Effective Date: July 24, 2025
1. Introduction and Scope
Welcome to VeriFlow.me. This Privacy Policy explains how Continuous Labs SpA, operating as VeriFlow.me ("we", "us", "our"), collects, uses, shares, and protects personal information. Our core service is providing professional credential verification to our business customers ("Clients").
It is critical to understand our role: in providing our services, we act primarily as a "Data Processor" (or "Service Provider" under the CCPA) on behalf of our Clients. Our Clients, who are the "Data Controllers" (or "Businesses"), determine the purposes and means of processing the personal data they entrust to us. This policy applies to the data we process on their behalf, as well as the data we collect from visitors to our website and our Clients' representatives.
2. Information We Collect
We collect and process several categories of personal data to provide our services and manage our business. This includes:
- Identity and Contact Data: Names, email addresses, phone numbers, and other identifiers of the professionals whose credentials are being verified.
- Professional Credential Data: Information directly related to verification, such as professional license numbers, certification details, employment history, professional affiliations, and educational records.
- Technical Usage Data: IP addresses, login data, browser type and version, and other technology data on the devices used to access our Platform.
- Client Data: Contact and billing information of our Clients' representatives.
To enhance transparency, a core principle of the GDPR, below is a summary of our data processing activities when acting as a Data Processor.
| Data Category | Purpose of Processing | Legal Basis (Determined by our Client, the Data Controller) |
|---|---|---|
| Identity and Contact Data | To identify the subject of the verification and communicate the results of the service to the Client. | Performance of a contract, Legal obligation, Legitimate interest. |
| Professional Credential Data | To perform the core credential verification service requested by the Client. | Performance of a contract, Legal obligation, Legitimate interest. |
| Technical Usage Data | To monitor, protect, and improve the security, availability, and performance of the Platform. | Legitimate interest (to ensure the security and integrity of the service). |
3. Legal Basis for Processing (as a Data Processor)
Our legal basis for processing the personal data of professionals on behalf of our Clients is the contract we have with that Client (the Data Controller). It is the sole responsibility of our Client to establish and document the primary legal basis (e.g., consent, contractual necessity, etc.) for processing the data of their employees, candidates, or affiliates, in accordance with applicable data protection laws.
4. How We Use and Share Your Information
We use the information collected to:
- Provide, maintain, and improve our Services.
- Ensure the security of our Platform.
- Provide Customer support.
We may share personal data with the following categories of third parties:
- Credential-Issuing Bodies: To carry out the verification process.
- Sub-processors: Service providers who assist us in operating our business, such as cloud infrastructure providers (e.g., Google Cloud). We maintain a list of our sub-processors and require them to comply with strict data protection obligations.
- Legal Compliance: If required by law, court order, or legal process.
5. International Data Transfers
VeriFlow.me operates globally, which may require the transfer of personal data outside of your home country. When we transfer personal data originating from the European Economic Area (EEA), the UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we ensure that appropriate safeguards are in place.
To do this, we rely on approved legal mechanisms, such as the European Commission's Standard Contractual Clauses (SCCs), to ensure that the data is adequately protected. This practice is critical in the post-Schrems II landscape. Simply signing SCCs is no longer sufficient; companies must conduct Transfer Impact Assessments (TIAs) to evaluate the laws of the recipient country. By stating the use of robust mechanisms, VeriFlow.me not only complies with the law but also sends a clear signal to enterprise Clients, especially in the EU, that the company has a high level of data privacy maturity, which is a significant competitive advantage.
6. Data Security and Retention
We have implemented appropriate technical and organizational security measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
We retain personal data processed on behalf of our Clients for as long as instructed by the respective Client. Upon termination of our relationship with a Client, we will securely return or delete the personal data in accordance with their instructions and our contractual obligations.
7. Your Data Protection Rights
Depending on your location, you may have certain rights over your personal data. We are committed to facilitating the exercise of these rights.
- Rights under GDPR (for EEA/UK residents): Right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object.
- Rights under CCPA (for California residents): Right to know, right to delete, right to non-discrimination for exercising your rights.
Since we process data on behalf of our Clients, any request to exercise these rights should be directed in the first instance to the organization that provided us with your data (the Data Controller). If we receive a request directly from you, we will forward it to the relevant Client to manage.
8. Contact Information and Data Protection Officer (DPO)
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Continuous Labs SpA (operating as VeriFlow.me)
privacy@veriflow.me
Given the nature and scale of our processing of sensitive data, we have appointed a Data Protection Officer (DPO) to oversee our compliance with data protection laws. You can contact our DPO at dpo@veriflow.me