
Privacy Policy

Effective date: May 17, 2026

01

Who We Are and What This Policy Covers

Dmytro Sirosh, sole trader ("we", "us", "our"), operates the AI-powered idea validation platform Verdiccio at verdiccio.com. This Privacy Policy describes what personal data we collect, how we use it, how we protect it, and your rights regarding it.

This policy applies to all users of verdiccio.com and the Verdiccio platform. It does not apply to third-party services linked from our platform.

02

Data We Collect

We collect the following categories of personal data:

Account data (provided by you via Clerk):

  • Email address
  • Display name (first and last name, if provided)
  • Clerk user ID (internal identifier)
  • Organization/workspace name and slug (if you create a team workspace)

Usage data (generated when you use the Service):

  • Idea descriptions and content you submit for validation
  • Validation run results, scores, and analysis outputs
  • Credit purchase history and balance
  • Timestamps of account activity (logins, runs initiated)

Technical data (collected automatically):

  • IP address (via Clerk and our hosting infrastructure)
  • Browser type and version
  • Device type
  • Pages visited and features used (session data)
  • Error logs and performance data

What we do NOT collect:

  • Payment card numbers or bank details (payments are processed by our payment processor; we only receive transaction confirmation and amount)
  • Sensitive personal data (health, biometric, political, religious data)
  • Data from minors under 18

03

How We Use Your Data

| Purpose | Legal basis | Data used |
|---|---|---|
| Provide and operate the Service | Contract performance | Account data, idea submissions, run results |
| Process payments and manage credits | Contract performance | Email, transaction data |
| Authenticate your identity | Contract performance | Email, Clerk user ID |
| Send transactional emails (run complete, account alerts) | Contract performance | Email, run data |
| Improve the Service (aggregate analytics) | Legitimate interest | Anonymized usage patterns |
| Detect fraud and abuse | Legitimate interest | Account data, IP, usage patterns |
| Comply with legal obligations | Legal obligation | As required by applicable law |

We do not use your idea submissions or analysis results to train AI models. We do not sell your personal data to third parties.

04

AI Processing of Your Content

When you submit an idea for validation, your idea description and related content are sent to third-party AI providers for processing:

  • Anthropic (Claude) — primary analysis engine
  • OpenAI (GPT-4o) — fallback analysis engine
  • xAI (Grok) — supplementary research and evidence collection

These providers process your content under their own privacy policies and data processing terms. We have data processing agreements in place with our AI providers. Your content is sent to these services for inference only; it is not used by default to train their models under our enterprise agreements.

We recommend that you do not include personally identifiable information about third parties (e.g., customer names, private business data) in your idea submissions.

05

Third-Party Services We Use

| Service | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication | Email, name, user ID |
| Anthropic (Claude) | AI analysis | Idea content |
| OpenAI | AI analysis (fallback) | Idea content |
| xAI (Grok) | Evidence collection | Search queries (derived from idea) |
| Serper | Web search for evidence | Search queries (derived from idea) |
| Reddit (PRAW) | Evidence collection | Public Reddit data only |
| GitHub | Evidence collection | Public GitHub data only |
| Resend | Transactional email | Email address, run status |
| Cloudflare R2 | PDF report storage | Generated PDF files |
| Railway | Backend hosting | All application data |
| Vercel | Frontend hosting | Web traffic, logs |

We do not share your personal data (email, name) with evidence collection services (Serper, Reddit, GitHub). Only anonymized search queries derived from your idea content are used.

06

Data Retention

  • Account data: retained for the duration of your account, plus 90 days after deletion request.
  • Idea submissions and run results: retained while your account is active. You may delete individual ideas from your dashboard.
  • Generated PDF reports: retained in cloud storage for 12 months from generation date, then automatically deleted.
  • Payment records: retained for 7 years as required for accounting and tax compliance.
  • Error logs and technical data: retained for 30 days, then deleted.

07

Cookies and Tracking

We use a minimal set of cookies necessary for the Service to function:

  • Authentication cookies set by Clerk — necessary for keeping you logged in.
  • Session state cookies — necessary for the application to function correctly.

We do not currently use advertising cookies, third-party tracking pixels, or analytics cookies that track you across other websites. If we introduce analytics tools in the future, we will update this policy and obtain appropriate consent.

08

Data Security

We implement technical and organizational measures to protect your data, including:

  • Row-level security (RLS) on our database — your data is isolated from other users at the database level.
  • All data in transit is encrypted via TLS/HTTPS.
  • Database data is encrypted at rest.
  • Access to production systems is restricted to authorized personnel only.
  • API authentication via short-lived JWT tokens.

No system is completely secure. In the event of a data breach that affects your personal data, we will notify you in accordance with applicable law.

09

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate data.
  • Deletion — request deletion of your personal data (subject to retention obligations).
  • Portability — request your data in a machine-readable format.
  • Objection — object to certain processing of your data.
  • Restriction — request that we restrict processing while a dispute is resolved.

To exercise any of these rights, contact us at legal@verdiccio.com. We will respond within 30 days.

You may delete your account at any time by contacting us. Account deletion will trigger deletion of your personal data, subject to retention obligations described in Section 06.

10

International Data Transfers

Verdiccio operates infrastructure in the United States and Europe (Cloudflare R2 storage is EU-based). By using the Service, you acknowledge that your data may be processed in countries outside your own jurisdiction.

For users in the European Economic Area (EEA) or UK: where we transfer data outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions.

11

Children's Privacy

The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at legal@verdiccio.com and we will delete it promptly.

12

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice in the Service at least 14 days before the changes take effect.

The date at the top of this page indicates when the policy was last updated.

13

Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Dmytro Sirosh, sole trader
Kyiv, Ukraine
legal@verdiccio.com