Last updated 14 May 2026. Kastling ("Verdikt," "we," "us") respects your privacy. This policy explains exactly what we collect, why, and how long we keep it. If something here is unclear, email hello@tryverdikt.app and we'll fix the wording.
1. The short version
We do not train models on your briefs. We do not sell your data. We retain submitted briefs for thirty days after report delivery, then delete them. We retain generated reports until you ask us to remove them. Every LLM provider we use has zero-data-retention contractually enabled.
2. What we collect
Account data: name, email address, hashed password (or OAuth identifier), payment method token. We do not store full payment card numbers; Stripe does.
Brief data: the text, audio, files, and URLs you submit during the intake flow. This is the most sensitive thing in our system and we treat it that way.
Verdict data: the reports we produce for you, including all citations and the reasoning trace.
Usage data: pages you visit, actions you take, and which features you use. We use this for product improvement and aggregate analytics.
3. How we use it
To run the research pipeline and deliver verdicts to you.
To send transactional email (receipts, completed-report notifications, security alerts).
To improve the product based on aggregate, de-identified patterns.
To comply with legal obligations and respond to lawful requests.
We do not use your brief content, verdict content, or usage data to train any model, ours or any third party's.
6. Retention
Brief content: 30 days after report delivery, then deleted.
Verdict reports: indefinite, until deletion is requested.
Audit logs: 12 months.
Payment metadata: 7 years (tax requirements).
LLM prompt and response payloads: not logged, not retained beyond request lifetime.
7. Your rights
You can access, export, correct, or delete your data at any time. Until the self-serve account UI ships, email privacy@tryverdikt.app for any data-subject request (access, export, correction, deletion, restriction, portability, or objection). We acknowledge within 5 business days and resolve within 30 days.
EU and UK residents have additional rights under GDPR including the right to object to processing and the right to data portability. Same address: privacy@tryverdikt.app. You also have the right to lodge a complaint with your supervisory authority.
California residents have rights under CCPA, including a right to know, delete, and correct, plus a right to opt out of sharing for cross-context behavioral advertising. We do not sell personal information and we do not share it for cross-context behavioral advertising.
8. International transfers
Verdikt operates internationally. Data may be transferred to and processed in countries where our infrastructure providers operate, including the United States. We rely on Standard Contractual Clauses for EU and UK transfers.
9. Security practices
Encryption at rest (AES-256) and in transit (TLS 1.3). Least-privilege access controls. Audit logging on all customer-data access. Verdikt does not currently hold a third-party security certification (SOC 2, ISO 27001); the controls described here are self-attested. Security incidents that affect customer data are disclosed within 72 hours.
10. Children
Verdikt is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has used the Service, email hello@tryverdikt.app and we will delete the account.
11. Changes to this policy
We will notify you of material changes at least 30 days before they take effect. Changes that reduce your rights or expand our data collection require explicit re-consent.
12. Contact
Privacy questions, data requests, or complaints: privacy@tryverdikt.app. For general support, hello@tryverdikt.app. For security or DPO requests, security@tryverdikt.app.
© 2026 Kastling