Private beta open for teams shipping AI agents.·See the demo

Legal

Privacy Policy

What we collect, what we deliberately never receive, who processes it, and the rights you have over it.

Last updated: July 4, 2026

01Who we are

Verifiable Labs, Inc. is a Delaware corporation operating verifiable-labs.com, the Verifiable Labs dashboard, and the Verifiable Labs API (the “Service”). For the personal data described in this policy, Verifiable Labs is the data controller. You can reach us about anything in this policy at privacy@verifiable-labs.com.

02What we collect

  • Account data — name, email address, authentication identifiers, and organization membership, handled through our authentication provider, Clerk. If you sign in with Google or GitHub we receive the basic profile those providers share.
  • Billing data — your plan, subscription status, and invoices, handled through Stripe. Card details are entered on Stripe’s payment pages and never touch our servers.
  • Usage telemetry — metered counts (traces, scoring calls, dataset tuples), API request metadata, and the scalar audit aggregates you post to the telemetry endpoints (for example candidates_tested, shortcuts_detected, and the derived hack rate).
  • Assistant input — messages you type to the dashboard assistant and, if you use voice input, short audio clips that are transcribed to text to serve your request. Both are metered against your plan.
  • Contact details — what you submit through the contact form (name, email, company, message).
  • Logs — IP addresses, user-agent strings, and timestamps collected by us and our hosting providers for security, abuse prevention, and debugging.

Cookies on the Service are used for authentication and session management (set by Clerk). We do not use advertising or cross-site tracking cookies, and we do not sell personal data.

03What never reaches us

The platform is architected so that the sensitive material of an evaluation stays inside your trust domain. As documented in the API reference and on the Security page: your reference code and test cases never leave your trust domain; audit telemetry accepts scalar aggregates, not candidate code or graders; and assurance records disclose decisions and score deltas, not the material that produced them. Hidden evaluation cases, gold answers, and raw model traces stay inside the evaluation boundary.

For dataset jobs, the model API key you supply is encrypted at rest, used only to call your endpoint, and never returned.

04How we use data

  • to provide and operate the Service, including authentication, evaluation runs, and the dashboard;
  • to meter usage against your plan and to bill subscriptions;
  • to secure the Service — abuse prevention, rate limiting, and incident investigation;
  • to respond to support and contact requests;
  • to send service communications (e.g. completed audits, monitor regressions, security notices).

Where GDPR applies, we rely on performance of contract (providing the Service), legitimate interests (security, service improvement), and consent where required.

05Subprocessors

We use the following service providers to run the Service. Each processes data only as needed for the purpose listed.

ProviderPurposeLocation
ClerkAuthentication, user accounts, and organizationsUSA
StripePayment processing and subscription billingUSA
VercelWebsite and dashboard hostingUSA
Fly.ioAPI hostingUSA
SupabaseManaged database (Postgres)USA
CloudflareDNS and object storage (R2)USA
UpstashRedis — rate limiting and queuesUSA
OpenRouterManaged model routing for the metered LLM-backed featuresUSA
OpenAIModel inference for the dashboard assistant and voice transcriptionUSA
ResendTransactional email (e.g. contact-form notifications)USA
Google WorkspaceCompany email and document handlingUSA / EU
SentryError monitoringUSA
Better StackUptime monitoring and log managementUSA / EU

If you book a call through the Calendly link on our contact page, or visit our public status page (hosted by Atlassian Statuspage), those providers process the data you give them under their own privacy policies.

06Retention

Account data is kept while your account exists and removed when you delete it (self-serve, from the dashboard settings). Usage metering, audit records, and assurance records are kept while the account is active, since they are the product’s evidence trail. Billing records are retained as required by tax and accounting law. Operational logs are kept for a limited period for security and debugging and then deleted or anonymized.

07Your rights (GDPR / CCPA)

Depending on where you live, you may have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent. You can delete your account and its data yourself from the dashboard settings, or exercise any of these rights by emailing privacy@verifiable-labs.com — we respond within the timelines the applicable law sets.

If you are in the EEA or UK you may also lodge a complaint with your supervisory authority. If you are a California resident, the CCPA rights to know, delete, correct, and opt out of sale/sharing apply; we do not sell or share personal data as those terms are defined in the CCPA, and we do not discriminate against you for exercising your rights.

08International transfers

We are a US company and the Service is operated from the United States. Where data of EEA/UK users is transferred to the US or other countries, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses with our subprocessors.

09Security

Security practices — private-by-default evaluation boundaries, redacted records, and responsible disclosure — are described on our Security page. Vulnerability reports go to security@verifiable-labs.com or via security.txt. No method of transmission or storage is perfectly secure, but we work to protect your data with measures appropriate to the risk.

10Children

The Service is a business tool and is not directed to children under 16. We do not knowingly collect personal data from children; if you believe a child has provided us data, contact privacy@verifiable-labs.com and we will delete it.

11Changes to this policy

We may update this policy from time to time. For material changes we will give notice — on this page, in the product, or by email — before the change takes effect. The “Last updated” date above always reflects the current version.

12Contact

Privacy questions and requests: privacy@verifiable-labs.com. Legal questions: legal@verifiable-labs.com.