Privacy policy
Last Updated: November 13, 2025
Introduction
Verumatic ("Verumatic," "us," "we," or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you interact with us, including when you visit our website, verumatic.com (the "Site"), or use our services (collectively, the "Services").
This policy defines key terms: "you" refers to any individual interacting with our Services. "Personal Data" means any information that identifies or can be used to identify you. "Processing" refers to any operation performed on Personal Data, such as collection, storage, use, and disclosure.
Data Controller
The data controller responsible for your Personal Data is:
Verumatic AB (559555-1911)
For any privacy-related questions, you can contact us at: legal@verumatic.com
1. Scope of This Policy
This Privacy Policy applies to all Personal Data we process, including data from:
Visitors to our website, verumatic.com.
Individuals who contact us for inquiries or support.
Users of our products and Services.
Individuals who subscribe to our newsletters or marketing communications.
This policy does not cover data processing practices of third-party websites or services that may be linked from our Site.
2. Personal Data We Collect
We collect only the Personal Data that is necessary for specific, explicit, and legitimate purposes. The categories of data we collect are broken down by how we receive them.
2.1. Data You Provide Directly
You directly provide us with most of the data we collect. This includes:
Identity & Contact Data: Such as your name, email address, and phone number, which you provide when you complete a contact form, request information, or communicate with our team.
Marketing Data: Such as your preferences for receiving marketing communications from us, which you provide when you subscribe to our newsletter.
2.2. Data We Collect Automatically
When you visit our Site, we automatically collect certain technical information about your interaction. This includes:
Technical & Usage Data: Such as your IP address, browser type, device information, operating system, the pages you viewed on our Site, the time you spent, and referral sources. This data is collected via your browser and through the use of cookies and similar tracking technologies.
2.3. Data We Receive from Third Parties
We generally do not receive Personal Data about you from third parties. If we receive data from sources such as marketing partners or publicly available databases in the future, we will ensure it is processed in accordance with this policy and applicable law.
3. How and Why We Use Your Personal Data (Purposes and Legal Basis)
We only use your Personal Data when the law allows us to. Our processing activities are based on specific purposes and legal bases under the General Data Protection Regulation (GDPR).
To respond to your inquiries and requests: We process your Identity & Contact Data. The legal basis for this is our Legitimate Interest to respond to your communications.
To send you marketing communications (like our newsletter): We process your Identity & Contact Data and Marketing Data. This processing is based on the Consent you provide when you subscribe.
To analyze, improve, and secure our Site: We process Technical & Usage Data. This is based on our Legitimate Interest to ensure our Site functions, improve the user experience, and protect our services.
To comply with legal obligations: To respond to lawful requests from authorities, we may process your Identity, Contact, and Technical Data. The legal basis for this is Legal Obligation.
To process job applications: We process your Identity & Contact Data and Recruitment Data. This is based on our Legitimate Interest to assess your application and suitability for the role.
5. International Data Transfers
Our primary operations are based within the European Union (EU) and European Economic Area (EEA), and your Personal Data is primarily stored and processed in this region.
If we engage Sub-processors or service providers located outside the EU/EEA, we will not transfer your Personal Data without ensuring it is adequately protected. Such transfers will only occur if:
The country is approved by the European Commission as having an adequate level of protection ("Adequacy Decision"); or
We have entered into the EU Commission's Standard Contractual Clauses (SCCs) with the third party.
6. Data Security
We take the security of your Personal Data very seriously. We have implemented appropriate Technical and Organizational Measures (TOMs) designed to protect your data from unauthorized access, disclosure, alteration, loss, or misuse. These measures are regularly reviewed and updated to ensure the ongoing integrity and confidentiality of your information.
7. Data Retention
We will only store your Personal Data for as long as is necessary to fulfill the purposes for which it was collected, or as long as we are required to store it by law (such as for accounting purposes).
The retention period depends on the type of data and the purpose of processing. For example:
If you have given your consent to receive our newsletter, we will store your name and e-mail address on our mailing list until you choose to unsubscribe.
Data from job applications may be kept for a period after the recruitment process is finished, in accordance with our legitimate interests or legal requirements.
Once the purpose is fulfilled and the legal retention period has expired, your Personal Data will be securely deleted or anonymized.
8. Your Data Protection Rights
Under the GDPR, you have specific rights regarding your Personal Data. We are committed to upholding these rights.
The Right to Access: You have the right to request copies of your Personal Data.
The Right to Rectification: You have the right to request that we correct any information you believe is inaccurate, or complete information you believe is incomplete.
The Right to Erasure ("Right to be forgotten"): You have the right to request that we erase your Personal Data, under certain conditions.
The Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Data, under certain conditions.
The Right to Object to Processing: You have the right to object to our processing of your Personal Data, under certain conditions (especially where we rely on Legitimate Interest).
The Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
The Right to Withdraw Consent: If we are processing your data based on your consent, you have the right to withdraw that consent at any time.
The Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your Personal Data infringes data protection laws.
To exercise any of these rights, please contact us at legal@verumatic.com.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date at the top. We encourage you to review this policy periodically.
10. How to Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our data processing practices, or if you wish to exercise any of your rights, please contact us at:
Email: legal@verumatic.com
Appendix 1: Data Processing Agreement (DPA)
(This appendix applies when Verumatic acts as a Data Processor on behalf of the Customer (the Data Controller). It governs the processing of personal data that the Customer uploads to the Services.)
1. Definitions
Unless otherwise specified, terms used in this DPA shall have the same meaning as in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
"Controller" means the Customer, the entity that determines the purposes and means of the processing of Personal Data.
"Processor" means Verumatic, the entity processing Personal Data on behalf of the Controller.
"Applicable Data Protection Laws" means all legislation and regulations applicable to the processing of Personal Data under this DPA, including the GDPR.
"Data Subject", "Personal Data", and "Personal Data Breach" shall have the meanings ascribed to them in Article 4 of the GDPR.
2. Roles and Responsibilities
Roles: The Parties acknowledge and agree that for the purpose of this DPA, the Customer is the Data Controller and Verumatic is the Data Processor.
Controller's Obligations: The Customer, as the Controller, is responsible for ensuring that the processing of Personal Data is lawful and has the sole right and obligation to determine the purposes and means of the processing. The Customer warrants that it has a valid lawful basis for all processing activities conducted by the Processor on its behalf.
Processor's Obligations: Verumatic, as the Processor, shall only process Personal Data on behalf of the Controller and in accordance with the Controller's documented instructions. Verumatic shall promptly inform the Controller if, in its opinion, an instruction infringes on Applicable Data Protection Laws.
3. Details of Processing
Subject-matter of Processing: The subject matter of the processing is the provision of the Verumatic Services to the Customer as defined in the Main Agreement. This encompasses the processing of personal data required to operate the Verumatic platform, manage the Customer’s account, and perform the specific functions requested by the Customer through their use of the Services.
Duration of Processing: Verumatic will process personal data for the duration of the Main Agreement and the Customer's subscription to the Services. Processing will continue until the Agreement is terminated or expires, after which personal data will be deleted or returned in accordance with the terms of this DPA, unless applicable law requires storage for a longer period.
Nature and Purpose of Processing: The nature of the processing includes the collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, and erasure or destruction of data. The purpose of the processing is to enable the Customer to utilize the Verumatic platform features, to facilitate the management of the Customer’s workflows, and to ensure the technical functionality, security, and maintenance of the Services. Verumatic processes this data solely to provide the Services in accordance with the Customer’s documented instructions.
Categories of Personal Data: The personal data processed includes Identity and Contact Data of the Customer’s authorized users, such as names, email addresses, phone numbers, and job titles. Furthermore, it includes any personal data contained within the content, documents, files, or data that the Customer uploads, transmits, or generates while using the Services ("Customer Content"). The extent and specific types of personal data within Customer Content are determined and controlled solely by the Customer.
Categories of Data Subjects: The personal data transferred concerns the Customer’s employees, consultants, and authorized users who access the Verumatic Services. Additionally, the processing may concern other individuals whose personal data is included in the materials or information the Customer processes using the Services, such as the Customer’s own clients, customers, suppliers, business partners, and other third parties relevant to the Customer’s business operations.
4. Processor's Obligations
4.1. Confidentiality: The Processor (Verumatic) shall ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2. Security: The Processor shall, in accordance with Article 32 of the GDPR, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
4.3. Data Subject Requests: Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR.
4.4. Personal Data Breach: The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach. The Processor shall further assist the Controller in ensuring compliance with the Controller's obligations pursuant to Articles 33 and 34 of the GDPR, taking into account the nature of the processing and the information available to the Processor.
5. Sub-processors
5.1. The Controller provides a general authorization for the Processor to engage other processors ("Sub-processors") to support the provision of the Services. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.
5.2. The Processor shall impose on any engaged Sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.
5.3. A current list of Sub-processors engaged by Verumatic is available in Appendix 2 of this document.
6. International Transfers
The Processor shall only process, including by transfer or access, Personal Data in a country outside the EU/EEA if it is in accordance with the Controller's documented instructions and if the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR (such as an Adequacy Decision or Standard Contractual Clauses).
7. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller shall notify the Processor in writing at least thirty (30) days prior to a potential audit and shall bear all costs associated with such an audit.
8. Termination and Data Deletion/Return
Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller. The Processor shall delete existing copies unless applicable law requires storage of the Personal Data.
9. Liability and Governing Law
9.1. The liability of each Party for any breach of this DPA shall be subject to the limitations and exclusions of liability set out in the Main Agreement.
9.2. This DPA, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws specified in the Main Agreement.
Appendix 2: Sub-processor List
This list identifies the third-party sub-processors used by Verumatic to provide the Services. We maintain this list and will notify the Controller of any material changes. Where a sub-processor is located outside the EEA, transfers rely on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).
Google Cloud (Google Ireland Ltd)
Service Provided: Cloud Hosting Infrastructure
Location (Country): Ireland / EU
Transfer Safeguard (if outside EU/EEA): N/A (EU)
Google Firebase (Google Ireland Ltd)
Service Provided: Backend Services, Database & Authentication
Location (Country): Ireland / EU
Transfer Safeguard (if outside EU/EEA): SCCs / Data Privacy Framework
OpenAI (OpenAI Ireland Ltd)
Service Provided: AI Model Inference & Processing
Location (Country): Ireland / EU
Transfer Safeguard (if outside EU/EEA): SCCs / Data Privacy Framework
Anthropic (Anthropic Ireland Ltd)
Service Provided: AI Model Inference & Analysis
Location (Country): Ireland / EU
Transfer Safeguard (if outside EU/EEA): SCCs
HubSpot (HubSpot Ireland Ltd)
Service Provided: CRM, Marketing & Customer Support
Location (Country): Ireland / EU
Transfer Safeguard (if outside EU/EEA): SCCs / Data Privacy Framework
PostHog (PostHog Inc.)
Service Provided: Product Analytics & Session Tracking
Location (Country): Germany / EU
Transfer Safeguard (if outside EU/EEA): N/A (EU)
Fireflies (Fireflies AI Corp)
Service Provided: Meeting Transcription & Summarization
Location (Country): USA
Transfer Safeguard (if outside EU/EEA): Data Privacy Framework / SCCs
Google Gemini (Google Ireland Ltd)
Service Provided: AI Model Inference
Location (Country): Ireland / EU
Transfer Safeguard (if outside EU/EEA): N/A (EU)