Privacy Policy

Last updated: 10 March 2026

1. Who we are

Vertapass Ltd (“Vertapass”, “we”, “us”) is the data controller for data collected through vertapass.com and the Vertapass application. Our registered office is in London, United Kingdom.

2. What we collect

  • Account data — email, display name, organisation name, and authentication tokens.
  • Assessment data — answers provided during the compliance assessment flow.
  • Evidence uploads — documents you attach to requirements (stored in your tenant-isolated GCS bucket).
  • Usage data — page views, session duration, and browser metadata (collected via first-party analytics only).

3. Lawful basis

We process data under the following bases per UK GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — to deliver the Vertapass service.
  • Legitimate interest (Art. 6(1)(f)) — for product improvement and security monitoring.
  • Consent (Art. 6(1)(a)) — for optional marketing communications.

4. How we store and protect data

Data is hosted on Google Cloud Platform (GCP) in the europe-west2 (London) region. Evidence files are stored in per-tenant GCS buckets with uniform bucket-level IAM. Passwords are hashed with bcrypt. API keys and secrets are stored in GCP Secret Manager.

5. Data retention

  • Account and assessment data: retained while your account is active, deleted within 30 days of account deletion.
  • Evidence uploads: retained per your organisation’s retention policy or 7 years, whichever is shorter.
  • Audit logs: retained for 2 years for compliance and security purposes.

6. Your rights

Under UK GDPR and EU GDPR you have the right to:

  • Access a copy of your personal data (GDPR export from Settings).
  • Rectify inaccurate data.
  • Erase your data (“right to be forgotten”).
  • Restrict or object to processing.
  • Request data portability.

To exercise any of these rights, use the self-service tools in your account settings or contact privacy@vertapass.com.

7. Sub-processors

We use the following sub-processors:

  • Google Cloud Platform — infrastructure, storage, compute.
  • Firebase — authentication.
  • Stripe — payment processing.
  • SendGrid — transactional email.

8. Contact

For privacy-related enquiries, email privacy@vertapass.com.