Privacy Policy

Information you provide to us

We collect basic information that you voluntarily provide (such as your name, email address, and company) when you contact us or submit a form on this site.

We use this information only to respond to inquiries and share relevant updates about VertRule.

We also collect basic inbound attribution, such as referrer and UTM parameters, when it is present in the page URL. This helps us understand which campaigns or links led to a form submission.

We use Umami, a privacy-focused analytics service, in a cookieless configuration. No cookies or persistent identifiers are stored on your device, no cross-site or cross-device tracking occurs, and IP addresses are not retained. We collect aggregate metrics — pageviews, referring source, browser, operating system, device type, and country-level location. Aggregate data is processed by Umami Software, Inc. in the United States. Our lawful basis under GDPR Article 6(1)(f) is our legitimate interest in understanding aggregate site usage. Because no cookies or persistent identifiers are used, no consent prompt is shown.

We do not sell your personal data. We may use service providers for form handling, scheduling, and inbound enrichment, and those providers process submitted information on our behalf.

The verification and research demo features on this site run entirely in your browser. No receipt data, model weights, or execution results are transmitted to our servers.

Business contacts we reach out to

Separately from this website, we carry out direct business-to-business outreach by telephone to companies about AI governance and EU AI Act readiness. If we contact your organisation, we may process a small amount of business-contact data about you.

We hold your employer’s name and a business phone number for it (taken from the company’s own public website) and, after a call connects, your first name, your work role, and brief notes of our conversation. We do not record calls, we do not collect special-category data, and we do not make automated decisions about you. Company-level details come from public sources — the company’s website, public funding announcements, sector-association membership lists, and business registers; details about you personally come from our conversation.

Our lawful basis is our legitimate interest (GDPR Article 6(1)(f), and the UK GDPR equivalent for UK contacts) in reaching organisations to whom this is relevant. Our assessment of that interest is documented and available on request. We keep this data for up to six months from our last contact — or up to twelve months where there is an active follow-up — after which it is deleted.

Your rights

You may request to access, update, correct, or delete your information, or to restrict how we use it, at any time by emailing [email protected]. You also have an absolute right to object to our outreach: if you tell us to stop, we will cease contact immediately and add you to a suppression list so you are not contacted again — no reason is needed. You may also lodge a complaint with your national data protection authority.

We are based in British Columbia, Canada, and your data is processed there. Because our outreach processing is occasional and low-risk, we are not required to appoint an EU or UK representative (GDPR Article 27(2)).

Last updated: June 2026