1. About This Document
This EU & Swiss Privacy Policy supplements our Global Privacy Policy and provides additional disclosures required under:
- Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR)
- The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
- The Swiss Federal Act on Data Protection (nFADP / revDSG), in force since September 2023
Verifox EU B.V. is our EU representative entity, established in Amsterdam, Netherlands. It acts as a co-controller for data subjects in the EU/EEA and as a local point of contact for EU supervisory authorities. Our DPO is reachable at support@verifox.ai.
2. Who Is the Controller?
For EU/EEA data subjects, the data controllers are:
- Verifox, Inc. , 548 Market St PMB 12345, San Francisco, CA 94104, USA — primary controller
- Verifox EU B.V., Herengracht 282, 1016 BX Amsterdam, Netherlands — EU representative controller for EU/EEA residents
For Swiss data subjects, Verifox, Inc. is the controller, and Verifox EU B.V. serves as the Swiss representative under nFADP Article 14.
For the UK, Verifox, Inc. is the controller and has appointed a UK Representative in accordance with UK GDPR Article 27. Contact support@verifox.ai to reach the UK representative.
3. Legal Bases for Processing
We process personal data only when we have a lawful basis under GDPR Article 6 (and the equivalent provisions of UK GDPR and nFADP). The following table summarises our principal processing activities and their legal bases:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Contractual necessity | Art. 6(1)(b) |
| Email verification processing | Contractual necessity | Art. 6(1)(b) |
| Billing and invoicing | Legal obligation (tax/accounting) | Art. 6(1)(c) |
| Fraud prevention (FoxGuard) | Legitimate interests | Art. 6(1)(f) |
| Security monitoring and logging | Legitimate interests | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Compliance with legal requests | Legal obligation | Art. 6(1)(c) |
Where we rely on legitimate interests (Article 6(1)(f)), we have conducted a Legitimate Interests Assessment (LIA) to ensure that our interests do not override the rights and freedoms of data subjects. You may request a copy of our LIA by contacting support@verifox.ai.
4. Special Categories of Data
We do not intentionally collect or process special categories of personal data as defined in GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation.
The email addresses submitted for verification are professional/commercial email addresses (B2B use case). If a submission inadvertently contains sensitive personal data, you should cease submitting such data and contact support@verifox.ai. We have no mechanism to automatically detect or flag sensitive data categories within email address strings.
5. Your Rights Under GDPR
As a data subject in the EU/EEA, UK, or Switzerland, you have the following rights. To exercise any of these rights, contact support@verifox.ai. We will respond within one calendar month (extendable by two further months for complex requests, with notice).
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about how it is processed.
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay. You can update most account data directly in your account settings.
Right to Erasure / Right to be Forgotten (Article 17)
You have the right to request erasure of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object to processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed. This right is subject to exceptions, including legal retention obligations.
Right to Restriction (Article 18)
You may request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of contested data.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and to have it transmitted to another controller.
Right to Object (Article 21)
You have an absolute right to object to processing for direct marketing purposes. For processing based on legitimate interests, you may object on grounds relating to your particular situation, and we must stop unless we can demonstrate compelling legitimate grounds.
6. International Data Transfers
Our primary infrastructure is located in the United States. Transfers of personal data from the EU/EEA to the US are based on the following mechanisms:
- Standard Contractual Clauses (Module Two — Controller to Processor): Incorporated into all DPAs with US-based sub-processors, pursuant to Commission Implementing Decision (EU) 2021/914.
- EU-U.S. Data Privacy Framework: Where sub-processors are certified under the DPF, we rely on this certification as an additional safeguard.
- Transfer Impact Assessments (TIAs): For transfers to the US, we have conducted TIAs taking into account the technical, contractual, and organisational safeguards in place, consistent with the guidance of the European Data Protection Board (EDPB).
For Switzerland, we apply the updated SCCs as recognised by the FDPIC. For the UK, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs.
7. Data Protection Officer
Verifox has appointed a Data Protection Officer (DPO) who is responsible for overseeing GDPR compliance and serving as the primary contact for data protection matters.
- Contact: support@verifox.ai
- Postal address: DPO, Verifox EU B.V., Herengracht 282, 1016 BX Amsterdam, Netherlands
If you are not satisfied with our response to a privacy request or complaint, you have the right to lodge a complaint with your national supervisory authority:
- Netherlands (lead SA for EU): Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- UK: Information Commissioner's Office — ico.org.uk
- Switzerland: Federal Data Protection and Information Commissioner — edoeb.admin.ch
8. Swiss nFADP Specific Disclosures
The revised Swiss Federal Act on Data Protection (nFADP / revDSG) entered into force on 1 September 2023. Under the nFADP, Verifox provides the following additional disclosures for Swiss residents:
- Swiss Representative: Verifox EU B.V., Herengracht 282, 1016 BX Amsterdam, Netherlands (acting as the Swiss representative under nFADP Art. 14).
- No automated individual decision-making: Verifox does not make decisions based solely on automated processing that produce legal effects or similarly significant impacts on individuals.
- Data security: We implement technical and organisational measures appropriate to the risk, in accordance with nFADP Art. 8.
- Breach notification: In the event of a data security breach likely to result in a high risk to the rights of natural persons, we will notify the FDPIC as soon as possible and, where required, the affected data subjects.
This document was last updated on March 27, 2026. If you have questions about this policy, please contact support@verifox.ai.