Privacy Policy

Last updated: April 10, 2026

Introduction

VerifyWall ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our fraud detection API service and website. We process data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Data Controller

The data controller responsible for your personal data is:

  • Entity — BreiaDev, a Solo LLC operating VerifyWall as a SaaS product
  • Address — 468 Chemin de la Cassine, 73200 Albertville, France
  • Registration — SIRET [SIRET Number]
  • Contact — [email protected]

Data Collection

We collect the following categories of data:

Account Information

When you register, we collect your name, email address, and payment information. This data is necessary to provide our service and manage your subscription.

API Request Data

When you make API calls, we receive the email addresses, IP addresses, and domains you submit for verification. This data is processed to provide risk scoring results and is retained according to your plan's retention period.

Usage Data

We collect information about how you interact with our service, including API call frequency, dashboard usage, and feature access. This helps us improve our service and monitor system performance.

Technical Data

We automatically collect your browser type, operating system, IP address, and referring URLs when you visit our website. This data is used for security and analytics purposes.

Data Processing

We process your data under the following legal bases as defined by GDPR Article 6:

  • Contract performance — Processing account and API data is necessary to deliver the verification service you subscribed to.
  • Legitimate interest — We analyze usage patterns to improve our fraud detection algorithms, maintain system security, and prevent abuse of our platform.
  • Legal obligation — We may process and retain data to comply with tax, accounting, and other legal requirements.
  • Consent — Where required, we obtain your explicit consent before processing, such as for marketing communications. You may withdraw consent at any time.

API request data (emails, IPs, domains) is processed in real time to generate risk scores. We do not sell or share this data with third parties for their own marketing purposes.

Third-Party Sub-Processors

We use the following third parties to help deliver and operate our service:

  • Stripe — Stripe acts as an independent data controller and Merchant of Record for payment processing. When you subscribe, you enter a direct billing relationship with Stripe, and your payment data is subject to Stripe's Privacy Policy. Stripe is not a sub-processor of VerifyWall.
  • Resend — Sub-processor for transactional email delivery (account confirmations, password resets, usage notifications).
  • Laravel Cloud — Sub-processor for application hosting and infrastructure.

Data Retention

We retain your data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Account data — Retained for the duration of your account and up to 30 days after deletion to allow for account recovery.
  • API verification logs — Retained according to your plan tier: 7 days for Starter plans, 90 days for Sentinel plans.
  • Analytics data — Aggregated analytics are retained for up to 90 days depending on your plan. Individual records are purged according to your plan's retention period.
  • Billing records — Retained for 7 years as required by tax and accounting regulations.

When data reaches the end of its retention period, it is securely deleted or anonymized.

International Data Transfers

Some of our sub-processors operate outside the European Economic Area (EEA). When your personal data is transferred to countries that have not received an adequacy decision from the European Commission, we ensure appropriate safeguards are in place in accordance with GDPR Article 46:

  • EU adequacy decisions — Where available, we rely on adequacy decisions recognizing that the recipient country provides an adequate level of data protection.
  • Standard Contractual Clauses (SCCs) — For transfers to countries without an adequacy decision, we use EU-approved Standard Contractual Clauses to ensure your data receives equivalent protection.

You have the right to request a copy of the safeguards we have in place for international data transfers by contacting us at [email protected].

Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

  • Right of access — You can request a copy of all personal data we hold about you.
  • Right to rectification — You can request correction of inaccurate or incomplete personal data.
  • Right to erasure — You can request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction — You can request that we limit the processing of your data in certain circumstances.
  • Right to data portability — You can request your data in a structured, machine-readable format.
  • Right to object — You can object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR. If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority.

Automated Decision-Making and Profiling

VerifyWall uses automated algorithms to analyze API requests and generate risk scores. This profiling is a core part of our fraud detection service and is performed under GDPR Article 22 and Article 13(2)(f).

How Profiling Works

When an API request is submitted, our systems automatically analyze the provided data to produce a numerical risk score (0–100) and a risk level (none, low, medium, or high). This process is fully automated and occurs in real time.

Data Points Used in Scoring

Risk scores are calculated using a combination of signals, which may include:

  • Email patterns (disposable providers, free email services, missing MX records)
  • IP reputation (known proxies, VPNs, Tor exit nodes, datacenter IPs)
  • Domain age and registration details
  • ASN (Autonomous System Number) reputation
  • Geographic and network intelligence

Advisory Nature of Scores

Risk scores generated by VerifyWall are strictly advisory. They are provided to our API consumers (your service provider) as one input among many. The final decision on how to act upon a risk score — such as blocking a registration, requiring additional verification, or allowing access — remains entirely with the API consumer. VerifyWall does not make binding decisions about individuals.

Your Rights Regarding Automated Decisions

Even though our risk scores are advisory and non-binding, you have the right to:

  • Request human review — Ask that a human review any automated assessment that has affected you.
  • Express your point of view — Provide additional context or information that may be relevant to the assessment.
  • Contest the decision — Challenge the outcome of an automated decision and request a reassessment.

To exercise these rights, contact us at [email protected].

Cookies

We use cookies and similar technologies on our website:

  • Essential cookies — Required for authentication, session management, and security. These cannot be disabled.
  • Analytics cookies — Help us understand how visitors use our website. These are only set with your consent.

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use our service.

Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in transit — All data transmitted between your systems and VerifyWall is protected using TLS (Transport Layer Security) encryption.
  • Encryption at rest — Stored data, including API keys and webhook secrets, is encrypted at rest using industry-standard encryption algorithms.
  • Access controls — Role-based access controls restrict access to personal data to authorized personnel only, following the principle of least privilege.
  • Security reviews — We conduct regular security reviews and assessments of our infrastructure, code, and processes to identify and address potential vulnerabilities.
  • Data breach notification — In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

Contact Information

If you have questions about this Privacy Policy or our data practices, contact us at:

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website at least 30 days before the changes take effect. Continued use of our service after changes become effective constitutes acceptance of the updated policy.