1. what we collect
when you connect your gmail account, we access only messages from issuer domains (e.g. @hdfcbank.com, @axisbank.com, @americanexpress.com). we never read personal mail.
from those statement emails, we extract:
- transaction date, amount, merchant, and merchant category
- card number (last 4 digits only — full numbers are never stored)
- account-level metadata (statement period, payment due, credit limit if disclosed)
we do not collect: full card numbers, CVVs, OTPs, login credentials, account passwords.
2. how we use it
we score every transaction against the issuer reward rules in force on that transaction's date. the score, plus a confidence number and the source rule, is stored alongside the transaction. that's your audit.
we do not use your data for advertising. we do not sell it. we do not share it with marketing partners.
3. where it lives
servers in the AWS Mumbai region (ap-south-1). data is encrypted at rest with AES-256 and in transit with TLS 1.3.
4. how long we keep it
while your account is active, we retain transactions and audits indefinitely so your audit gets richer over time. when you cancel, all data is hard-deleted within 30 days. no soft-delete, no archive.
5. your rights under DPDP
under india's digital personal data protection act, you have the right to:
- access the data we have about you (request via support@verosum.com)
- request correction of inaccurate data
- request deletion at any time
- withdraw consent for processing
- file a grievance with our DPO (currently privacy@verosum.com)
6. third parties
we use the following third-party services:
- google (gmail oauth) — read-only access to your statement emails
- aws (mumbai) — hosting + encrypted data storage
- resend — transactional email (confirmations, audits)
- plausible — privacy-first analytics (no cookies, no personal data)
none of these have access to identifiable data outside their service function. none can re-sell.
7. changes
if this policy changes materially, we email every active user. the previous version of this page is always available via our changelog.
8. contact
questions, requests, or grievances → privacy@verosum.com. a human responds within 48 hours.
note: this is a v1 policy using compliant templates. it will be reviewed by a DPDP-specialist lawyer ahead of any funding round.