Privacy Policy
Last updated: December 2024
At Vernac, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
1. Data Controller
Vernac is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, contact us at:
- Email: support@vernac.com
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly, including:
- Account Information: Name, email address, password, profile photo, and phone number
- Profile Information: Bio, location, languages spoken, interests, and expertise areas
- Verification Data: Government-issued ID and selfie photos (for Locals undergoing identity verification)
- Payment Information: Payment method details processed securely through Stripe
- Communications: Messages exchanged with other users and our support team
2.2 Information Collected Automatically
When you use our Service, we automatically collect:
- Device Information: Browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, search queries, interaction patterns
- Location Data: Approximate location based on IP address (precise location only with your consent)
- Cookies and Similar Technologies: As described in our Cookie Policy
3. Lawful Basis for Processing (GDPR)
We process your personal data under the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Account creation and management | Contract performance |
| Payment processing | Contract performance |
| Identity verification (Locals) | Contract performance / Legitimate interest (trust & safety) |
| Customer support | Contract performance |
| Fraud prevention | Legitimate interest |
| Service improvement and analytics | Legitimate interest |
| Marketing communications | Consent |
| Legal compliance | Legal obligation |
4. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our Service
- Process transactions and send related notifications
- Connect travellers with appropriate Locals
- Verify user identities for trust and safety
- Send promotional communications (with your consent)
- Respond to your enquiries and support requests
- Detect and prevent fraud and abuse
- Comply with legal obligations
- Analyse usage patterns to improve user experience
5. Information Sharing
We may share your information with:
5.1 Other Users
Your profile information is visible to other users. Messages are shared between conversation participants. You control what information appears on your public profile.
5.2 Service Providers
We work with trusted third parties who process data on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication & database | Account data, profile data, messages |
| Stripe | Payment processing | Payment details, transaction history |
| Veriff | Identity verification | ID documents, selfie photos, verification results |
| Resend | Email delivery | Email address, name |
All service providers are bound by Data Processing Agreements (DPAs) that require them to protect your data and use it only for the specified purposes.
5.3 Identity Verification (Veriff)
When Locals verify their identity, Veriff processes:
- Government-issued ID images
- Selfie photos for facial matching
- Device and session metadata
Retention: Veriff retains verification session data for up to 90 days after completion. We store only the verification result (approved/rejected) and verification date, not the actual ID documents or photos.
See Veriff's Privacy Notice for more details.
5.4 Legal Requirements
We may disclose information when required by law, subpoena, or government request, or to protect our rights and safety.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Regular security assessments and penetration testing
- Access controls and authentication protocols
- Secure data centres with physical security measures
- Employee security training and access restrictions
However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
7. Data Retention
We retain your personal information according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Messages | Until account deletion + 30 days |
| Transaction records | 7 years (legal requirement) |
| Identity verification results | Until account deletion + 1 year |
| Support tickets | 3 years after resolution |
| Analytics data | 26 months (anonymised thereafter) |
When you delete your account, we will delete or anonymise your personal information within 30 days, except where retention is required by law.
8. Your Rights (GDPR)
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
- Access: Request a copy of your personal data (we will respond within 30 days)
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Request your data in a machine-readable format (JSON or CSV)
- Objection: Object to processing based on legitimate interests
- Restriction: Request restriction of processing while we verify your concerns
- Withdraw Consent: Withdraw previously given consent at any time
To exercise these rights, contact us at support@vernac.com or use the data export/deletion tools in your account settings.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies and Tracking
We use cookies and similar technologies to:
- Keep you logged in (essential)
- Remember your preferences (functional)
- Analyse platform usage (analytics)
- Deliver relevant content (optional)
You can manage your cookie preferences at any time. For detailed information about the cookies we use and how to control them, see our Cookie Policy.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. Our primary data processors are located in:
- Supabase: United States (AWS)
- Stripe: United States
- Veriff: Estonia (EU)
- Resend: United States
For transfers to countries outside the UK/EEA that do not have an adequacy decision, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Data Processing Agreements with all processors
11. Children's Privacy
Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it within 48 hours. If you believe we have collected data from a child, please contact us immediately.
12. Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies before providing any personal information.
13. Automated Decision-Making
We use automated systems for:
- Fraud detection: Flagging suspicious payment patterns
- Content moderation: Detecting prohibited content in messages
- Identity verification: Veriff's automated ID checks
You have the right to request human review of any automated decision that significantly affects you. Contact us if you believe an automated decision was made incorrectly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before they take effect by:
- Email to your registered address
- Prominent notice on the Service
The updated policy will be effective upon posting. Your continued use after the effective date constitutes acceptance.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: support@vernac.com
- General Enquiries: hello@vernac.com
16. Data Protection Officer
For GDPR-related enquiries, you may contact our Data Protection Officer at support@vernac.com.