Privacy Policy
Last updated: May 2026
1. Who We Are
Vera AI Solutions operates the Vera AI platform, an intelligent auditing workspace that enables audit professionals to build, configure, and converse with AI agents powered by Claude and Gemini models routed through Vercel AI Gateway. This Privacy Policy explains what personal data we collect, why we collect it, how it is processed, and what rights you have over it.
By creating an account or using any part of the Vera AI platform, you agree to the practices described in this policy. If you do not agree, please do not use the platform.
2. Data We Collect
We collect data in the following categories:
Account and Identity Data
When you register, we collect your email address, display name, and a hashed password if you use email authentication. If you register via Google OAuth, we receive your Google profile name, email address, and profile picture URL. We assign you an internal user ID, a role (Admin, User, or Viewer), and subscription status.
Chat and Conversation Data
All messages you send and all responses generated by the AI are stored in our database. This includes the full text of your prompts, AI-generated replies, model selections, timestamps, and structured message parts such as tool calls or reasoning blocks. Chat transcripts are retained until you delete them. Completed turn pairs are stored separately for usage accounting and to enable our chat history memory feature.
Uploaded Files
You may upload PDF and Word documents during a chat session or to a knowledge base linked to an agent. PDF files are stored in Supabase cloud storage. Word documents have their text extracted server-side and the extracted text is stored as part of the message record. Files are retained until you delete them. Files used within a session but not explicitly saved to a knowledge base are not persisted beyond that session.
Agent and Knowledge Base Data
When you create a custom agent, we store its name, icon, system prompt, output format configuration, and any files linked to it in a knowledge base. This data is retained until you delete the agent or associated files.
Saved Memory
If you use the memory feature, you may explicitly save context notes that persist across chat sessions. These saved memories, including any revision history, are stored in our database and are retained until you delete them. You can disable this feature in your account settings.
Usage and Billing Data
We maintain an append-only ledger of usage events recording the number of AI requests made, the model used, your active plan, billing interval, and the approximate character count of inputs and outputs. This data is used to enforce plan limits, calculate billing, and generate usage dashboards. Stripe, our payment processor, handles all payment card data. We do not store credit card numbers or full card details.
Profile and Preferences
We store your profile avatar image, display name, and account preferences including memory settings. Avatar images are stored in Supabase cloud storage.
3. How We Use Your Data
We use the data we collect for the following purposes:
- To create and manage your account and authenticate you securely.
- To provide the core Vera AI service, including delivering AI-generated responses to your messages.
- To send your uploaded files and prompts through Vercel AI Gateway to the selected model provider so we can generate contextually relevant responses.
- To enforce plan-based request limits and calculate billing through Stripe.
- To surface relevant prior context from your chat history and saved memories in new conversations where you have this feature enabled.
- To allow you to build and configure AI agents with custom system prompts and knowledge-base documents.
- To send transactional emails such as account confirmation, password reset, and billing receipts.
- To detect, investigate, and prevent fraud, abuse, and security incidents.
- To comply with legal obligations.
We do not use your conversation content to train or fine-tune AI models. We do not sell your personal data to any third party.
4. Third-Party Services
We rely on the following third-party services to operate the platform:
- Vercel AI Gateway and model providers - Your messages, uploaded document content, and agent system prompts are transmitted through Vercel AI Gateway to supported model providers, including Anthropic and Google, to generate AI responses. Applicable provider privacy terms govern how those providers process routed request data. We transmit only what is necessary to fulfil your request.
- Supabase - We use Supabase for PostgreSQL database hosting, file storage, and authentication. Your account data, chat transcripts, files, and memories are stored in Supabase infrastructure.
- Stripe - Stripe processes all subscription payments. When you subscribe, you interact directly with Stripe's payment interface. We receive billing status and subscription metadata from Stripe via webhooks but do not receive or store your raw payment card details.
- Vercel - The Vera AI application is hosted on Vercel's infrastructure. Request logs and performance data may be collected by Vercel in accordance with their data processing agreement.
- Google - If you use Google OAuth to sign in, Google transmits your name, email address, and profile picture to our authentication provider. We do not receive your Google password or access to your Google account beyond the initial sign-in.
5. Data Security
We implement security measures appropriate to the nature of the data we handle:
- All data is encrypted in transit using TLS. Data stored in Supabase is encrypted at rest.
- Row-level security (RLS) is enforced on all database tables, ensuring that users can only access their own data.
- AI Gateway API keys, Supabase service-role keys, and Stripe secret keys are stored only in server-side environment variables and are never exposed to client-side code or browser environments.
- All user-facing forms validate inputs with Zod schemas before any database write is performed.
- Stripe webhook events are validated against a signature header before being processed.
- Admin-only routes verify role server-side on every request.
No security system is perfect. If you discover a vulnerability, please report it through our Responsible Disclosure Policy.
6. Data Retention
We retain your data for as long as your account is active. Specific retention rules:
- Chat transcripts and messages are retained until you delete them or delete your account.
- Files uploaded to chat sessions but not saved to a knowledge base are not persistently stored beyond the session.
- Files added to a knowledge base are retained until you remove them from the knowledge base or delete the associated agent.
- Usage event records are retained for billing and auditing purposes for a minimum of 12 months.
- Upon account deletion, your profile, chats, agents, memories, and files are permanently removed. Billing records and usage ledger entries may be retained for legal and financial compliance purposes.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access - request a copy of the data we hold about you.
- Correction - request that inaccurate data be corrected.
- Deletion - request that your data be deleted. You can initiate this directly from your account settings or by contacting us.
- Portability - request a machine-readable export of your data.
- Objection - object to certain processing activities.
- Withdrawal of consent - where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at info@veraaisolutions.com.au. We will respond within 30 days.
8. Cookies and Tracking
We use session cookies issued by Supabase Auth to maintain your authenticated session. These are strictly necessary for the platform to function and are not used for advertising or cross-site tracking. We do not use third-party analytics tracking scripts, advertising pixels, or fingerprinting technologies.
9. Children
The Vera AI platform is intended for professional use by adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email or an in-platform notice at least 14 days before they take effect. Your continued use of the platform after the effective date constitutes acceptance of the revised policy.
11. Contact
For privacy enquiries or data subject requests, contact us at: info@veraaisolutions.com.au.