Privacy Policy
Verithentic LLC
Last updated: March 26, 2026
This Privacy Policy ("Policy") describes how Verithentic LLC ("Verithentic," "Company," "we," "us," or "our"), a limited liability company with its principal place of business at Central One District, C1 Building, Dubai, collects, uses, stores, shares, and protects information in connection with the Verithentic platform and all related services, applications, tools, and features (collectively, the "Service").
This Policy applies to all users of the Service, including account holders, authorized users, administrators, employees, and any other individuals who access or interact with the Service. This Policy also describes the choices available to you regarding the use of your information and how you can access, update, and request deletion of your information.
By accessing or using the Service, creating an Account, or submitting information through the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. This Privacy Policy is incorporated into and forms part of our Terms of Use.
1. Information We Collect
1.1 Account and Identity Information
- Full name, email address, phone number, and mailing address
- Password (stored in hashed form using bcrypt cryptographic hashing; never stored in plaintext)
- Profile image (if uploaded)
- Geographic location data (Mapbox place ID, if address lookup is used)
1.2 Organization and Business Information
- Company name, display name, legal name, business type, and description
- Business address, geographic coordinates, phone, email, fax, and website
- Business license number and Employer Identification Number (EIN)
- Tax rate, currency, date format preferences, time zone, and business hours
- Shop labor rate and revenue goals
1.3 Customer and Client Data
Users input data about their own customers (end customers of the automotive repair shop):
- Customer name, email address, phone number, and mailing address
- Customer tags and classifications (e.g., VIP, Fleet, Warranty)
- Internal notes and service date overrides
1.4 Vehicle Information
- Vehicle Identification Number (VIN) and license plate number
- Year, make, model, trim, and color
- Current mileage and decoded vehicle specifications (via VIN Decode)
1.5 Work Order and Service Data
- Work order identifiers, status, and authorization status
- Technician and service advisor assignments
- Service line items, parts used, pricing, and labor hours
- Estimated and actual costs, ETA, and completion times
- Internal notes, customer-facing notes, tags, and bay assignments
1.6 Digital Vehicle Inspection (DVI) Data
- Inspection mode, categories, item condition assessments, and priority classifications
- Specialized measurements (brake pad depth, battery voltage, fluid condition)
- Photographs captured during inspection with metadata (file name, size, upload timestamp)
- Technician notes, findings, timeline recommendations, and inspection timer data
1.7 Financial and Payment Data
- Subscription plan, billing status, and payment amounts
- Stripe customer ID and subscription ID (assigned by Stripe)
- Invoice reference numbers and line items
- Metered usage data (seat count, storage usage, AMI usage metrics)
Important: We do not directly store credit card numbers, CVV codes, or full payment card details. All sensitive payment information is processed and stored exclusively by our payment processor, Stripe, Inc., in accordance with PCI DSS standards.
1.8 Employee and Staff Data
- Employee name, job title, phone number, and employment type
- Start date, professional certifications, and organizational role
- Time-off requests (type, date range, notes, approval status) and absences
- Workload assignments and bay assignments
1.9 Appointment and Scheduling Data
- Appointment identifiers, title, description, and date/time
- Customer, vehicle, and service associations
- Appointment status, confirmation token, and confirmation timestamps
- Assigned technician, bay, and customer notes
1.10 Review and Feedback Data
- Overall rating and category-specific ratings (service quality, advisor, technician, cleanliness, shuttle)
- Written comments, public consent flag, and anonymization preferences
- Review request tokens, status, and timestamps
1.11 Authentication and Security Data
- Password hashes (bcrypt — never stored in plaintext)
- Two-factor authentication (2FA) secrets (encrypted with AES-256-GCM) and backup codes (hashed)
- Email verification status and timestamps
- Failed login attempt counts and timestamps
- OAuth provider connections (Google, GitHub) with provider IDs
1.12 Device Session and Access Data
- IP addresses, user agent strings, device type, browser, and operating system
- Session creation, last activity, and expiration timestamps
- Session revocation status
1.13 Audit and Activity Logs
- Actor user ID, target user ID, action type, IP address, metadata, and timestamp
1.14 AI Interaction Data (AMI)
- Conversation identifiers, titles, and sequence numbers
- Message content (both user inputs and AI-generated responses), role, and timestamps
- Session state data (selected customer, vehicle, work order context)
- Action log entries (type, payload, execution status, execution time)
- AMI terms acceptance records (IP address, user agent, acceptance timestamp)
- AMI usage metrics (feature used, quantity, metadata)
1.15 Automatically Collected Technical Data
- IP address, browser type and version, operating system, and device type
- Pages visited within the Service and time/date of access
- Performance metrics (page load times, interaction events)
- Error logs and diagnostic data
2. How We Collect Information
2.1 Information You Provide Directly: When you create an Account, enter customer/vehicle/work order data, interact with AMI, configure settings, provide payment information, or accept terms of service.
2.2 Information Collected Automatically: Through server logs, session management, analytics (Vercel Analytics), and audit logging.
2.3 Information from Third-Party Sources: From OAuth providers (Google, GitHub) during social login; from Stripe via payment webhooks; from VIN decode services; and from AI service providers via AMI responses.
3. How We Use Your Information
3.1 Service Delivery: To provide, operate, and maintain the Service including customer management, vehicle tracking, work orders, appointments, DVI inspections, estimates, invoices, inventory, employee management, bay assignments, review collection, AMI functionality, and public booking pages.
3.2 Billing and Payments: To process subscription payments, calculate metered usage, manage upgrades/downgrades, and communicate billing information.
3.3 Communication: To send transactional emails (verification, password resets, 2FA codes), operational notifications (appointment confirmations, work order updates), customer-facing communications (estimates, invoices, review requests), and push notifications.
3.4 Security and Fraud Prevention: To authenticate identities, manage sessions, enforce 2FA, detect and prevent unauthorized access, maintain audit logs, track device sessions, and enforce RBAC.
3.5 Service Improvement: To monitor performance, analyze usage patterns, diagnose issues, improve features, and generate anonymized benchmarks.
3.6 Compliance: To comply with applicable laws, respond to lawful government requests, enforce Terms of Use, and protect rights and safety.
3.7 AI Training Disclaimer: Verithentic does not use your Customer Data, conversational inputs, or any personally identifiable information to train, fine-tune, or improve third-party AI models.
4. AI-Specific Data Processing (AMI)
4.1 Data Transmitted to AI Providers. When you interact with AMI, the following data may be transmitted to our third-party AI service provider: your conversational input; contextual company data (customer names, vehicle details, work order information, service catalog data, employee information, financial summaries, inventory data, appointment data); user role and permission context; and company time zone.
4.2 Purpose. Data is used exclusively for generating responses, executing automated actions, producing reports, and providing contextual automotive guidance.
4.3 AI Provider Retention. Data transmitted to third-party AI providers is processed according to their data handling policies. Verithentic selects providers that commit to commercially reasonable data protection but cannot guarantee specific retention practices of third parties.
4.4 Conversation History. Verithentic stores AMI conversations, messages, session state, and action logs to provide continuity, enable history access, and support usage metering. Users may delete individual conversations through the Platform.
4.5 Terms Acceptance Tracking. When you accept AMI terms, we record your account identifier, Company Workspace, IP address, user agent, and timestamp as a legal record of consent.
5. Information Sharing and Disclosure
Verithentic does not sell, rent, or trade your Personal Data or Customer Data to third parties for their marketing purposes. We share information only in the following circumstances:
- Within Your Company Workspace: Among Authorized Users according to role-based access controls.
- With Third-Party Service Providers: Who perform services on our behalf, contractually obligated to maintain appropriate security (see Section 6).
- For Legal Compliance: When required by law, regulation, or legal process; to enforce Terms; to protect rights, property, or safety.
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets.
- With Your Consent: When you have explicitly consented to sharing.
- Aggregated and Anonymized: De-identified information may be shared for any lawful purpose.
6. Third-Party Service Providers
6.1 Payment Processing — Stripe, Inc.
Data shared: Billing address, email, subscription details, payment amounts. Stripe processes payment card information directly (not stored by Verithentic). PCI DSS Level 1 certified.
6.2 Authentication — Google (OAuth), GitHub (OAuth)
Data received: Profile name, email, profile picture, unique provider identifiers. Used for authentication and account linking.
6.3 AI Processing — Third-Party LLM Provider
Data shared: Conversational inputs and contextual Company Workspace data. Used for AMI AI assistant functionality. Provider-level encryption in transit and at rest.
6.4 Email Delivery — SMTP Service
Data shared: Recipient email addresses and email content (confirmations, codes, estimates, invoices, review requests). TLS encryption for transmission.
6.5 Hosting and Infrastructure — Vercel
All data transmitted through the Service passes through Vercel's infrastructure. Analytics collected: page views, performance metrics, web vitals.
6.6 Database — Neon (PostgreSQL)
All persistent data is stored on Neon's managed database infrastructure with encryption at rest and in transit.
6.7 Vehicle Data — VIN Decode Services
VINs are shared with external services to retrieve vehicle year, make, model, trim, and specifications.
6.8 Address Lookup — Mapbox
Address strings shared for validation, geocoding, and geographic coordinate determination.
7. Cookies, Tracking, and Similar Technologies
Essential Cookies: Authentication session tokens (NextAuth) and CSRF security tokens. These are required for the Service to function.
Functional Cookies: User preference cookies (e.g., theme selection via next-themes).
Analytics: Vercel Analytics collects aggregated performance metrics and page views. It is privacy-focused and does not use third-party cookies.
Push Notifications: When opted in, we store push subscription endpoint URL, encryption keys, authentication secret, and user agent. This data is deleted when you unsubscribe.
No Third-Party Advertising or Tracking Cookies. The Service does not use advertising cookies, social media tracking pixels, or cross-site tracking technologies. We do not serve advertisements within the Service.
8. Data Retention
Active Account Data: Account, company, customer, vehicle, work order, and operational data is retained for the life of your Account/Company Workspace until explicitly deleted. AMI conversation history is retained until individually deleted. Audit logs and financial records are retained in accordance with applicable requirements.
Temporary Data: Email verification codes expire within 24 hours. Magic link tokens expire within 15 minutes. Review request tokens expire per company configuration (default: 7 days). Expired device sessions are purged daily.
Post-Termination: Customer Data is retained for up to 90 days for export, then permanently deleted. Audit logs and billing records may be retained longer as required by law. Anonymized data is retained indefinitely.
9. Data Security
Verithentic implements comprehensive security measures:
- Encryption in Transit: All data transmitted via TLS/HTTPS.
- Encryption at Rest: Database encryption via Neon PostgreSQL.
- Selective Field Encryption: 2FA TOTP secrets encrypted with AES-256-GCM; passwords hashed with bcrypt; tokens and backup codes hashed before storage.
- Access Controls: Role-based access control (RBAC), multi-tenant data isolation, 2FA support, and configurable session expiration.
- Monitoring: Audit logging, device session tracking, failed login monitoring, and brute-force protection.
- Application Security: Zod schema validation, parameterized queries (Prisma ORM), CSRF protection, and secure cookie configuration.
While we employ commercially reasonable security measures, no method of transmission over the Internet is completely secure. We cannot guarantee the absolute security of your information.
10. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
- Right of Access: Request confirmation of whether we process your Personal Data and access such data. Much information is accessible directly through the Platform.
- Right to Rectification: Request correction of inaccurate or incomplete data. Most information can be updated through Platform settings.
- Right to Erasure: Request deletion of your Personal Data, subject to legal retention requirements. Delete specific records and AMI conversations through the Platform.
- Right to Restriction: Request restriction of processing in certain circumstances.
- Right to Data Portability: Receive your data in structured, commonly used formats (CSV, PDF exports available).
- Right to Object: Object to processing based on legitimate interests, including direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time by disabling optional features, adjusting notification preferences, or contacting legal@verithentic.com.
- Right to Lodge a Complaint: Lodge a complaint with a competent data protection authority.
To exercise any of these rights, contact legal@verithentic.com. We will respond within the timeframes required by applicable law. We will not discriminate against you for exercising your privacy rights.
11. Cross-Border Data Transfers
Verithentic operates from Dubai and utilizes infrastructure that may process your data in jurisdictions outside your country of residence, including the United States and the European Economic Area. When your data is transferred internationally, we implement appropriate safeguards including contractual protections, standard contractual clauses, and selection of providers with industry-recognized security certifications.
12. Children's Privacy
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect Personal Data from children under 18. If we become aware that we have collected such data, we will take reasonable steps to delete it promptly. Contact legal@verithentic.com if you believe we have collected data from a child under 18.
13. Data Controller and Data Processor Roles
Verithentic as Data Controller: For account/identity information, billing data, technical/usage data, and information necessary to maintain the Service.
Verithentic as Data Processor: For Customer Data that Organizations input and process within their Company Workspaces (customer records, vehicle data, work orders, employee data, DVI inspections, financial documents). Organizations are responsible for ensuring their data collection complies with applicable laws.
14. Legal Basis for Processing
- Performance of a Contract: Account management, service delivery, billing, and subscription-related communications.
- Legitimate Interests: Security, fraud prevention, service improvement, analytics, audit logging, and compliance.
- Consent: Optional features (AMI, Reviews, Online Booking), push notifications, and non-essential communications.
- Legal Obligations: Financial record-keeping, tax compliance, and lawful government requests.
15. Automated Decision-Making and Profiling
The AMI AI assistant processes data using automated means but does not make legally significant decisions without human oversight. AMI outputs are advisory and require human review. Automated processing for appointment scheduling, usage billing, review delivery, and session cleanup is operational in nature and does not produce legal effects on individuals. If you believe automated processing has significantly affected you, contact legal@verithentic.com for human review.
16. Changes to This Privacy Policy
Verithentic reserves the right to update this Policy at any time. For material changes, we will provide notice through the Platform or email. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy.
17. Contact Information
For questions regarding this Privacy Policy or our data practices, please contact:
Verithentic LLC
Central One District
C1 Building
Dubai
Email: legal@verithentic.com
© 2026 Verithentic LLC. All rights reserved.