Last updated 14 May 2026. Kastling ("Verdikt," "we," "us") respects your privacy. This policy explains exactly what we collect, why, and how long we keep it. If something here is unclear, email hello@tryverdikt.app and we'll fix the wording.
1. The short version
We do not train models on your briefs. We do not sell your data. We retain submitted briefs while your account is active and delete them on request (privacy@tryverdikt.app). We retain generated reports until you ask us to remove them. We rely on our model vendors' standard API terms (accessed via the Vercel AI Gateway), under which API payloads are not used to train their models.
2. What we collect
Account data: name, email address, hashed password (or OAuth identifier), and payment metadata supplied by our payment processor or merchant of record. We do not store full payment card numbers.
Brief data: the text, audio, files, and URLs you submit during the intake flow. This is the most sensitive thing in our system and we treat it that way.
Verdict data: the reports we produce for you, including all citations and the reasoning trace.
Usage data: pages you visit, actions you take, and which features you use. We use this for product improvement and aggregate analytics.
3. How we use it
To run the research pipeline and deliver verdicts to you.
To send transactional email (receipts, completed-report notifications, security alerts).
To improve the product based on aggregate, de-identified patterns.
To comply with legal obligations and respond to lawful requests.
We do not use your brief content, verdict content, or usage data to train any model, ours or any third party's.
6. Retention
Brief content: retained while your account is active; deleted on request.
Verdict reports: indefinite, until deletion is requested.
Payment metadata: 7 years (tax requirements).
LLM prompt and response payloads at provider level: we rely on our model vendors' standard API terms (accessed via the Vercel AI Gateway), under which API payloads are not used to train their models.
7. Your rights
Account deletion is self-serve and immediate: from Settings, choose Delete account to permanently erase your account and all associated data (briefs, verdict reports, intake history, uploads, and audio). Payment records are kept — unlinked from your Verdikt account, though they still contain payment-provider identifiers (e.g. the Paddle customer and transaction IDs) — only as long as tax, accounting, and dispute-resolution obligations require (see Retention). This cannot be undone. For any other data-subject request (access, export, correction, restriction, portability, or objection), email privacy@tryverdikt.app; we acknowledge within 5 business days and resolve within 30 days.
EU and UK residents have additional rights under GDPR including the right to object to processing and the right to data portability. Same address: privacy@tryverdikt.app. You also have the right to lodge a complaint with your supervisory authority.
California residents have rights under CCPA, including a right to know, delete, and correct, plus a right to opt out of sharing for cross-context behavioral advertising. We do not sell personal information and we do not share it for cross-context behavioral advertising.
8. International transfers
Verdikt operates internationally. Data may be transferred to and processed in countries where our infrastructure providers operate, including the United States. Each of our infrastructure and LLM providers offers Standard Contractual Clauses (SCCs) as part of their standard terms for EU and UK transfers; we rely on those vendor SCCs. We do not currently maintain our own customer-facing SCC contracts.
9. Security practices
Encryption at rest (AES-256) and in transit (TLS 1.3). Least-privilege access controls enforced with row-level security. Verdikt does not currently hold a third-party security certification (SOC 2, ISO 27001); the controls described here are self-attested. Security incidents that affect customer data are disclosed within 72 hours.
10. Children
Verdikt is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has used the Service, email hello@tryverdikt.app and we will delete the account.
11. Changes to this policy
We will notify you of material changes at least 30 days before they take effect. Changes that reduce your rights or expand our data collection require explicit re-consent.
12. Contact
Privacy questions, data requests, or complaints: privacy@tryverdikt.app. For general support, hello@tryverdikt.app. For security or DPO requests, security@tryverdikt.app.
© 2026 Kastling · Terms of service