Privacy.

Last updated: 7 May 2026

This policy describes how Verka collects, uses, and protects personal data when you use our website and our SaaS service. We comply with the EU General Data Protection Regulation (GDPR).

1. Who is the data controller?

Verka is an AI-driven marketing platform based in Sweden. Verka acts as the data controller for personal data processed through this website and the Service.

Email: [email protected]

For any questions about personal data, contact us at [email protected].

2. Two different roles

Verka processes personal data in two different roles, depending on the context:

As data controller — when we handle data about you as a website visitor or as a user of the service (for example, your name, email address, and login credentials).

As data processor — when you, as a customer, connect your marketing accounts (such as Google Ads or Google Search Console) to Verka and we process data about your customers and contacts on your behalf. For this processing, we enter into a separate Data Processing Agreement (DPA) with you as the customer.

This policy primarily covers our role as data controller. For our role as data processor, please request our DPA at [email protected].

3. What data do we collect?

Website visitors and waitlist sign-ups

• Email address, company name, and role (when you join the waitlist)
• IP address — hashed and stored only for short-term rate limiting
• Browser, device, and operating system (logged automatically by our infrastructure)

Users of the service (once the platform is active)

• Name and email address
• Hashed password
• Company details, brand voice, target audience, and KPI targets
• Content and settings you create within the service
• Data from the marketing services you connect (Google Ads, Google Search Console, and others you authorise via OAuth)
• Logs of your use of the service
• Your approval and rejection decisions on AI-generated recommendations

4. Why do we process your data?

• Provide and develop our service
• Manage your account and our communications with you
• Send service messages and invoices
• Improve agent recommendations based on your past approvals and rejections — your data only, never aggregated across customers
• Improve the user experience and troubleshoot issues
• Protect the service against abuse and security threats
• Comply with legal obligations (such as accounting requirements)
• Market our services — when you have given your consent

5. Legal basis

We only process personal data when we have a legal basis for doing so. For Verka, the most common bases are:

• Contract — to deliver the service you have ordered
• Legitimate interest — for security, product development, and basic analytics
• Consent — for marketing emails, newsletters, and similar
• Legal obligation — for accounting and other statutory documentation

6. AI processing

A core part of Verka is that AI agents perform work on your behalf — analysing campaigns, generating content drafts, and recommending actions. This means that personal data you enter into the service may be processed by AI models provided by third-party vendors.

Currently we use:

• Anthropic (Claude) — based in the United States. Used for all AI processing in the platform. Anthropic's commercial API terms confirm that customer data submitted via the API is not used to train models. Anthropic is covered by the EU-US Data Privacy Framework.

We do not send more data than is required for the task. Our AI vendors are covered by our DPA with you.

Most actions in the service operate in human-in-the-loop mode by default — the AI prepares a recommendation and you approve before it is executed. Where automated decisions are made that have a legal or similarly significant effect on a person, you have the right to have the decision reviewed by a human. Contact [email protected] if you wish to exercise this right.

A current list of our sub-processors — including AI vendors — can be requested from [email protected].

7. What we will never do

• Sell your data to third parties
• Use your data to train foundation AI models
• Aggregate your data with other customers' for benchmarking without explicit consent
• Send marketing email if you didn't ask for it

8. Cookies and analytics

The Verka marketing website (verka.io) currently does not set any tracking, analytics, or advertising cookies.

The platform itself, when active, uses only essential cookies required for the service to function — for example, to keep you signed in and to protect against abuse.

If we add analytics or advertising cookies in the future, we will request your consent through a clear cookie banner.

9. Third-party services

We use the following sub-processors to run Verka:

• Cloudflare (US, EU regions) — hosting, content delivery, and edge compute
• Supabase (EU regions) — database, authentication, and file storage
• Anthropic (US) — AI model processing
• Resend (US) — transactional email delivery
• DataForSEO (when site audits run) — website crawling for SEO analysis
• Google APIs (US) — when you authorise Verka to access your Google Ads or Google Search Console data, requests are sent to Google APIs on your behalf

A current and complete list of our sub-processors can be requested from [email protected].

Google API Services compliance. Verka's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

10. Transfers outside the EU/EEA

Some of our providers are based in the United States or process data there. When we transfer personal data outside the EU/EEA, we do so on the basis of:

• European Commission adequacy decisions (where applicable, such as the EU-US Data Privacy Framework)
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary safeguards where necessary

11. How long do we keep the data?

• Waitlist sign-ups — until commercial launch plus 12 months, then deleted unless you become a customer
• Hashed IP addresses (waitlist rate limiting) — kept alongside the waitlist record for the duration of that record
• Account and user data — for as long as you have an active account, plus up to 90 days thereafter
• Invoicing and accounting data — seven years, as required by Swedish accounting law
• Support tickets — up to 24 months
• Marketing consents — until you withdraw them
• Logs and security data — typically 30–90 days

12. Security

We protect your data with technical and organisational measures, including encryption in transit (TLS), passwords stored as hashes, access controls, row-level security in our database, and logging. In the event of a personal data breach that poses a risk to you, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours and inform you when required by law.

13. Your rights

Under GDPR, you have the right to:

• Be informed about the data we hold about you (subject access request)
• Have inaccurate data corrected
• Have data erased (the "right to be forgotten")
• Have processing restricted
• Object to processing based on legitimate interest
• Receive your data in a machine-readable format (data portability)
• Withdraw consent at any time

Contact [email protected] and we will help you. If you believe we are handling your data incorrectly, you can also file a complaint with the Swedish Authority for Privacy Protection (imy.se).

14. Data deletion (for connected platforms)

If you have connected your account from Google, Meta, LinkedIn, or another marketing platform to Verka and wish to have your data removed, contact us at [email protected] with the subject line "Data deletion request".

Include in your request:

• The email address you used to authorise the connection
• The platform(s) you connected (Google Ads, Meta, LinkedIn, etc.)
• Whether you want all data removed, or only data from a specific connected account

We confirm receipt within 5 business days and complete deletion within 30 days. After deletion is complete, you will receive a confirmation email.

15. Changes

We may update this policy as the service evolves or as legislation changes. For significant changes, we will notify you by email or within the service. The date at the top of this page indicates when the policy was last updated.

16. Contact

For questions, feedback, or to exercise your rights — email us at [email protected].