OnVerb User Data Statement
Published on 27 July 2025
Last updated on 27 July 2025
User Data Statement
OnVerb's Commitment to Protecting Your Information
Our Data Protection Promise
At OnVerb, we recognise that your trust is fundamental to our relationship. The content you create, the prompts you develop, and the conversations you have with AI models represent your intellectual property, creative work, and often confidential information. We take our responsibility to protect this data extremely seriously.
This User Data Statement explains exactly how we handle your information, what we do to keep it secure, and your rights regarding your data. We believe in complete transparency about our data practices because your privacy and security are not negotiable.
What Data We Collect and Why
Account and Profile Information
We collect basic information necessary to provide you with OnVerb services:
- Account Details: Email address, name, and password (encrypted)
- Subscription Information: Billing details and subscription status
- Usage Metrics: Token consumption and feature usage for billing and service optimisation
- Team Information: Team memberships and collaboration settings when you use team features
Purpose: This information is essential for account management, billing, and providing you with the collaborative features you've requested.
Content and Creative Work
Your creative and professional work remains entirely yours:
- Documents: All content created using our Lexical editor
- System Prompts: Your custom prompts and templates
- Uploaded Files: Documents, PDFs, and CSV files you upload for processing
- AI Conversations: The content of your interactions with AI models
Our Commitment: This content belongs to you. We never access, read, analyse, or use your content for any purpose other than providing the service you've requested.
Operational Logs
For service reliability and security, we maintain minimal operational logs:
- Interaction Logs: Technical records of system interactions (not content)
- Error Logs: Technical information to diagnose and resolve service issues
- Security Logs: Access patterns to protect against unauthorised use
- Performance Metrics: System performance data to maintain service quality
Retention: All operational logs are automatically deleted after 28 days and contain no personal content or sensitive information.
How We Protect Your Data
Encryption at Rest
Every piece of your data is protected using industry-leading encryption:
- AES-256-GCM Encryption: All user content, including documents, prompts, and files
- Encrypted Database Storage: Your account information and metadata are encrypted in our database
- Secure Key Management: Encryption keys are managed using best-practice security protocols
- Zero-Knowledge Architecture: Even our own systems cannot access your encrypted content without proper authentication
Encryption in Transit
Your data is protected during transmission:
- TLS 1.3 Encryption: All communications between your device and our servers
- Secure API Connections: Encrypted connections to AI model providers
- Certificate Pinning: Additional security measures to prevent interception
- End-to-End Security: Your data remains encrypted throughout its journey
Access Controls and Security Measures
We implement comprehensive security controls:
- Multi-Factor Authentication: Available for all user accounts
- Role-Based Access: Strict internal access controls based on job requirements
- Regular Security Audits: Independent third-party security assessments
- Penetration Testing: Regular testing to identify and address vulnerabilities
- Security Monitoring: 24/7 monitoring for suspicious activity or potential breaches
Our Data Access Policy
We Never Access Your Content
This is our fundamental commitment to you:
- No Content Reading: OnVerb staff never read your documents, prompts, or conversations
- No Content Analysis: We do not analyse your content for any business purpose
- No Training Data: Your content is never used to train AI models or improve our services
- No Sharing: We never share your content with third parties, partners, or other users without your explicit permission
Limited Technical Access
The only exceptions to our no-access policy are:
- Technical Support: Only when you explicitly request help and grant permission
- Legal Compliance: Only when required by valid legal process (we will notify you unless legally prohibited)
- Security Incidents: Only to investigate potential security breaches affecting your account (with full transparency)
Team and Collaboration Features
When you use OnVerb's team features:
- User-Controlled Sharing: You decide what to share and with whom
- Team Boundaries: Content shared with teams remains within those teams
- Permission Management: You control access levels for team members
- Audit Trails: Clear records of who has accessed shared content
AI Model Data Policies
Third-Party AI Providers
OnVerb integrates with multiple AI providers, each with their own data policies:
- OpenAI: GPT-3.5, GPT-4, and other OpenAI models
- Anthropic: Claude and other Anthropic models
- Google: PaLM 2 and other Google AI models
- Mistral: Mistral AI models
Your Control Over AI Interactions
You have complete control over your AI interactions:
- Model Selection: Choose which AI providers to use based on their data policies
- Privacy Information: Access each provider's privacy policy directly from your account
- Opt-Out Options: Avoid providers whose data policies don't meet your requirements
- Transparency: Clear labelling of which AI provider is handling each interaction
Accessing AI Provider Policies
To review the data retention and privacy policies for each AI model:
- Navigate to the AI Models section in your OnVerb account
- Click on any model to view its details
- Click the "Privacy Policy" link to review that provider's data practices
- Make informed decisions about which models to use based on your privacy requirements
Important Note: While OnVerb never accesses your content, each AI provider has its own policies regarding data retention and usage. We encourage you to review these policies and choose providers that align with your privacy preferences.
Data Retention and Deletion
Your Content Retention
Your creative work and data remain under your complete control:
- Indefinite Storage: Your documents, prompts, and files are stored as long as you maintain your account
- User-Controlled Deletion: Delete any content at any time through your account interface
- Account Closure: All your content is permanently deleted when you close your account
- Data Export: Download all your content before deletion if desired
Operational Data Retention
We maintain minimal operational data for service provision:
- 28-Day Log Retention: All interaction logs are automatically deleted after 28 days
- Billing Records: Retained for 7 years as required by UK accounting regulations
- Account Information: Retained while your account is active, deleted upon account closure
- Anonymous Analytics: Aggregated, non-identifiable usage statistics may be retained for service improvement
Secure Deletion Process
When data is deleted:
- Cryptographic Deletion: Encryption keys are destroyed, making data unrecoverable
- Multi-Stage Deletion: Data is removed from all systems, including backups
- Verification Process: Deletion is verified across all storage systems
- Compliance: Deletion processes meet GDPR "right to be forgotten" requirements
Your Data Rights
Access and Control Rights
Under GDPR and UK data protection law, you have comprehensive rights:
- Right of Access: Request a copy of all data we hold about you
- Right to Rectification: Correct any inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Portability: Export your data in a machine-readable format
- Right to Restrict Processing: Limit how we process your data
How to Exercise Your Rights
To exercise any of these rights:
- Account Dashboard: Most data management can be done directly in your account
- Data Export: Use the built-in export tools to download your content
- Support Request: Contact our support team for assistance with data requests
- Data Protection Officer: Contact our DPO directly for complex privacy matters
Response Timeframes
We are committed to responding promptly to your requests:
- Simple Requests: Within 72 hours for account-based changes
- Data Export Requests: Within 5 business days
- Complex Requests: Within 30 days as required by law
- Urgent Security Matters: Immediate response for security-related concerns
International Data Transfers
Data Location and Processing
Your data security extends to where it's processed:
- UK-Based Infrastructure: Primary data storage within the United Kingdom
- EU Adequacy: Data transfers within the EU under adequacy decisions
- Third-Country Safeguards: Appropriate safeguards for any transfers outside the UK/EU
- AI Provider Locations: Clear information about where each AI provider processes data
Transfer Safeguards
When data must be transferred internationally:
- Standard Contractual Clauses: Legal protections for international transfers
- Adequacy Decisions: Transfers only to countries with adequate protection
- Additional Safeguards: Technical and organisational measures beyond legal requirements
- User Notification: Clear information about where your data is processed
Incident Response and Breach Notification
Security Incident Response
In the unlikely event of a security incident:
- Immediate Response: 24/7 security monitoring and incident response team
- Impact Assessment: Rapid assessment of any potential impact on user data
- Containment Measures: Immediate steps to prevent further unauthorised access
- Investigation Process: Thorough investigation to understand the scope and cause
User Notification
We are committed to transparent communication:
- 72-Hour Notification: Notification within 72 hours if your data may be affected
- Clear Communication: Plain English explanation of what happened and what we're doing
- Ongoing Updates: Regular updates as our investigation progresses
- Support and Assistance: Dedicated support to help you understand and respond to any impact
Regulatory Compliance
We meet all legal requirements for breach notification:
- ICO Notification: Report qualifying breaches to the Information Commissioner's Office
- Regulatory Cooperation: Full cooperation with regulatory investigations
- Compliance Documentation: Comprehensive records of our response and remediation efforts
- Lessons Learned: Implementation of improvements based on incident analysis
Children's Privacy
Age Restrictions
OnVerb is designed for professional and educational use:
- Minimum Age: Users must be at least 13 years old
- Parental Consent: Users under 16 require parental consent in accordance with GDPR
- Educational Use: Special protections for educational accounts involving minors
- Age Verification: Appropriate measures to verify user age during registration
Enhanced Protections for Minors
When minors use OnVerb through educational institutions:
- Additional Safeguards: Enhanced privacy protections beyond standard measures
- Educational Oversight: School or institutional control over student accounts
- Limited Data Collection: Minimal data collection appropriate for educational use
- Parental Rights: Enhanced rights for parents regarding their children's data
Business Transfers and Changes
Merger or Acquisition Scenarios
In the event of business changes:
- User Notification: 30 days' advance notice of any ownership changes
- Data Protection Continuity: New owners must commit to the same privacy standards
- Opt-Out Rights: Right to delete your account before any transfer
- Regulatory Approval: Compliance with all regulatory requirements for data transfers
Service Changes
If we make significant changes to our data practices:
- Advance Notice: 30 days' notice before implementing material changes
- Clear Explanation: Detailed explanation of what's changing and why
- User Choice: Options to opt out or modify your account if you disagree with changes
- Grandfathering: Existing users may be able to maintain previous terms
Compliance and Certifications
Regulatory Compliance
OnVerb complies with all applicable data protection regulations:
- GDPR: Full compliance with EU General Data Protection Regulation
- UK GDPR: Compliance with UK data protection law post-Brexit
- Data Protection Act 2018: Adherence to UK-specific requirements
- Sector-Specific Regulations: Additional compliance for healthcare, education, and financial services
Industry Standards and Certifications
We maintain high standards through recognised certifications:
- ISO 27001: Information security management system certification
- SOC 2 Type II: Independent audit of security, availability, and confidentiality controls
- Cyber Essentials Plus: UK government-backed cybersecurity certification
- Regular Audits: Annual third-party security and privacy audits
Contact Information
Data Protection Enquiries
For any questions about your data or privacy:
- Data Protection Officer: privacy@onverb.co.uk
- General Support: support@onverb.co.uk
- Security Concerns: security@onverb.co.uk
Postal Address: OnVerb Data Protection Team [Company Address] United Kingdom
Regulatory Complaints
If you're not satisfied with our response to your privacy concerns:
Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Updates to This Statement
Regular Reviews
This User Data Statement is reviewed and updated regularly:
- Quarterly Reviews: Regular assessment of our data practices and policies
- Regulatory Updates: Updates to reflect changes in data protection law
- Service Changes: Updates when we introduce new features or services
- User Feedback: Improvements based on user questions and concerns
Notification of Changes
When we update this statement:
- Email Notification: All users receive email notification of material changes
- Account Dashboard: Prominent notice in your account dashboard
- Version History: Previous versions available for reference
- Effective Date: Clear indication of when changes take effect
Our Ongoing Commitment
At OnVerb, protecting your data is not just a legal requirement—it's fundamental to who we are as a company. We built our platform with privacy and security at its core because we understand that your trust is earned through consistent action, not just words.
We are committed to:
- Continuous Improvement: Regularly enhancing our security and privacy measures
- Transparency: Clear, honest communication about our data practices
- User Control: Ensuring you always maintain control over your data
- Innovation: Developing new features that enhance both functionality and privacy
- Accountability: Taking responsibility for protecting your information
Your data is yours. Our job is to keep it safe while helping you be more productive. That's a responsibility we take seriously every single day.
Document Information
- Version: 1.0
- Last Updated: 27 July 2025
- Next Review: 27 October 2025
- Effective Date: 27 July 2025
This User Data Statement is part of OnVerb's comprehensive privacy framework. For additional information about our privacy practices, please review our full Privacy Policy and Terms of Service.