Last updated 14 May 2026. Kastling ("Verdikt," "we," "us") respects your privacy. This policy explains exactly what we collect, why, and how long we keep it. If something here is unclear, email hello@tryverdikt.app and we'll fix the wording.

1. The short version

We do not train models on your briefs. We do not sell your data. We retain submitted briefs while your account is active and delete them on request (privacy@tryverdikt.app). We retain generated reports until you ask us to remove them. We rely on our model vendors' standard API terms (accessed via the Vercel AI Gateway), under which API payloads are not used to train their models.

2. What we collect

Account data: name, email address, hashed password (or OAuth identifier), and payment metadata supplied by our payment processor or merchant of record. We do not store full payment card numbers.

Brief data: the text, audio, files, and URLs you submit during the intake flow. This is the most sensitive thing in our system and we treat it that way.

Verdict data: the reports we produce for you, including all citations and the reasoning trace.

Usage data: pages you visit, actions you take, and which features you use. We use this for product improvement and aggregate analytics.

3. How we use it

To run the research pipeline and deliver verdicts to you.

To send transactional email (receipts, completed-report notifications, security alerts).

To improve the product based on aggregate, de-identified patterns.

To comply with legal obligations and respond to lawful requests.

We do not use your brief content, verdict content, or usage data to train any model, ours or any third party's.

4. Who we share with

Sub-processors: a vetted list of third-party services we use to run Verdikt. The current list is on our Security page. We update the list 30 days before any new processor handles your data.

Verdict URLs: when you generate a shareable URL for a verdict, the report becomes accessible to anyone holding the link. URLs are unguessable and are not indexed. Email privacy@tryverdikt.app to have a shared report taken down.

Legal: we may share data when required by law, but we will challenge requests we believe are improper and notify affected users where we are legally able.

Acquisition: in the unlikely event of a merger or acquisition, customer data transfers with the same protections. We will notify customers in writing before the transfer.

5. Cookies and tracking

We use essential cookies for session and security. We also use Google Analytics 4 (GA4) to measure page views, traffic sources, and aggregate engagement. GA4 sets a small number of first-party cookies (_ga and _ga_<MEASUREMENT_ID>). Analytics is configured with IP anonymization enabled and Google's Advertising Features (remarketing, ad personalization) disabled. We do not pass personally identifiable information to Google.

Product analytics (PostHog) will be added behind a cookie consent banner when self-serve product analytics ship.

We do not use cross-site tracking pixels or advertising cookies. You can opt out of GA4 collection by installing the Google Analytics opt-out browser add-on.

6. Retention

Brief content: retained while your account is active; deleted on request.

Verdict reports: indefinite, until deletion is requested.

Payment metadata: 7 years (tax requirements).

LLM prompt and response payloads at provider level: we rely on our model vendors' standard API terms (accessed via the Vercel AI Gateway), under which API payloads are not used to train their models.

7. Your rights

Account deletion is self-serve and immediate: from Settings, choose Delete account to permanently erase your account and all associated data (briefs, verdict reports, intake history, uploads, and audio). Payment records are kept — unlinked from your Verdikt account, though they still contain payment-provider identifiers (e.g. the Paddle customer and transaction IDs) — only as long as tax, accounting, and dispute-resolution obligations require (see Retention). This cannot be undone. For any other data-subject request (access, export, correction, restriction, portability, or objection), email privacy@tryverdikt.app; we acknowledge within 5 business days and resolve within 30 days.

EU and UK residents have additional rights under GDPR including the right to object to processing and the right to data portability. Same address: privacy@tryverdikt.app. You also have the right to lodge a complaint with your supervisory authority.

California residents have rights under CCPA, including a right to know, delete, and correct, plus a right to opt out of sharing for cross-context behavioral advertising. We do not sell personal information and we do not share it for cross-context behavioral advertising.

8. International transfers

Verdikt operates internationally. Data may be transferred to and processed in countries where our infrastructure providers operate, including the United States. Each of our infrastructure and LLM providers offers Standard Contractual Clauses (SCCs) as part of their standard terms for EU and UK transfers; we rely on those vendor SCCs. We do not currently maintain our own customer-facing SCC contracts.

9. Security practices

Encryption at rest (AES-256) and in transit (TLS 1.3). Least-privilege access controls enforced with row-level security. Verdikt does not currently hold a third-party security certification (SOC 2, ISO 27001); the controls described here are self-attested. Security incidents that affect customer data are disclosed within 72 hours.

10. Children

Verdikt is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has used the Service, email hello@tryverdikt.app and we will delete the account.

11. Changes to this policy

We will notify you of material changes at least 30 days before they take effect. Changes that reduce your rights or expand our data collection require explicit re-consent.

12. Contact

Privacy questions, data requests, or complaints: privacy@tryverdikt.app. For general support, hello@tryverdikt.app. For security or DPO requests, security@tryverdikt.app.

© 2026 Kastling · Terms of service