Privacy Policy

Last updated: June 2026

This Privacy Policy explains how ("we", "us") collects, uses, and protects personal data when you use our platform. We are committed to complying with UK GDPR and the Data Protection Act 2018.

1. Who We Are

is the data controller for personal data collected about business owners, staff, and visitors to our platform. For personal data that you (as a business owner) hold about your own clients via the platform, you are the data controller and we act as your data processor.

Contact us at: privacy@veroproject.co.uk

2. Data We Collect

2.1 Business account holders and staff

  • Name, email address, phone number — provided at registration
  • Business name, address, trading information — provided during onboarding
  • Payment information — card details processed and held by Stripe; we store only a payment method token
  • Usage data — pages visited, features used, timestamps (for security and product improvement)
  • Communications — support emails and messages sent to us

2.2 End clients (customers of businesses using the platform)

If a business uses to manage their customer relationships, we process the following data as a data processor on that business's behalf:

  • Name, email, phone number
  • Booking history and appointment notes
  • Health notes and allergy information (where provided by the client)
  • Payment records
  • Photos uploaded by the business or the client

2.3 Website visitors

  • IP address and browser information (server logs, retained 30 days)
  • No third-party analytics cookies are currently set

3. How We Use Your Data

PurposeLawful basis
Provide and operate the ServiceContract performance
Process payments and manage billingContract performance
Send transactional emails (booking confirmations, reminders)Contract performance / Legitimate interest
Provide customer supportLegitimate interest
Detect and prevent fraud and abuseLegitimate interest
Comply with legal obligations (tax, GDPR requests)Legal obligation
Improve and develop the ServiceLegitimate interest
Send product update emails (opt-out available)Legitimate interest

4. Who We Share Data With

We do not sell personal data. We share data only with the following sub-processors:

Sub-processorPurposeLocation
StripePayment processingUSA (SCCs)
ResendTransactional email deliveryUSA (SCCs)
RailwayBackend hosting and databaseEU (Germany)
VercelFrontend hostingUSA (SCCs)
Cloudflare R2File and media storageEU (SCCs)
AnthropicAI assistant (ARIA) processingUSA (SCCs)

SCCs = Standard Contractual Clauses, providing an adequate transfer mechanism under UK GDPR.

5. How Long We Keep Your Data

  • Active accounts: for as long as your account is active
  • After account cancellation: dormant state for 12 months, then permanently deleted
  • Payment records: 7 years (required by HMRC)
  • Server logs: 30 days
  • Support communications: 3 years

6. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of personal data we hold about you
  • Correction — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (subject to legal retention obligations)
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Restriction — ask us to restrict processing in certain circumstances
  • Withdraw consent — where processing is based on consent

To exercise any right, contact us at privacy@veroproject.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

7. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. We will notify you and the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in risk to your rights and freedoms.

8. Cookies

We use a strictly necessary httpOnly session cookie for authentication. No consent is required for this cookie. See our Cookie Policy for details.

9. Changes to This Policy

We may update this policy. We will notify you of material changes by email at least 14 days before they take effect.