Privacy Policy
What we collect, why we collect it, how long we keep it, who we share it with, and the rights you have over it.
1. Who we are
"Verisand" refers to the entity operating the Verisand URL and phishing analysis sandbox (the "Service"). The Service is offered to security teams on a premium-only basis.
For privacy questions, email privacy@verisand.ai or use /contact.
2. What we collect
From visitors to this site
- Contact form submissions. When you fill out the /contact form, we store the name, email, company, team size, use-case description, and an optional source field you provide. We also record the time of submission and a one-way salted hash of your IP address; we do not store the raw IP.
- Technical logs. Our server records request paths, user-agent strings, response codes, and timing for operational debugging.
- Functional cookies. See /legal/cookies. This site does not set analytics, advertising, or cross-site tracking cookies.
From customers
The categories below apply to customers using the Service under a Master Service Agreement. They are listed here for transparency.
- Account identifiers. Email address, password hash, single sign-on provider tokens, and multi-factor-authentication secrets stored encrypted at rest.
- Submissions you make. URLs you submit, the rendered page content Verisand captures (document object model, screenshots, network traffic, response headers), the analysis output, and detection rules generated from the analysis.
- Audit events. Successful and failed authentication events, IP, user-agent, device fingerprint used for new-device detection, and the request paths you accessed. Retained at least 90 days for security investigation.
- Billing data. When you subscribe, payment-method metadata returned by our payment processor (card brand, last 4, country). Full card numbers never touch Verisand servers.
3. How we use it
- To deliver the Service. Render submitted URLs in an isolated environment; produce verdicts, indicators, and detection rules; return results to you.
- To respond to you. Contact-form details enable our team to reply to your inquiry. We do not add you to a general marketing list without separate consent.
- To secure the Service. Audit events power abuse detection, account takeover prevention, and incident investigation.
- To comply with law. Where we have a legal obligation to retain or disclose information.
We do not sell personal data. We do not share personal data for third-party marketing.
4. Who we share it with
We use a small set of sub-processors to operate the Service. They fall into the following categories:
- Cloud infrastructure and content-delivery providers.
- An AI-analysis provider that processes submitted URL content to produce verdicts and detection rules.
- A transactional-email provider for service-related messages.
- A payment processor for subscription billing.
Each sub-processor is bound by data-processing terms commensurate with this policy. We will give existing customers at least 30 days' notice before adding a new sub-processor that materially changes how their data is handled. The current sub-processor list is provided to enterprise customers as an exhibit to the Master Service Agreement signed during procurement; email legal@verisand.ai or use /contact to request it ahead of contract.
5. International transfers
Verisand's primary hosting region is the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We rely on the European Union Standard Contractual Clauses (and the United Kingdom International Data Transfer Addendum where applicable) for transfers of personal data subject to the GDPR.
6. How long we keep it
- Contact-form inquiries. Retained for the duration of the sales relationship plus a reasonable archive period. You may request deletion at any time via privacy@verisand.ai.
- Submissions and analysis output. Retained per your customer contract. Default is the active term of your subscription plus 30 days; longer retention is available by request for forensic-investigation use cases.
- Audit logs. Minimum 90 days for security investigation.
- Backups. Database backups retained on a rolling 30-day window; deleted data persists in backups until rotated out.
7. Your rights
If you are in the European Union, the United Kingdom, California, or another jurisdiction with a comparable privacy statute, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your data, subject to legal retention obligations such as audit logs.
- Receive a portable copy of your data.
- Object to or restrict certain processing.
- Lodge a complaint with your local data-protection authority.
Two of these rights are self-serve from your account settings: data portability via a "Download my data" button (account metadata, every submission you've created, and the last 90 days of security activity, as a single JSON file), and deletion via a confirmation email with a 24-hour single-use link. Audit-event records are retained beyond the deletion, per the retention periods in section 6 above, for legal and security investigation. For any other right (correction, restriction, objecting to processing, lodging a complaint), email privacy@verisand.ai.
California residents have additional rights under the CCPA and CPRA, including the right to know what categories of personal information we collect, the right to delete, the right to opt out of "sales" (Verisand does not sell personal data), and the right to non-discrimination for exercising these rights. To exercise any right, email privacy@verisand.ai.
8. Children
The Service is offered to security teams in business contexts and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we hold data about a minor, email privacy@verisand.ai and we will delete it.
9. Security
We apply administrative, technical, and physical safeguards reasonable for the sensitivity of the data we hold: encryption in transit and at rest for sensitive fields, password hashing using industry-standard algorithms, role-based access control, audit logging of administrative actions, and an active SOC 2 readiness program. No system is perfectly secure; we will notify affected users without undue delay if a personal-data breach is reasonably likely to result in a risk to their rights and freedoms.
10. Changes to this policy
We will publish material changes here at least 30 days before they take effect and notify active customers via email. The "Effective from" date in the footer reflects the most recent revision.
11. Contact
Privacy questions, data-subject requests, and complaints: privacy@verisand.ai.