Privacy Policy
Last updated: 4 July 2026 · Contact: hello@verdaic.com
Who we are
Verdaic ("we", "us") provides a sustainability platform for IT estates. We are the data controller for the personal data described here, operating from Portugal and subject to the GDPR. Questions or requests: hello@verdaic.com.
What we collect, and why
Website visitors & waitlist
If you join the waitlist: name, email, company, and your consent record (timestamp + IP address, kept as proof of consent). We use double opt-in. Legal basis: consent — withdraw any time via the unsubscribe link.
Customer accounts (the portal)
Name, email, hashed password, TOTP secret (encrypted), sign-in records (IP, device). Legal basis: performance of contract.
Billing
Billing contact details you provide (name, company, address, phone, email, VAT number) appear on invoices and are shared with Stripe, our payment processor. We never see or store card numbers — card data goes directly from your browser to Stripe. EU VAT numbers are validated against the European Commission's VIES service. Legal bases: contract and legal obligation (tax/accounting records).
Device telemetry (the Verdaic agent)
On devices your organisation enrols, the agent collects hardware inventory, energy/utilisation metrics, and — only when your administrator enables the categories — per-app CPU time, installed-software names, and health/patch status. The complete field-by-field list is public at verdaic.com/schema.php. The agent never collects files, messages, browsing history, keystrokes or screen content, and anonymous mode (default on) removes hostnames and per-user linkage. For employee data processed on behalf of a customer organisation, that organisation is the controller and we are the processor — a Data Processing Agreement is available on request.
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Stripe Payments Europe | Payment processing, invoicing | EU/US (SCCs) |
| SMTP2GO | Transactional & account email | EU routing available |
| Our hosting provider | Application & database hosting | EU |
We do not sell personal data, run third-party advertising trackers, or use your data to train AI models.
Retention
Waitlist entries: until you unsubscribe or 24 months of inactivity. Account data: for the life of the account plus 30 days. Device telemetry: fine-grained metrics are pruned per your plan's retention window (30 days to 3 years); daily aggregates persist for reporting. Invoices and tax records: as required by Portuguese law (currently 10 years). Audit logs: 24 months.
Your rights
Under the GDPR you can request access, rectification, erasure, restriction, portability, or object to processing — email hello@verdaic.com and we action requests within 30 days. Organisations can export or delete their full dataset at any time. You may also complain to your supervisory authority (in Portugal, the CNPD).
Security
TLS everywhere; passwords hashed (bcrypt); TOTP secrets and payment configuration encrypted at rest (AES-256-GCM); device tokens hashed; mandatory two-factor authentication for staff; separate authentication realms for staff and customers; every administrative action audit-logged. If a breach affects your data we will notify you and the regulator as the GDPR requires.
