Privacy Policy

Vera is operated by Molto Ltd, a private limited company registered in England & Wales. Throughout this policy, “Vera”, “we”, “us”, and “our” refer to Molto Ltd trading as Vera. We are the data controller for the personal data we process about prospective and active customers of the Vera platform. For personal data we process on behalf of our customers (e.g. their prospect data), we act as a data processor — see the Data Processing section below.

You can contact us about anything in this policy at hello@veraa.ai.

We collect three categories of data:

Account & identity data. When you sign up, we collect your work email, company name, and a Stripe customer ID. After signup you can optionally provide your display name in Settings → Account.

Service data. The configuration you set inside your workspace — your buyer profiles, signals you watch for, tone-of-voice settings, integration tokens (encrypted), and the briefs Vera generates on prospects for you. This includes prospect contact data we pull on your behalf from third-party data providers.

Usage data.Basic application logs — which features you used, when, error events, and aggregate usage metrics. We don't track keystrokes, mouse movements, or deploy session replay.

We do not collect special-category personal data. We do not buy enriched personal data for marketing purposes. We do not track you across third-party sites.

We process personal data under the UK GDPR on the following bases:

Contract (Art. 6(1)(b)).To deliver the Vera service you've subscribed to — provisioning your workspace, processing payments, sending operational emails, and providing customer support.

Legitimate interests (Art. 6(1)(f)).To improve the service, prevent abuse, secure our systems, and contact you about product updates relevant to your subscription. We balance these interests against your rights and don't process data in ways you wouldn't reasonably expect.

Consent (Art. 6(1)(a)). Where required — e.g. marketing emails to prospective customers who request demos. You can withdraw consent at any time.

Legal obligation (Art. 6(1)(c)). For tax, accounting, and regulatory record-keeping.

When a Vera customer uses the platform to enrich and engage prospects, the prospect's personal data is processed by us on the customer's instructions. In that relationship, our customer is the data controller and we are a processor. A Data Processing Agreement (DPA) is available on request at hello@veraa.ai.

The lawful basis for our customer's processing of prospect data is their responsibility — typically legitimate interest in B2B outreach, with the safeguards required by UK GDPR including honouring opt-outs.

We use a small set of third-party providers to deliver the service. Each has their own published security and privacy practices, and each has a Data Processing Agreement in place with us.

Infrastructure providers — Supabase (database & auth), Stripe (billing), Anthropic (LLM), Resend (email) — are listed by name on our Security & Trust page.

Data-intelligence providers (contact data, signal intelligence, email verification, and public-source research) are disclosed by category on the Security page and named in full in our Data Processing Agreement, available to active customers and to prospects under NDA. To request the DPA, email hello@veraa.ai.

We'll notify customers at least 30 days before adding a new sub-processor that processes their customer-data, giving you the option to object.

Our primary database is hosted by Supabase in the European Union. Some sub-processors (Anthropic, Apollo, Stripe, Resend) operate globally and may process data in the United States under Standard Contractual Clauses or other UK-government-approved transfer mechanisms.

Data at rest is encrypted using AES-256. Data in transit uses TLS 1.2 or higher.

We retain your workspace data while your subscription is active.

On cancellation we delete all customer-specific data within 30 days, except where we're legally required to retain certain records for longer (e.g. tax records — held for six years after the end of the financial year, encrypted and access-restricted).

You can request deletion of your account and all personal data at any time by emailing hello@veraa.ai. We'll honour the request within 30 days.

Under the UK GDPR you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.

Rectification — ask us to correct inaccurate or incomplete data.

Erasure — ask us to delete your data (subject to legal retention requirements).

Restriction — ask us to limit processing in certain circumstances.

Portability — receive your data in a structured, machine-readable format.

Objection — object to processing based on legitimate interests.

Withdraw consent — where consent is the basis for processing.

To exercise any of these rights, email hello@veraa.ai. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

Customer-data isolation is enforced at the database layer via Row-Level Security policies in Postgres. Internal access is role-based and limited to the engineers actively building Vera. Integration tokens are encrypted at the application layer. All traffic is TLS 1.2+.

Full architecture and isolation details are on our Security & Trust page.

We commit to notifying affected customers and the ICO of any personal data breach without undue delay (and within 72 hours where the breach is likely to result in a risk to your rights).

We use minimal cookies — essentially just what's needed to keep you signed in (Supabase auth) and to detect basic analytics events on the marketing site. We do not use third-party advertising trackers, session replay, or cross-site tracking.

We'll update this policy as the platform evolves. Material changes will be notified to active customers by email at least 14 days before they take effect. The “Last updated” date at the top of the page is the source of truth for the current version.

Molto Ltd
Email: hello@veraa.ai