Privacy Policy

Last Updated: June 21, 2026

1. Overview

This policy explains how Verdyct (“we,” “us”) handles data when you use the Service. A core feature sends the feedback you upload to OpenAI’s API for AI analysis — this is essential to how Verdyct works and is described in Section 4.

2. Two Roles: Who Controls What

We handle two kinds of data, and our responsibility differs for each:

  • Your account data — we decide how it’s handled (we’re the “controller”). This is the information we collect to run your account, like your email address.
  • Your uploaded feedback — you decide how it’s handled (you’re the “controller,” we’re your “processor”). The feedback you upload often contains personal information about your end users. You’re responsible for having the right and the necessary consents to upload it; we only process it on your instructions to provide the Service. Under India’s data-protection framework, you are the Data Fiduciary for this content and we act as your Data Processor.

3. What We Collect

  • Account data: your email address, login/authentication info, and your messages to us.
  • Uploaded feedback: the files and text you upload (support tickets, NPS responses, survey answers, comments — up to 1,000 rows per upload), which may contain personal information about your end users if it was in your source data.
  • Limited technical data: things needed to run and secure the Service, like IP address, basic device/browser info, and error/security logs.

We do not use analytics, advertising, or third-party tracking, and we don’t sell your data.

4. AI Analysis and OpenAI

Your uploaded feedback text is sent to OpenAI via its API to generate themes and analysis. Based on OpenAI’s published API policies (as of this policy’s “Last Updated” date): data sent through the OpenAI API is not used to train OpenAI’s models by default, and OpenAI may retain it for up to 30 days for abuse monitoring before deleting it, unless legally required to keep it longer.

Because feedback is sent to OpenAI, don’t upload data you’re not authorized to share this way.

5. Providers We Use

  • OpenAI (United States) — AI analysis of uploaded feedback.
  • Supabase (United States) — database and infrastructure storing your account data, uploads, and results.

They process data only to provide these services to us. We may add providers as needed and will update this policy.

6. Cookies

We use only essential cookies to keep you logged in and secure. No advertising, analytics, or tracking cookies — so no cookie banner is needed.

7. Keeping and Deleting Data

We keep data only as long as needed to provide the Service. Your account data stays while your account is active; your uploads and results stay available so you can track themes over time.

  • Delete a project in the app at any time. This permanently deletes that project’s data — including the feedback text you uploaded — from our database immediately; it is not recoverable. We also delete the original uploaded files from storage.
  • Delete your whole account and data by emailing us (see Section 11). We will remove your account and all associated data for you.

We do not keep separate long-term backups of your data, so deleted data is not retained in a backup archive. We may keep limited information only where reasonably needed for legal, security, or dispute-resolution reasons.

8. Where Data Is Processed

Verdyct is operated from India, and our providers (OpenAI, Supabase) process data primarily in the United States. If you’re elsewhere, your data — including any personal data in your uploads — may be processed in other countries. Where the law requires it, we take reasonable steps to support lawful transfers.

9. Your Rights

Depending on where you are, you may have rights to access, correct, delete, or restrict your personal information, to object to processing, to data portability, to withdraw consent, and to complain to a regulator. These can arise under the EU/UK GDPR, California’s CCPA/CPRA, and India’s DPDP Act.

  • For your account data (where we’re the controller), contact us using Section 11.
  • For uploaded feedback (where you’re the controller), requests from the people that data is about should go to you; if one reaches us directly, we’ll refer it to you.

We don’t sell personal information or share it for cross-context behavioral advertising.

10. India (DPDP), Security, and Children

India. We handle digital personal data consistent with India’s DPDP Act, 2023 and the DPDP Rules notified in November 2025 (being implemented in phases). You act as Data Fiduciary for your uploads and are responsible for lawful grounds and notice to your end users (Data Principals).

Security. We use reasonable safeguards, including encryption in transit and at rest, but no system is perfectly secure.

Children. The Service is meant for business use and isn’t directed to children; we don’t knowingly collect their data.

11. Changes and Contact

We may update this policy; we’ll change the “Last Updated” date and, for material changes, may ask you to accept the new version. Questions, requests, or deletion requests: verdyctai@gmail.com.