01 Who We Are
AssurePath Ltd (Company No. 16741039) is the data controller for personal data processed through the Vern platform.
Registered address: Manchester, United Kingdom.
For privacy enquiries, contact us at privacy@assurepath.co.uk.
Our Data Protection Officer can be reached at dpo@assurepath.co.uk.
02 Data We Collect
Account Data
When you create a Vern account, we collect:
- Name and email address
- Company name (if provided)
- Password (stored securely hashed, never in plain text)
- Account preferences and playbook configurations
Contract Documents
When you upload contracts for triage, we process:
- The document content (text extracted from uploaded PDFs or DOCX files)
- Triage results, risk ratings, and AI-generated analysis outputs
- Metadata such as upload date, file name, and triage status
Usage Data
We automatically collect:
- IP address and approximate location (country/region level)
- Browser type and operating system
- Pages visited and features used within the Vern application
- Timestamps of actions (uploads, triages, exports)
Payment Data
Payment processing is handled by Stripe. We do not store your full credit card details. Stripe processes and stores payment information in accordance with PCI DSS standards. We retain only a reference to your Stripe customer ID and subscription status.
03 How We Use Your Data
We use your data to:
- Provide the Vern service — process your contracts, generate triage reports, and deliver results to your dashboard
- Manage your account — authentication, billing, and subscription management
- Improve the platform — analyse usage patterns (not contract content) to improve features and performance
- Communicate with you — service updates, security notifications, and support responses
- Comply with legal obligations — tax records, regulatory requirements, and lawful requests from authorities
We will never use your contract documents or triage results for marketing purposes, sell your data to third parties, or use your data to train AI models.
04 Legal Basis for Processing
Under UK GDPR, we process your personal data on the following legal bases:
- Contract performance — processing necessary to provide the Vern service you have signed up for (Article 6(1)(b))
- Legitimate interests — improving our service, preventing fraud, and ensuring security (Article 6(1)(f))
- Legal obligation — complying with applicable laws, tax requirements, and regulatory obligations (Article 6(1)(c))
- Consent — where you have opted in to receive marketing communications (Article 6(1)(a)). You can withdraw consent at any time.
05 Contract Document Data
Your contracts are some of your most sensitive business documents. Here's exactly how we handle them:
- Contract data is processed solely to fulfil your triage request
- Documents are never used to train AI models — this is contractually prohibited by our AI sub-processor agreements
- All contract data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Contract data is stored in UK and EU data centres only
- You can delete individual contracts and their triage results at any time
- On account closure, all contract data is permanently deleted within 30 days
06 AI Processing
Vern uses a combination of proprietary processing and third-party AI services to analyse your contract documents. Our AI sub-processors (listed in Section 7) operate under Data Processing Addendums that contractually prohibit the use of customer data for model training.
Processing occurs via EU-based endpoints. All sub-processor agreements include appropriate safeguards including Standard Contractual Clauses where applicable.
AI outputs are informational triage indicators to assist human decision-making. They do not constitute automated decisions with legal effects under GDPR Article 22. You can request human review of any triage output at any time.
07 Data Sharing & Sub-Processors
We share your data only with the following categories of recipients, and only to the extent necessary to provide the Vern service:
Sub-Processors
- OpenAI (EU) — Contract analysis (AI processing)
- Anthropic (EU) — Contract analysis (AI processing)
- LlamaIndex (EU) — Document parsing
- Railway (EU) — Application hosting
- Clerk (EU) — Authentication
- Stripe (UK/EU) — Payment processing
- Resend (EU) — Email delivery
We provide 30 days' notice before adding or changing any sub-processor.
We do not sell, rent, or trade your personal data to any third party.
Legal Disclosure
We may disclose your data if required by law, court order, or to protect the rights, property, or safety of AssurePath, our users, or the public.
08 Data Retention
We retain your data for the following periods:
- Account data — retained for the duration of your account, plus 30 days after closure
- Contract documents and triage results — retained until you delete them, or 30 days after account closure
- Usage data — retained for up to 24 months for service improvement purposes
- Payment records — retained for 7 years as required by UK tax law
- Support correspondence — retained for 24 months after resolution
On account closure, you will receive a minimum of 14 days' notice to export your data before permanent deletion.
09 Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption — AES-256 at rest, TLS 1.2+ in transit
- Access control — least-privilege access with multi-factor authentication on all admin accounts
- Infrastructure — SOC 2 Type II audited hosting, UK/EU data centres
- Monitoring — logging and monitoring of all administrative access
- Audits — regular security assessments and penetration testing
- Incident response — defined procedures with customer notification within 2 hours of a confirmed breach
For full details on our security posture, visit our Trust Centre.
10 Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — correct any inaccurate or incomplete data
- Right to erasure — request deletion of your data, subject to legal retention obligations
- Right to data portability — receive your data in a machine-readable format
- Right to restrict processing — limit how we use your data in specific circumstances
- Right to object — oppose processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@assurepath.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
11 Cookies
The Vern website uses the following cookies:
- Essential cookies — required for site functionality (theme preference, cookie consent status). These are stored in your browser's localStorage and do not track you.
- Analytics cookies — Google Analytics 4 (GA4) is used to understand how visitors use our site. These cookies are only set after you give consent via our cookie banner. We use Google Consent Mode v2 with IP anonymisation enabled. You can withdraw consent at any time by clearing your browser's localStorage.
- Authentication cookies — used by Clerk to maintain your login session in the Vern application.
We do not use advertising cookies or tracking pixels. For full details, see our Cookie Policy.
12 Children's Privacy
Vern is a B2B service designed for business professionals. We do not knowingly collect or process personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately and we will delete it.
13 Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before they take effect.
The "last updated" date at the top of this page indicates when this policy was most recently revised.
14 Contact Us
If you have any questions about this Privacy Policy or how we handle your data:
- Privacy enquiries: privacy@assurepath.co.uk
- Data Protection Officer: dpo@assurepath.co.uk
- General enquiries: hello@askvern.ai
AssurePath Ltd · Company No. 16741039 · Manchester, United Kingdom