Privacy Policy

Last updated: March 25, 2026

BLIND Processing: Vertifile never reads, accesses, or stores the content of your documents. We only process cryptographic hashes (fingerprints) of your files. Your document content never leaves your device.

Introduction

Vertifile ("we," "our," or "us") operates the vertifile.com website and document verification service. This Privacy Policy explains how we collect, use, and protect information when you use our services.

We are committed to protecting your privacy. Our core architecture is built on the principle of BLIND processing, meaning we are technically unable to read or access the content of documents you protect with Vertifile.

What We Collect

Document Hashes (Fingerprints)

When you protect a document, our system computes a SHA-256 cryptographic hash of your file. This hash is a one-way mathematical fingerprint that cannot be reversed to reconstruct your document. We store this hash for verification purposes.

Account and Organization Data

If you create an API account, we collect:

Organization name and contact information
Email address
API keys (stored securely, hashed)
Usage statistics (number of documents protected, API call counts)

Technical Data

We automatically collect standard technical information:

IP address (for rate limiting and security)
Browser type and version
Device type and operating system
Pages visited and timestamps

What We Do NOT Collect

We do not collect, read, store, transmit, or access the content of your documents at any point. Our BLIND processing architecture means that document content is hashed entirely on the client side. Only the resulting cryptographic fingerprint is sent to our servers. It is mathematically impossible to reconstruct document content from a hash.

We also do not collect:

Personal documents or their contents
Biometric data
Financial information (payments are handled by third-party processors)
Social media profiles or data

How We Use Your Data

We use the information we collect for the following purposes:

Document verification: Comparing submitted hashes against stored records to verify document authenticity
Blockchain registration: Recording document hashes on the Polygon blockchain for immutable proof of authenticity
Audit logging: Maintaining records of verification attempts for security and compliance
Service improvement: Analyzing usage patterns to improve our platform
Security: Detecting and preventing fraud, abuse, and unauthorized access
Communication: Sending service-related notifications and updates

Data Storage Location

Your data is processed and stored on cloud infrastructure located in the United States and Europe. Cryptographic hashes of your documents may be anchored on the Polygon blockchain, a public, decentralized network. No document content is ever transmitted to or stored on any server or blockchain.

Legal Basis for Processing (GDPR Article 6)

We process personal data under the following legal bases as defined in GDPR Article 6:

Contract performance: Processing necessary to provide you with the Vertifile service, including document verification, hash generation, and blockchain registration.
Legitimate interest: Processing necessary for security monitoring, fraud prevention, abuse detection, and service improvement.
Consent: Where applicable, we obtain your consent for optional analytics and marketing communications. You may withdraw consent at any time.

Blockchain Records

When a document is protected, its SHA-256 hash and HMAC signature are registered on the Polygon blockchain. These records are:

Immutable: Once recorded, they cannot be modified or deleted
Public: Transaction hashes are publicly visible on the blockchain
Non-reversible: The hash cannot be used to reconstruct the original document
Permanent: Records exist on the blockchain indefinitely

Blockchain records contain only cryptographic hashes, timestamps, and transaction metadata. No personal information or document content is stored on the blockchain.

Cookies and Analytics

We use minimal cookies for essential functionality:

Session cookie: A secure, HTTP-only cookie used to maintain your authenticated session. This cookie is essential for the service to function and expires when you log out or after a period of inactivity.
Language preference: Stores your selected language so the site displays in your preferred language on subsequent visits.

We may use privacy-respecting analytics to understand how our service is used. We do not use third-party advertising trackers or sell data to advertisers. No tracking cookies or marketing cookies are used.

Data Retention

We retain data according to the following schedule:

Document hashes: Retained indefinitely (required for verification)
Account data: Deleted within 30 days of account closure
Audit logs: Retained for 12 months
Technical logs: Retained for 90 days
Blockchain records: Permanent (immutable by design)
Password reset tokens: Deleted after use or 30-minute expiry

Data Sharing

We do not sell your data. We may share limited information with:

Blockchain networks: Document hashes are published to the Polygon blockchain
Infrastructure providers: Cloud hosting and CDN providers who process data on our behalf under strict data processing agreements
Legal requirements: When required by law, court order, or governmental authority

Sub-processors

Vertifile uses the following sub-processors:

Render.com — application hosting (US)
Neon.tech — PostgreSQL database (US/EU)
Polygon Network — blockchain anchoring (decentralized)
Google — OAuth authentication (US)

We will notify Enterprise customers 30 days before adding new sub-processors.

Security

We implement industry-standard security measures including:

Encryption in transit (TLS 1.3) and at rest
API key hashing and secure storage
Rate limiting and DDoS protection
Regular security audits
Principle of least privilege access controls

GDPR Compliance

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate personal data
Right to erasure: Request deletion of your personal data (note: blockchain records are immutable and cannot be deleted)
Right to restriction: Request restriction of processing of your personal data
Right to data portability: Request transfer of your data in a machine-readable format
Right to object: Object to processing of your personal data

To exercise any of these rights, contact us at privacy@vertifile.com.

Data Controller vs. Data Processor

Vertifile acts as a Data Processor when processing documents on behalf of organizations using our API. For individual users, Vertifile acts as the Data Controller. Organizations using our Enterprise plan can request a Data Processing Agreement (DPA).

Blockchain & Right to Erasure

Document hashes anchored on the Polygon blockchain are cryptographic fingerprints that cannot be reversed to reconstruct document content. While blockchain records are immutable, the hash alone does not constitute personal data as it cannot be linked to an individual without additional information held separately by Vertifile. Upon account deletion, all linking information is permanently removed, rendering blockchain hashes anonymous.

International Data Transfers

When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place. International transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable. We evaluate the data protection laws of recipient countries and implement supplementary measures when necessary to ensure your data remains protected.

Breach Notification

In the event of a data breach affecting personal data, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notifications will include the nature of the breach, the likely consequences, and the measures taken to address and mitigate the breach.

Privacy Inquiries

For privacy-related questions, concerns, or to exercise your data protection rights, please contact our dedicated privacy team at privacy@vertifile.com. We will respond to all privacy inquiries within 30 days.

Automated Decision-Making

Vertifile does not use automated decision-making or profiling that produces legal effects on users. Document verification is based solely on cryptographic hash comparison, not on document content analysis.

Children's Privacy

Vertifile does not knowingly collect personal information from children under the age of 16. If we learn that we have collected personal data from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal data, please contact privacy@vertifile.com.

Third-Party Links

Our service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage users to review the privacy policies of any third-party service they interact with.

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to registered users at least 30 days before taking effect. Continued use of the service after changes take effect constitutes acceptance. Previous versions of this policy are available upon request.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Vertifile
Rishon LeZion, Israel
Email: info@vertifile.com
Website: vertifile.com