Last updated: 13 June 2026
This Privacy Policy explains how Verdikt (“we”, “us”) processes personal data. Because fraud prevention is our core purpose, we act as a data controller for fraud-detection processing and as a data processor when handling data on behalf of our merchant customers. This policy covers both roles.
1. Data we process
To assess the risk of a transaction, we process signals submitted by our customers and collected at checkout, including:
- Transaction data: order amount, currency, product type, timestamps;
- Identity data: name, email address, phone number, billing details;
- Device & network data: IP address, device identifiers, browser and OS attributes;
- Behavioural signals: interaction patterns gathered via our browser SDK;
- Payment metadata: tokenised card BIN, last four digits and method (we do not store full card numbers).
2. How and why we use data
We process personal data to:
- Detect, investigate and prevent fraud, chargebacks and other unlawful activity;
- Return real-time risk decisions to our customers;
- Train, evaluate and improve our fraud-detection models;
- Provide, secure, maintain and support the Services;
- Comply with legal obligations and enforce our agreements.
3. Legal bases
Where the GDPR or similar laws apply, we rely on our legitimate interests (and those of our customers) in preventing fraud and securing payment ecosystems, on compliance with legal obligations, and, where required, on the consent obtained by our customers at the point of collection. Fraud prevention is expressly recognised as a legitimate interest under GDPR Recital 47.
4. How we share data
We share personal data only as needed to operate the Services:
- With customers: the merchant that submitted the transaction receives the resulting decision;
- With sub-processors: vetted cloud-hosting and infrastructure providers under written contracts;
- For legal reasons: where required by law, regulation, or valid legal process;
- In a business transfer: in connection with a merger, acquisition, or sale of assets, subject to this policy.
We do not sell personal data, and we do not share it for cross-context behavioural advertising.
5. Data retention
We retain personal data for as long as necessary to provide the Services and to maintain the integrity of our fraud models, typically up to 24 months for detailed transaction signals, after which data is aggregated or anonymised. Some records are retained longer where required to comply with legal or regulatory obligations.
6. Security
We maintain a security program aligned to SOC 2 Type II and PCI DSS Level 1. Measures include encryption in transit and at rest, least-privilege access controls, network segmentation, continuous monitoring, and regular third-party penetration testing. No method of transmission or storage is completely secure, but we work to protect data using industry-standard safeguards.
7. International transfers
We may process data in the United States and other countries. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms. Enterprise customers may elect EU, US or APAC data residency.
8. Your rights
Depending on your location, you may have rights to access, correct, delete, or restrict the processing of your personal data, and to object to processing or request portability. Because we usually process data on behalf of a merchant, please direct requests to the merchant you transacted with; we will support them in responding. You may also contact us directly using the details below, and you have the right to lodge a complaint with your local supervisory authority.
9. Cookies & the browser SDK
Our browser SDK uses device and session identifiers strictly to assess fraud risk, for example, to recognise a returning device or detect automated behaviour. These are used for security and fraud prevention, not advertising. Our own website uses only essential cookies needed to operate the site.
10. Children
The Services are intended for businesses and are not directed to children. We do not knowingly collect personal data from anyone under 16.
11. Changes to this policy
We may update this policy to reflect changes in our practices or the law. We will post the updated version with a new effective date and, for material changes, provide additional notice.
12. Contact us
For privacy questions or to reach our Data Protection Officer, email [email protected].