Privacy Policy
Last updated: May 2026
Overview
Veroliq (“we”, “us”, “our”) operates an AI-powered chat widget that businesses embed on their websites. This policy explains what data we collect, why we collect it, how long we keep it, and your rights over it. It applies to:
- Dashboard users — founders and teams who sign up at app.veroliq.com to manage their sites.
- Website visitors — people who interact with a Veroliq-powered chat widget embedded on a customer’s website.
Data we collect
Dashboard users (account data)
- Email address and name (provided at signup)
- Hashed password (never stored in plain text)
- Account settings and plan information
- Usage statistics (number of chat sessions, leads captured)
Website visitors (widget data)
- Chat messages exchanged with the AI assistant
- Page URL and referrer URL at the time of the chat
- IP address (see “IP addresses” section below)
- Browser user agent string
- Browser locale and timezone
- Pages visited during the session (for page-aware responses)
- Lead contact information, if voluntarily submitted via the widget (name, email, phone)
We do not collect payment card details (handled by our payment processor), passwords from website visitors, or any data through cookies placed on visitor browsers.
IP addresses
We store the raw IP address of website visitors on each chat session record. We also maintain rate-limiting and block records keyed by IP address.
Why we store raw IPs (not hashed): Veroliq uses IP addresses for security and abuse prevention. This includes correlating sessions from the same source, detecting unusual traffic patterns, applying rate limits, and investigating abuse reports. Hashed IPs cannot be looked up across tables, so hashing them would make these security functions impossible.
Legal basis: Legitimate interest in security, fraud prevention, and service integrity under GDPR Article 6(1)(f).
Automated blocking: If a single IP address creates more than 20 chat sessions per hour, or exceeds other usage thresholds, it may be automatically and temporarily blocked for up to 7 days without manual review. This is a proportionate measure to prevent abuse and protect service availability for other users.
Manual blocking: Administrators may permanently block IP addresses that repeatedly violate our Terms of Service.
AI processing
Chat messages are processed by third-party AI providers (including OpenAI and/or Anthropic) to generate responses. Messages are transmitted to these providers’ APIs over encrypted connections. We configure these integrations to minimise data retention by the AI provider where possible. Please review OpenAI’s and Anthropic’s privacy policies for their data handling practices.
Customers may optionally provide their own AI API keys (BYOK — Bring Your Own Key), in which case their chat data is sent directly to their own API account and subject to their own agreement with the AI provider.
How we use data
- To operate and deliver the chat widget service
- To capture and display leads to the website owner’s dashboard
- To detect and prevent abuse and fraudulent activity
- To improve the quality of AI responses (aggregated, not linked to identifiable individuals)
- To send transactional emails (e.g. password reset, lead notifications) to dashboard users
- To calculate usage statistics for plan enforcement
We do not sell personal data. We do not use visitor chat data for advertising.
Data retention
- Chat session records and messages: retained for the duration of the customer’s active subscription, then deleted within 90 days of account closure.
- Session IP addresses: retained for up to 1 year from the session date.
- Rate-limit counters: retained for 90 days.
- Active IP blocks: retained for the duration of the block (7-day auto-blocks expire automatically; permanent blocks remain until lifted by an administrator).
- Lead contact information: retained until the customer deletes it from their dashboard, or their account is closed.
- Dashboard account data: retained for the duration of the account, then deleted within 90 days of account closure.
Data sharing
We share data only with the following categories of third parties:
- AI providers (OpenAI, Anthropic) — to process chat messages and generate responses.
- Cloud infrastructure providers — to host the application and database.
- Email service provider — to send transactional emails to dashboard users.
- Payment processor — to handle subscription billing (they collect card data directly; we do not receive it).
We do not share data with advertisers, data brokers, or analytics platforms.
Your rights
If you are located in the European Economic Area, United Kingdom, or another jurisdiction with applicable data protection law, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data, subject to our legitimate interest in security (we may retain IP block records where necessary)
- Object to processing based on legitimate interest
- Request a copy of your data in a portable format
To exercise any of these rights, email us at hello@veroliq.com. We will respond within 30 days.
Website visitors who interacted with a Veroliq widget should contact the website owner in the first instance, as the website owner is the data controller for visitor data collected on their site. Veroliq acts as a data processor on their behalf.
Cookies
The Veroliq dashboard (app.veroliq.com) uses an httpOnly session cookie for authentication. No third-party tracking or advertising cookies are set.
The Veroliq chat widget uses sessionStorage (not cookies) to persist the active chat session within a single browser tab. This data is not sent to any third party and is cleared when the tab is closed.
Security
We use industry-standard measures to protect data in transit (TLS) and at rest (encrypted database volumes). Access to production data is restricted to authorised personnel. We conduct periodic security reviews.
Veroliq is currently in public beta. While we take security seriously, we recommend that you do not submit sensitive personal information (such as financial details or passwords) through the chat widget.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy.
Contact
For privacy-related questions or requests, contact us at hello@veroliq.com.