Effective date: June 26, 2026 · Last updated: June 26, 2026
VERIDIEN (SP08022026) ("Veridien," "we," "us," or "our") is committed to protecting your privacy and the privacy of your guests. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you use the Veridien platform, our website, mobile and desktop applications, and related services (collectively, the "Service").
This policy applies to all users of the Service, including property owners, staff members (Authorized Users), and guests whose data is processed through the Service. It does not apply to anonymized, de-identified, or aggregated data. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller and Processor Roles
Under the General Data Protection Regulation (GDPR) and applicable data protection laws:
- Veridien as Data Processor: When you use the Service to manage guest records, reservations, and property operations, you (the Customer) are the data controller and Veridien acts as the data processor. We process guest personal data strictly on your behalf and in accordance with your instructions. You are responsible for having a lawful basis and any required consents for the guest data you make available to the Service.
- Veridien as Data Controller: For data we collect directly from you as a customer or website visitor — such as your account registration information, billing details, and website analytics — Veridien acts as the data controller.
A Data Processing Agreement (DPA) is available upon request for customers subject to the GDPR, the UK GDPR, or other applicable data protection regulations. Contact [email protected] to request a copy.
2. Information We Collect
We collect information in the following categories:
2.1 Account Information. When you register, we collect your name, email address, phone number, job title, business and professional details, property name, property address, account credentials, and billing information. This is necessary to create and maintain your account and process payments.
2.2 Guest Data (Processed on Your Behalf). As a data processor, we process guest personal data that you or your Authorized Users enter into the Service. This may include guest names, email addresses, phone numbers, national ID or passport numbers, payment details, reservation and stay history, preferences, and communication records. We do not sell guest or employee data we process on your behalf, and we use it only to provide the Service.
2.3 Payment Data. When you pay for the Service or collect payments from guests, card and bank details are processed by a PCI DSS-certified payment processor on our behalf. We do not store full card numbers. We may process billing addresses, transaction metadata (amount, date, method), and IP address for security and fraud prevention.
2.4 Usage and Technical Data. We automatically collect information about how you interact with the Service, including pages viewed, features used, clicks, session duration and frequency, log files and error reports, referring URLs, and search terms.
2.5 Device and Location Data. We collect device type, model, operating system, browser type and version, device identifiers, IP address, and general (country/region) location, which we may use for security and fraud risk assessment.
2.6 Communication Data. When you contact us via email, the contact form, or support channels, we collect your name, email address, and the content of your communications.
2.7 Marketing Data. Where you opt in, we process your email address, name, communication preferences, marketing-consent status, and engagement data (such as email opens and clicks).
2.8 Security and Fraud Data. We process login and authentication data, access logs, usage patterns, device fingerprints, and anomaly-detection data to verify accounts, prevent unauthorized access, and detect fraud and abuse.
2.9 Cookies and Similar Technologies. We use essential cookies for authentication, session management, and security, and analytics cookies to understand usage. See Section 11 for details.
3. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases as defined by GDPR Article 6:
- Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Service, including account management, billing, support, and feature delivery. Certain AI-enabled and automated features operate as part of performing our contractual obligations.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including improving and securing the Service, preventing fraud, and conducting analytics, balanced against your rights and freedoms.
- Consent (Art. 6(1)(a)): Where we rely on consent (e.g., optional marketing communications), you may withdraw it at any time.
- Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, tax and accounting requirements, and lawful requests.
4. How We Use Your Information
We use collected information to:
- Provide, operate, and maintain the Service
- Process transactions and send billing-related communications
- Authenticate users and manage account security
- Provide customer support and respond to inquiries, including via automated tools and AI assistants
- Analyze usage patterns to improve features, performance, and user experience
- Detect, prevent, and address fraud, abuse, and security incidents
- Send product updates and service-related notifications
- Conduct internal research and develop new features
- Comply with legal obligations and enforce our Terms of Service
- Generate anonymized, aggregated analytics for benchmarking (no individual identification)
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.
5. Use of Artificial Intelligence
We use AI and machine-learning technologies — including our Vesper AI assistant and third-party AI providers — to power features such as guest communication, support, search, content generation, workflow automation, and fraud prevention. Where personal data is processed by these technologies, it is processed solely to provide and improve the Service, under appropriate contractual, organizational, and technical safeguards.
We do not use AI for solely automated decision-making that produces legal or similarly significant effects on individuals without meaningful human involvement. Where AI supports recommendations, classifications, or other outputs that may affect individuals, final decisions are made or meaningfully reviewed by authorized personnel. We do not use your data to train third-party providers' general models except as permitted by our agreements with them.
6. Data Sharing and Sub-Processors
We share personal data only in the following circumstances and with the following categories of recipients, all of whom are bound by appropriate security and confidentiality obligations:
6.1 Infrastructure Providers. We use Sevalla, a SOC 2 Type II and ISO 27001 certified cloud platform built on Google Cloud, to host and operate the Service.
6.2 Payment Processors. Payments are handled by PCI DSS Level 1 certified processors. We do not store or have access to full card numbers.
6.3 Email and Communication Services. We use third-party providers to deliver transactional and, where applicable, marketing emails and messages.
6.4 Channel Manager and Industry Partners. If you enable the Channel Manager, availability, rates, and reservation data are synchronized with Third-Party Channels (such as Booking.com, Airbnb, and Expedia) through our integration with Channex. Data shared with those channels is governed by their respective privacy policies.
6.5 AI Providers. If you use Vesper AI or other AI features, certain data may be processed by AI providers (such as OpenAI) under data processing agreements, solely to provide the feature.
6.6 Analytics and Support Tools. We use analytics and customer-support tools to understand usage and assist you, processing usage data, device information, and support communications.
6.7 Affiliates and Business Transfers. We may share data among our affiliates and subsidiaries for the purposes described here, and, in connection with a merger, acquisition, financing, or sale of assets, with the relevant party. We will notify affected customers before their data becomes subject to a different privacy policy.
6.8 Legal Requirements. We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Veridien, our customers, or others.
A complete and current list of our sub-processors is available upon request at [email protected].
7. International Data Transfers
Veridien operates globally, and your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection. For transfers from the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our DPA
- Adequacy decisions where applicable
- Supplementary measures including encryption and access controls where required by a transfer impact assessment
8. Data Storage and Security
Your data is safe with us. As a SaaS company dedicated to serving the hospitality industry, we take data security extremely seriously and continuously monitor and improve our security posture. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we apply robust safeguards.
8.1 Infrastructure Security. The Service is hosted on Sevalla, a SOC 2 Type II certified platform powered by Google Cloud. All servers reside within isolated networks with enterprise-grade security and DDoS and Web Application Firewall (WAF) protection across all endpoints.
8.2 Encryption. All data in transit is protected using TLS 1.2 or higher. All data at rest is encrypted using AES-256, including database storage and backups. Encryption keys are managed with automatic rotation.
8.3 Compliance Standards. Our critical service providers — infrastructure (Sevalla/Google Cloud), payment processing, email delivery, and data storage — maintain SOC 2 and GDPR compliance. Veridien is actively pursuing SOC 2 Type II and formal GDPR certification for its own operations, designed to meet the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy. We will update this section as our certifications are completed.
8.4 Network Security. We deploy firewalls, intrusion detection and prevention systems (IDS/IPS), and anti-malware across our infrastructure. Access to production systems requires multi-factor authentication and is logged and monitored. We conduct regular vulnerability assessments and penetration testing.
8.5 Access Control. Access to Customer Data is restricted on a need-to-know basis through role-based access control (RBAC), periodically reviewed and audited. Veridien employees undergo background checks and security awareness training.
8.6 PCI DSS. Veridien does not directly store, process, or transmit cardholder data; all payment processing is delegated to PCI DSS Level 1 certified processors, and we maintain PCI DSS SAQ-A compliance for our integration architecture.
8.7 Backup and Disaster Recovery. Customer Data is continuously backed up with point-in-time recovery, replicated to geographically separate regions. Recovery procedures are tested quarterly, with a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour.
8.8 Device Independence. Because the Service is cloud-based, your data remains safe even if your local machine is compromised or fails. Your property data is never stored locally on your computer.
8.9 IP Restriction. For properties requiring additional access control, Veridien supports IP address allowlisting, configurable by the property administrator. You are responsible for maintaining the confidentiality of your account credentials and for activity under your account.
9. Incident Response and Breach Notification
We maintain a documented incident response plan that is reviewed and updated regularly. In the event of a confirmed security incident or data breach affecting your personal data:
- We will notify affected customers within 72 hours of confirmation, in compliance with GDPR Article 33
- We will provide details about the nature of the breach, the categories of data affected, the likely consequences, and the measures taken
- We will cooperate with relevant supervisory authorities as required
- We will take immediate steps to contain the breach, mitigate harm, and prevent recurrence
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law:
- Account Data: For the duration of your active account; deleted within 30 days of account deletion, except as required by law.
- Guest Data: For as long as you maintain your account. You are responsible for managing guest-data retention under your own obligations.
- Billing Records: Retained for 7 years, as required by tax and accounting regulations.
- Audit Logs: Retained for 2 years to support security investigations and compliance.
- Communication Data: Support correspondence retained for 3 years after the last interaction.
- Suspended Accounts: Retained for 60 days following suspension for non-payment, after which we may permanently delete the data.
Where we no longer need data, we delete it or anonymize/aggregate it; anonymized and aggregated data may be retained indefinitely for research, analytics, and service improvement.
11. Cookies and Tracking Technologies
We use the following categories of cookies:
Essential Cookies. Required for the Service to function, including authentication, security tokens (CSRF protection), and preference cookies (language, theme). These cannot be disabled.
Analytics Cookies. Used to understand how visitors interact with our website and Service, collecting aggregated, anonymized usage and performance data.
No Advertising Cookies. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking, and we do not participate in ad networks or sell data to advertisers.
Managing Cookies. You can control cookies through your browser settings (to refuse, accept, or be notified about cookies), and manage tracking on mobile devices through your device settings. You can opt out of Google Analytics using the Google Analytics Opt-Out Browser Add-on. Blocking or deleting certain cookies may affect the functionality of the Service.
12. Marketing Communications
Where you have opted in, we may send you product updates and marketing emails. You can opt out at any time using the unsubscribe link in those emails or by contacting [email protected]. Opting out of marketing does not affect service, transactional, or administrative messages relating to your account.
13. Your Rights Under GDPR
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of Access (Art. 15) — request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) — request deletion of your data, subject to legal exceptions.
- Right to Restriction (Art. 18) — request that we restrict processing in certain circumstances.
- Right to Data Portability (Art. 20) — receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to Object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent (Art. 7) — withdraw consent at any time without affecting prior lawful processing.
- Right to Lodge a Complaint — complain to your local supervisory authority.
To exercise any of these rights, contact [email protected]. We will respond within 30 days and may ask you to verify your identity first.
Guest Data Rights. If you are a guest whose data was processed by a property using Veridien, please direct your request to that property (the data controller). We will assist the property in accordance with our DPA.
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights with respect to personal information we process as a "business," subject to applicable exceptions. Where we process personal information on behalf of customers as a "service provider," we do so under contractual restrictions and do not sell or share it for our own purposes.
- Right to Know — request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to Delete — request deletion of your personal information, subject to exceptions (e.g., completing transactions, security, legal compliance).
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing — we do not sell your personal information for monetary consideration and do not use third-party advertising or cross-site tracking. To the extent any sharing qualifies as a "sale" or "sharing" under the CCPA, you may opt out by contacting [email protected].
- Right to Non-Discrimination — we will not discriminate against you for exercising your rights.
Authorized Agents. You may use an authorized agent to submit a request, with proof of authorization. Verification. We will verify your identity before responding, typically by confirming information we already hold (such as your account email). We cannot fulfill requests we are unable to verify.
15. Other Regional Rights
Brazilian Residents (LGPD). If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados that are substantially similar to those in Section 13. Contact [email protected].
Residents of other jurisdictions may have additional rights under local law; contact us and we will honor applicable rights.
16. Children's Privacy
The Service is a business tool intended for individuals 18 years of age or older, and is not directed to children. We do not knowingly collect personal information from anyone under 16. If we become aware that we have collected personal data from a child without appropriate consent, we will delete it promptly. If you believe we may have collected data from a minor, contact [email protected].
17. Reporting Security Issues
If you have found any issues or vulnerabilities impacting the data security or privacy of Veridien users, please report them immediately to [email protected] with the relevant details so we can investigate right away. We will review your report promptly, may ask for your help in replicating the issue, and will acknowledge your contribution (with your permission) once resolved. We kindly request reasonable time to investigate and remediate before public disclosure.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 30 days before they take effect by emailing the address associated with your account, posting a notice within the Service, and updating the "Last updated" date above. Where required for legal reasons, changes may take effect immediately. Your continued use after the effective date constitutes acceptance.
19. Data Protection Officer and EU Representative
Veridien has appointed a Data Protection Officer (DPO) to oversee compliance with applicable data protection laws. You can contact our DPO at [email protected] with the subject line "DPO Inquiry."
For questions regarding the processing of personal data of individuals in the European Union, you may also contact our designated EU representative at [email protected].
20. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: [email protected]
- Data Protection Officer: [email protected]
- EU Representative: [email protected]
- Security issues: [email protected]
- General support: [email protected]
We will respond to all privacy-related inquiries within 30 days.