Privacy Policy

Scope & Applicability

This Privacy Policy describes how Verana Foundation (“Verana”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you interact with our websites, documentation, developer playgrounds, trust network services, or community programs. It applies to individuals acting on their own behalf or on behalf of an organization. Additional notices may apply to specific products or jurisdictions; those notices prevail in the event of a conflict.

Information We Collect

• Account & contact information – Names, professional titles, organization affiliation, country, preferred language, and contact details submitted when requesting access to the developer playground, newsletters, or ecosystem programs.
• Service usage data – Log files, event metadata, IP addresses, device identifiers, browser details, session timestamps, and clickstream analytics that help us secure and improve our services. Wherever possible we aggregate or anonymize this information.
• Trust network records – When you publish verifiable services, register identifiers, or issue credentials, certain data may be written to decentralized infrastructure or trust registries. These records are designed to minimize personal data, but may still reference identifiers you choose to disclose.
• Support communications – Messages, attachments, or recordings you share with our support or community teams so we can investigate requests and provide assistance.
• Marketing preferences – Opt-in status, areas of interest, and engagement metrics that help us deliver relevant updates. You may opt out at any time.

How We Use Information

We process information to:

1. Provide, operate, and improve Verana services, documentation, and developer experiences.
2. Enable trust network functionality, including credential issuance, verification, discovery, and reputation scoring.
3. Safeguard the platform by monitoring for abuse, fraud, or violations of our Terms of Service.
4. Communicate updates, release notes, security notifications, and ecosystem news where you have subscribed or where communications are operationally required.
5. Analyze usage trends to understand adoption, plan capacity, and prioritize roadmap investments.
6. Comply with legal obligations, enforce agreements, and defend against legal claims.

Legal Bases for Processing

Where required by law (e.g., GDPR or UK GDPR), we rely on the following legal bases:

• Performance of a contract when providing requested services, sandbox access, or ecosystem participation.
• Legitimate interests such as securing infrastructure, preventing abuse, understanding adoption, and developing new capabilities.
• Consent for optional communications, beta programs, or when you publish data about yourself or your organization.
• Compliance with legal obligations including responding to lawful requests or maintaining necessary business records.

Data Sharing & Disclosure

We do not sell personal data. We may disclose information to:

• Trusted service providers that deliver hosting, email delivery, analytics, or security tooling under documented data protection agreements.
• Ecosystem partners when you explicitly connect your Verana identity, verifiable services, or credentials to their trust networks.
• Public authorities or regulators when legally required, to protect the rights, property, or safety of Verana, our users, or the public.
• Successors in the event of a merger, reorganization, or transfer of assets, subject to continued compliance with this policy.

Decentralized Data & On-Chain Records

Verana encourages privacy-preserving credential design, yet decentralized infrastructure may create immutable records. Before publishing identifiers, credentials, or metadata to public networks:

• Avoid embedding unnecessary personal data in decentralized identifiers (DIDs), schemas, or attestations.
• Use selective disclosure and zero-knowledge techniques whenever possible.
• Understand that third parties may independently replicate or index public blockchain data outside Verana’s control. We provide guidance and tooling to minimize exposure, but you remain responsible for the data you choose to record on-chain.

International Data Transfers

Verana operates globally using infrastructure located in the European Union, the United States, and other jurisdictions. When personal information is transferred across borders, we implement appropriate safeguards such as standard contractual clauses or rely on adequacy decisions where available. By using our services, you acknowledge that data may be processed in countries that may have different data protection rules than your jurisdiction.

Data Retention

We keep personal information only for as long as necessary to fulfill the purposes outlined in this policy, meet regulatory or contractual requirements, resolve disputes, and enforce agreements. Criteria used to determine retention periods include the nature of the information, legal obligations, and potential risk of harm from unauthorized use.

Security Measures

We employ administrative, technical, and organizational safeguards such as access controls, encryption in transit, continuous monitoring, and secure development practices. Despite these measures, no method of transmission or storage is completely secure. You are responsible for protecting credentials, keys, and secrets associated with your Verana accounts or verifiable services.

Your Rights & Choices

Depending on your location, you may have rights to:

1. Request access to the personal data we hold about you.
2. Request correction, update, or deletion of inaccurate or outdated information.
3. Object to or restrict certain processing activities, including profiling for security purposes.
4. Port your data to another provider where technically feasible.
5. Withdraw consent for communications or optional programs at any time.

Submit requests to privacy@verana.io. We will respond in accordance with applicable data protection laws. For unresolved concerns, you may lodge a complaint with your local supervisory authority.

Cookies & Similar Technologies

We use cookies, pixels, and local storage to operate our sites, remember preferences, and analyze aggregated traffic patterns. For detailed information about the types of cookies we use and how to manage them, please review our Cookie Policy.

Children’s Privacy

Verana services are not directed to children under 16. We do not knowingly collect personal information from children. If we become aware that a child has provided personal data, we will delete it promptly and terminate the associated access unless parental consent is obtained.

Updates to This Policy

We may revise this Privacy Policy to reflect changes in technology, legal requirements, or our services. When we make material changes we will update the “Last updated” date above and provide additional notice when required. Continued use of the services after changes become effective constitutes acceptance of the updated policy.

Contact Us

Questions or privacy requests may be directed to:

Verana Foundation
privacy@verana.io
https://verana.io

If you are located in the European Economic Area or United Kingdom, you may also contact your local data protection authority regarding unresolved concerns.