GDPR at Veriprint
Last updated: July 16, 2026
The honest part first
A visitorId derived from device signals is personal data under GDPR. We will not tell you otherwise. Using Veriprint means you need a lawful basis and a mention in your privacy policy. For fraud prevention that lawful basis is usually legitimate interest, which Recital 47 names explicitly.
How the design helps
Veriprint stores no PII: no names, emails, or page content. A visitorId maps to a signal vector, nothing more. It runs first-party under your domain and your keys, not as a third-party tracker, and signals are never shared or cross-referenced across customers. Retention is bounded by your plan (7 to 90 days, custom on Scale), and a deletion API supports erasure requests. On the Scale tier you can self-host the full stack in your own VPC, so raw signals never leave your infrastructure.
Controller and processor
You are the controller: you decide why and how end-user data is processed. Veriprint is the processor, acting only on your API calls under our Data Processing Agreement, which includes Standard Contractual Clauses for transfers outside the EEA.
Questions
Our DPO answers at [email protected], including "can we use this for X" questions, where the honest answer is sometimes no.