Privacy Policy

Effective date: March 1, 2026 · Last updated: March 23, 2026

Veridien Technologies Ltd. ("Veridien," "we," "us," or "our") is committed to protecting your privacy and the privacy of your guests. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you use the Veridien platform, our website, mobile applications, and related services (collectively, the "Service").

This policy applies to all users of the Service, including property owners, staff members (Authorized Users), and guests whose data is processed through the Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller and Processor Roles

Under the General Data Protection Regulation (GDPR) and applicable data protection laws:

• Veridien as Data Processor: When you use the Service to manage guest records, reservations, and property operations, you (the Customer) are the data controller and Veridien acts as the data processor. We process guest personal data strictly on your behalf and in accordance with your instructions.
• Veridien as Data Controller: For data we collect directly from you as a customer or website visitor — such as your account registration information, billing details, and website analytics — Veridien acts as the data controller.

A Data Processing Agreement (DPA) is available upon request for customers subject to GDPR, the UK GDPR, or other applicable data protection regulations. Contact [email protected] to request a copy.

2. Information We Collect

We collect information in the following categories:

2.1 Account Information. When you register for the Service, we collect your name, email address, phone number, job title, property name, property address, and billing information. This data is necessary to create and maintain your account and process payments.

2.2 Guest Data (Processed on Your Behalf). As a data processor, we process guest personal data that you or your Authorized Users enter into the Service. This may include guest names, email addresses, phone numbers, national ID or passport numbers, payment details, stay history, preferences, and communication records. You are responsible for ensuring that you have a lawful basis for collecting and processing this data.

2.3 Usage Data. We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, browser type, device information, IP address, and referring URLs. This data helps us improve performance and user experience.

2.4 Communication Data. When you contact us via email, the contact form, or support channels, we collect your name, email address, and the content of your communications.

2.5 Cookies and Similar Technologies. We use essential cookies required for authentication, session management, and security. We use analytics cookies to understand usage patterns. We do not use third-party advertising or tracking cookies. See Section 9 for full details.

3. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases as defined by GDPR Article 6:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Service, including account management, billing, and feature delivery.
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including improving the Service, preventing fraud, ensuring security, and conducting analytics. We balance these interests against your rights and freedoms.
• Consent (Art. 6(1)(a)): Where we rely on consent (e.g., for optional marketing communications), you may withdraw consent at any time by contacting us or using the unsubscribe mechanism provided.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or legal proceedings.

4. How We Use Your Information

We use collected information for the following purposes:

• Providing, operating, and maintaining the Service
• Processing transactions and sending billing-related communications
• Authenticating users and managing account security
• Providing customer support and responding to inquiries
• Analyzing usage patterns to improve features and performance
• Detecting, preventing, and addressing fraud, abuse, and security incidents
• Sending product updates and service-related notifications
• Complying with legal obligations and enforcing our Terms of Service
• Generating anonymized, aggregated analytics for benchmarking (no individual identification)

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5. Data Sharing and Sub-Processors

We share personal data only in the following circumstances and with the following categories of recipients:

5.1 Infrastructure Providers. We use Sevalla, a SOC 2 Type II and ISO 27001 certified cloud platform built on Google Cloud, to host and operate the Service. Data may be stored in regions within the European Union or the United States, depending on your selected data residency.

5.2 Payment Processors. Payment transactions are handled by PCI DSS Level 1 certified third-party processors. We do not store, process, or have access to full credit card numbers.

5.3 Email and Communication Services. We use third-party email delivery services to send transactional emails (account verification, password resets, billing notifications). These providers process email addresses and message content solely for delivery purposes.

5.4 Channel Manager Integrations. If you enable the Channel Manager add-on, reservation data is synchronized with the OTA platforms you connect (e.g., Booking.com, Expedia). Data shared with OTAs is governed by their respective privacy policies.

5.5 AI Services. If you enable the Hera AI add-on, guest communication data may be processed by third-party AI providers to generate responses. We use providers that offer data processing agreements and do not use your data to train their models.

5.6 Legal Requirements. We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Veridien, our customers, or others.

5.7 Business Transfers. In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify affected customers before their data becomes subject to a different privacy policy.

A complete list of our current sub-processors is available upon request at [email protected].

6. International Data Transfers

Veridien operates globally, and your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries not deemed to provide adequate data protection, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreement
• Adequacy decisions where the European Commission has determined that a country provides adequate data protection
• Supplementary measures including encryption and access controls where required by data transfer impact assessments

7. Data Storage and Security

Your data is safe with us. As a SaaS company dedicated to serving the hospitality industry, we take data security extremely seriously. Protecting your data and your guests' data is critical to our mission, and we continuously monitor and improve our security posture.

7.1 Infrastructure Security. The Service is hosted on Sevalla, a SOC 2 Type II certified cloud platform powered by Google Cloud infrastructure. All servers reside within isolated networks with enterprise-grade security. No direct connection is possible from outside without proper authentication. Sevalla maintains Cloudflare-level DDoS protection and Web Application Firewall (WAF) coverage across all endpoints.

7.2 Encryption. All data in transit is protected using TLS 1.2 or higher. All data at rest is encrypted using AES-256 encryption, including database storage and backups. Encryption keys are managed with automatic rotation.

7.3 Compliance Standards. All of our critical service providers — including infrastructure (Sevalla/Google Cloud), payment processing, email delivery, and data storage — maintain SOC 2 and GDPR compliance certifications. Veridien is actively in the process of obtaining SOC 2 Type II certification and formal GDPR compliance certification for our own operations. Our compliance program is designed to meet the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy. We will update this section as our certifications are completed.

7.4 Network Security. We deploy firewalls, intrusion detection and prevention systems (IDS/IPS), and anti-malware solutions across our infrastructure. All access to production systems requires multi-factor authentication and is logged and monitored. We conduct regular vulnerability assessments and penetration testing.

7.5 Access Control. Access to Customer Data is restricted on a need-to-know basis. All Veridien employees undergo background checks and security awareness training. Access is granted through role-based access control (RBAC) and is periodically reviewed and audited.

7.6 PCI DSS. Veridien does not directly store, process, or transmit cardholder data. All payment processing is delegated to PCI DSS Level 1 certified third-party processors. We maintain PCI DSS SAQ-A compliance for our integration architecture.

7.7 Backup and Disaster Recovery. To prevent loss of data due to any unforeseen situation, Customer Data is continuously backed up with point-in-time recovery capabilities. Backups are automatically replicated to geographically separate regions. Our disaster recovery procedures are tested quarterly, with a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour.

7.8 Device Independence. Because the Service is entirely cloud-based, your data remains safe even if your local machine is compromised by malware or experiences a hardware failure. You can always access the Service from a different device. Your property data is never stored locally on your computer.

7.9 IP Restriction. For properties requiring additional access control, Veridien supports IP address allowlisting. When enabled, users can only access the Service from approved IP addresses. This feature can be configured by the property administrator in the settings panel.

8. Incident Response and Breach Notification

We maintain a documented incident response plan that is reviewed and updated regularly. In the event of a confirmed security incident or data breach that affects your personal data:

• We will notify affected customers within 72 hours of confirmation, in compliance with GDPR Article 33 requirements
• We will provide details about the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address the breach
• We will cooperate with relevant supervisory authorities as required by applicable law
• We will take immediate steps to contain the breach, mitigate any harm, and prevent recurrence

9. Cookies and Tracking Technologies

We use the following categories of cookies:

Essential Cookies. Required for the Service to function. These include session cookies for authentication, security tokens (CSRF protection), and user preference cookies (language, theme). These cookies cannot be disabled.

Analytics Cookies. Used to understand how visitors interact with our website and Service. These cookies collect aggregated, anonymized data about page visits, feature usage, and performance metrics. You may opt out of analytics cookies through your browser settings.

No Advertising Cookies. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law:

• Account Data: Retained for the duration of your active account. Upon account deletion, personal data is permanently deleted within 30 days, except as required by law.
• Guest Data: Retained for as long as you maintain your account. You are responsible for managing guest data retention in accordance with your own privacy obligations and applicable laws.
• Billing Records: Retained for 7 years after the end of the relevant billing period, as required by tax and accounting regulations.
• Audit Logs: Retained for 2 years to support security investigations and compliance requirements.
• Communication Data: Support correspondence is retained for 3 years after the last interaction.
• Suspended Accounts: If your account is suspended due to non-payment, we retain your data for 60 days to allow for payment resolution. After 60 days, we reserve the right to permanently delete your data.

11. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:

• Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
• Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data, subject to certain exceptions (e.g., legal retention requirements).
• Right to Restriction (Art. 18): You have the right to request that we restrict processing of your personal data in certain circumstances.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to processing based on legitimate interests, including profiling. You may also object to processing for direct marketing purposes at any time.
• Right to Withdraw Consent (Art. 7): Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your member state of residence, place of work, or place of the alleged infringement.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

Guest Data Rights. If you are a guest whose data has been processed through the Service by a property using Veridien, please direct your rights request to the property (data controller) directly. We will assist the property in fulfilling your request in accordance with our Data Processing Agreement.

12. Additional Regional Rights

California Residents (CCPA/CPRA). If you are a California resident, you have the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights. To exercise these rights, contact [email protected].

Brazilian Residents (LGPD). If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD) that are substantially similar to those described in Section 11. Contact [email protected] to exercise your rights.

13. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly. If you believe we may have collected data from a minor, please contact us at [email protected].

14. Reporting Security Issues

We are always working to improve our security systems and safeguard your data. If you have found any issues or vulnerabilities impacting the data security or privacy of Veridien users, please report them immediately to [email protected] with the relevant details so we can investigate right away.

Your report will be reviewed immediately. We may ask for your guidance in identifying or replicating the issue and understanding any means to resolve the threat. Please be clear and specific about any information you provide. We deeply appreciate your help in detecting and fixing security issues, and will acknowledge your contribution (with your permission) once the vulnerability is resolved.

We kindly request that you allow us reasonable time to investigate and remediate the issue before disclosing it publicly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you at least 30 days before the changes take effect by:

• Sending an email to the address associated with your account
• Posting a prominent notice within the Service
• Updating the "Last updated" date at the top of this policy

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

16. Data Protection Officer

Veridien has appointed a Data Protection Officer (DPO) to oversee compliance with applicable data protection laws. You can contact our DPO at:

• Email: [email protected]
• Subject line: "DPO Inquiry"

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: [email protected]
• Data Protection Officer: [email protected]
• Security issues: [email protected]
• General support: [email protected]

We will respond to all privacy-related inquiries within 30 days.