Privacy Policy

1. Scope

This Privacy Policy applies to all products and services operated by Verimago, Inc. ("Verimago," "we," "us," or "our"), including the Verimago camera applications for iOS and Android, the websites at www.verimago.com and publisher.verimago.io, the public content registry at registry.verimago.io, and all APIs and SDKs (collectively, the "Services").

This Policy describes what information we collect, why we collect it, how we use and share it, how long we retain it, and the rights and choices available to you. We encourage you to read this Policy in its entirety before using the Services.

2. Information We Collect

Account Information. When you create a Verimago account, we collect your email address, display name, and authentication credentials. If you authenticate through a social identity provider (Apple, Google, or others), we receive your name and email address from that provider. For Publisher and Enterprise accounts, we also collect your organization name and domain for identity verification.

Content Credential Data. When you capture and sign a photo or video using the Verimago camera app, the following data is generated and transmitted to our servers: (a) a SHA-256 cryptographic hash of the media file; (b) a perceptual hash (pHash) — a visual fingerprint used for derivative detection; (c) a content classification (Authentic, AI-Enhanced, or AI-Generated); (d) an RFC 3161 trusted timestamp from an independent timestamp authority; (e) a device attestation token (Apple App Attest or Google Play Integrity); (f) the signing certificate identifier; and (g) optional metadata you choose to attach (headline, location, tags). We do not upload, store, or have access to your photos or videos — only the cryptographic credential is transmitted.

Device Information. We collect device model, operating system version, and a hardware attestation proof to verify that signing occurred on a genuine, unmodified device running the authentic Verimago application. On iOS, attestation is performed via Apple App Attest with Secure Enclave key binding. On Android, via Google Play Integrity with Android Keystore StrongBox (or TEE fallback).

Location Data. If you grant location permission, approximate or precise GPS coordinates may be embedded in the Content Credential at the time of capture. Location data is included only when you explicitly enable it and is stored solely within the Content Credential published to the registry. You may revoke location permission at any time through your device settings; subsequent captures will contain no location data.

Usage and Diagnostic Data. We collect anonymized telemetry including app launch events, feature usage patterns, and crash logs to diagnose issues and improve the Services. This data is not linked to your identity and cannot be used to identify you.

Payment Information. If you subscribe to a paid plan, payment processing is handled by Stripe, the Apple App Store, or the Google Play Store. Verimago does not receive or store your full credit card number, bank account details, or other payment credentials. We receive only a confirmation of payment status and a transaction identifier.

3. How We Use Your Information

To issue, publish, and manage Content Credentials tied to your verified identity.

To publish cryptographic manifests (hashes, timestamps, classifications, and signer identities) to the Verimago public registry, enabling anyone to verify content provenance.

To verify device integrity via hardware attestation services (Apple App Attest, Google Play Integrity) as part of the signing process.

To detect content derivatives via perceptual hash matching across the registry, preserving the provenance chain when content is edited, cropped, or re-encoded.

To process payments and manage your subscription.

To communicate with you about your account, certificate status, product updates, and security notices.

To diagnose technical issues, improve the Services, and develop new features.

To comply with applicable legal obligations and respond to lawful requests from governmental authorities.

4. The Public Registry

The Verimago registry is a public, permanent, and openly accessible record of Content Credentials. When you sign media, the credential (comprising the cryptographic hash, perceptual hash, timestamp, classification, and signer identity) is published to the registry. This publication is the core purpose of the Services — it enables independent verification of content provenance by any person or organization.

Registry entries cannot be modified, redacted, or deleted after publication. This permanence is inherent to the integrity guarantees the registry provides. You should consider this before signing content — once a credential is published, the fact that you signed specific content at a specific time under a specific classification becomes a permanent public record.

The registry does not contain the media file itself. It is not possible to reconstruct or view the original photo or video from the data stored in the registry.

5. Information We Share

Public Registry. Content Credentials are published to the public registry by design. The registry is accessible to anyone without authentication. The signer identity (your name or organization name, depending on your account tier) is visible in each credential you produce.

Service Providers. We use the following third-party service providers who process data on our behalf under contractual data protection obligations: Amazon Web Services (infrastructure, key management, database hosting); Stripe (payment processing); Apple and Google (device attestation verification); Cloudflare (CDN and DNS). These providers receive only the data necessary to perform their specific function.

Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request. We will notify you of such disclosures where legally permitted.

Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy.

We do not sell, rent, or trade your personal information to third parties. We do not serve advertising. We do not provide your data to data brokers.

6. Data Security

All data in transit between your device and our servers is encrypted using TLS 1.2 or higher.

Certificate authority private keys used for server-side signing are stored in FIPS 140-2 Level 3 hardware security modules (AWS CloudHSM) and are never exposed in software or accessible to Verimago personnel.

Ephemeral signing keys generated on your device during mobile capture never leave the device hardware (Secure Enclave on iOS, StrongBox/TEE on Android). Each key is used once and immediately destroyed.

Account credentials are stored using bcrypt with per-account salts. Session tokens are signed with HMAC-SHA256 and expire after a configurable period.

We implement least-privilege access controls, network segmentation, and maintain audit logs for all certificate operations and administrative access.

No system is perfectly secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. If we become aware of a security breach affecting your personal data, we will notify you and applicable regulatory authorities as required by law.

7. Data Retention

Account Data. Your account information (email, display name, authentication credentials) is retained while your account is active and for 30 days after account deletion to support recovery requests. After 30 days, account data is permanently deleted.

Content Credentials. Registry entries (hashes, timestamps, classifications, signer identities) are retained permanently. This is inherent to the purpose of a public provenance registry — permanently recording when and by whom content was signed.

Device Attestation Tokens. Attestation tokens are verified at signing time and are not stored after verification is complete.

Usage and Diagnostic Data. Anonymized telemetry is retained for up to 24 months, after which it is deleted.

Payment Records. Transaction records are retained for 7 years to comply with financial reporting and tax obligations.

8. Your Rights and Choices

Access. You may request a copy of the personal data we hold about you by contacting privacy@verimago.com. We will respond within 30 days.

Correction. You may update your account information at any time through the app or Publisher Portal. If corrections affect your signer identity, note that previously published credentials retain the original identity — only future credentials will reflect the update.

Deletion. You may request deletion of your account and associated personal data by contacting privacy@verimago.com or visiting www.verimago.com/delete-account. We will delete your account data within 30 days. Published Content Credentials in the registry cannot be deleted — they are part of the permanent public provenance record.

Data Portability. You may request an export of your personal data in a structured, machine-readable format.

Withdraw Consent. Where processing is based on consent (e.g., location data), you may withdraw consent at any time through your device settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

Lodge a Complaint. If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

9. International Data Transfers

Verimago is incorporated in the United States and operates infrastructure in the AWS us-east-1 (N. Virginia) and us-west-2 (Oregon) regions. If you access the Services from outside the United States, your information will be transferred to and processed in the United States.

For users in the European Economic Area, United Kingdom, or Switzerland: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our lawful data transfer mechanism. A copy of the applicable SCCs is available upon request.

For users in Japan: Verimago maintains operations in Japan and processes certain data locally. Cross-border transfers are conducted in compliance with the Act on Protection of Personal Information (APPI).

10. Children

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected information from a child under 18, we will take immediate steps to delete that information. If you believe a child has provided us with personal data, please contact privacy@verimago.com.

11. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): the right to know what personal information we collect, the right to delete your personal information (subject to the registry permanence described above), and the right to opt out of the sale of personal information. Verimago does not sell personal information.

To exercise your CCPA rights, contact privacy@verimago.com. We will not discriminate against you for exercising these rights.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, the Services, or applicable law. We will post the updated Policy on this page and update the effective date. For material changes, we will provide at least 30 days' advance notice via email or an in-app notification before the changes take effect. Your continued use of the Services after the updated Policy becomes effective constitutes acceptance.

13. Contact

Privacy inquiries: privacy@verimago.com

Data protection requests: privacy@verimago.com

Verimago, Inc.