Effective 3 May 2026, v1.0

Privacy Policy

This Privacy Policy explains how Ashlin Perumall, operating under the trading name VerifyLegal ("we", "us", "our"), collects, uses, shares, and safeguards Personal Information when you use the Service. We act as the Responsible Party for the processing described below, except where indicated otherwise.

1. Scope

This Policy applies to anyone who interacts with the Service, including registered Users, Lawyers issuing attestations, and visitors to the marketing site. It is governed by the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, by equivalent regimes such as the EU and UK General Data Protection Regulations.

2. Personal Information we collect

2.1. Information you give us

  • Account information — full name, email address, professional role, and (optionally) practising certificate number such as an LPC or SRA number, plus the jurisdictions you practise in.
  • Organisation information — the name and type of the law firm, in-house team, or sole practice you are associated with.
  • Content you submit for verification — AI-generated outputs, supporting source material, comments, evidence uploads, and other documents you upload through the Service.
  • Communications — the contents of any support, sales, or legal enquiries you send us.

2.2. Information we collect automatically

  • Authentication data — session tokens, IP address, user agent, and (where you sign in with Google) the OAuth identity payload returned by Google.
  • Usage telemetry — pages visited, actions performed, API calls made, and timestamps, used to operate the Service and diagnose problems.
  • Audit log — an immutable record of actions taken on each verification job, including who did what and when. This record is essential to the integrity of an Attestation Certificate.

3. Why we process your information

We process Personal Information for the following purposes, and on the corresponding lawful bases:

  • To provide the Service (performance of a contract with you under POPIA s 11(1)(b)) — including account creation, decomposition of AI Output into claims, AI-assisted triage, reviewer workflow, and issuance of Attestation Certificates.
  • To process payments (performance of a contract) — through our payment provider.
  • To maintain the integrity of attestations (legitimate interest under POPIA s 11(1)(f), and compliance with legal obligation under s 11(1)(c)) — including cryptographic hashing of certified outputs and retention of an immutable audit log.
  • To improve the Service (legitimate interest) — through aggregate or anonymised analytics on AI tool performance, reviewer workload, and matrix calibration.
  • To communicate with you about service updates, security notices, and (with your consent) product news.
  • To comply with law, respond to legal process, and protect our rights and the rights of others.

4. Who we share it with

We do not sell your Personal Information. We share information only with the following categories of recipient:

  • Within your Organisation — other Users associated with your Organisation may see jobs, claims, and attestations associated with that Organisation, in accordance with row-level security and the role assigned to each User.
  • Sub-processors and infrastructure providers — described in section 5 below.
  • Professional advisers — lawyers, auditors, and insurers, where reasonably necessary.
  • Authorities — courts, regulators, and law-enforcement bodies where required by law or where necessary to protect our rights or the rights of others.
  • Successors in a corporate transaction — in the event of a sale, merger, restructuring, or transfer of substantially all of our assets, subject to confidentiality obligations and continued application of this Policy.

5. Sub-processors

We rely on the following sub-processors to operate the Service. Each is bound by appropriate confidentiality and data-protection terms.

Provider | Purpose | Region
Supabase | Database, authentication, and encrypted file storage. | European Union
Vercel | Web application hosting and edge delivery. | United States / European Union
Anthropic | AI processing of submitted content for decomposition and triage. Anthropic does not train its production models on API content. | United States
Paystack | Payment processing and invoicing. | South Africa
Google | Federated sign-in (only when you sign in with Google). | United States

6. Cross-border transfer

Because some of our sub-processors are located outside South Africa, your Personal Information may be transferred to and processed in the European Union or the United States. Such transfers are made in compliance with section 72 of POPIA, in reliance on the recipient's adherence to laws or binding corporate rules that uphold a level of protection substantially similar to POPIA, on Standard Contractual Clauses, or on your consent where applicable.

7. Retention

We keep Personal Information only for as long as is necessary for the purposes for which it was collected, or as required by law. In particular:

  • Account information is retained for the life of your account and for a reasonable period after closure to handle wind-down issues.
  • Verified outputs, attestation certificates, and the corresponding audit log are retained indefinitely so that historic attestations remain verifiable. This is essential to the trust model of the Service.
  • Logs and telemetry are retained for up to twelve months unless a longer period is required to investigate a security or integrity incident.

8. Your rights

As a data subject under POPIA you have the right, subject to the conditions and exceptions set out in the Act, to:

  • Confirm whether we hold Personal Information about you and request access to it (POPIA s 23);
  • Request correction or deletion of Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (POPIA s 24);
  • Object to the processing of your Personal Information on reasonable grounds (POPIA s 11(3));
  • Withdraw any consent you have given (POPIA s 11(2)(b)); and
  • Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, contact us at privacy@verifylegal.app. We may need to verify your identity before responding. Note that we cannot delete information that is part of the immutable audit record supporting an issued Attestation Certificate without compromising the integrity of that certificate.

9. Security

We take appropriate technical and organisational measures to safeguard Personal Information, including transport-layer encryption (TLS) for data in transit, encryption at rest for stored files, row-level security policies on every database table, scoped access tokens for API integrations, and an immutable audit log. No system is perfectly secure, and we cannot guarantee absolute security; you are responsible for keeping your account credentials confidential.

10. Cookies

We use a small number of strictly necessary cookies to keep you signed in and to remember your theme preference. We do not use marketing or advertising cookies. If we add analytics or marketing cookies in future, we will update this Policy and, to the extent required, request your consent.

11. Children

The Service is intended for use by qualified legal practitioners and their support teams. It is not directed to children under 18, and we do not knowingly collect Personal Information from children. If you believe a child has provided us with Personal Information, please contact us so that we can delete it.

12. Changes to this Policy

We may update this Policy from time to time. The current version is always available at https://verifylegal.app/privacy. Material changes will be notified by email or by a prominent notice on the Service before they take effect.

13. Contact

For privacy enquiries or to exercise any data-subject right, contact us at privacy@verifylegal.app. For all other matters, write to hello@verifylegal.app.