeraCita)
Avenue Ernest-Hentsch 4
1207 Geneva, Switzerland
CHE-398.557.351
Email: admin@veracita.ai