Privacy Policy
Last updated: January 2026
1. Introduction
VeriSwap ("the Platform", "we", "us") is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, how we store and protect it, and your rights regarding your data. This policy applies to all users of the VeriSwap platform, including visitors, registered users, and administrators.
By creating an account and using the Platform, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, you must not use the Platform.
2. Information We Collect
We collect several categories of personal information:
2.1. Registration Information
- Full name, email address, phone number, nationality, city of residence, and chosen username.
- Password (stored only as a cryptographic hash — we never store or have access to your plain-text password).
2.2. KYC Verification Documents
- Passport scans or photographs (Primary ID).
- Student ID, work permit, or other approved secondary identification documents.
2.3. Transaction Data
- Swap listings you create (amounts, currencies, transfer methods).
- Transaction history including fulfillments, handshake status, timestamps, and counterparty Public Aliases.
- SBP fee receipt uploads and their OCR verification results.
2.4. Communication Data
- In-app chat messages exchanged with transaction partners.
- Support requests and FAQ interactions.
2.5. Usage & Technical Data
- IP address, browser type, device type, and operating system.
- Login timestamps and session activity.
- Pages visited and features used within the Platform.
2.6. Referral Data
- Referral codes used and referral relationships between users.
3. How We Use Your Information
We process your personal data for the following purposes:
- Identity Verification: To verify your identity through KYC review and ensure compliance with our eligibility requirements.
- Transaction Facilitation: To match users, process swap listings, facilitate the Digital Handshake protocol, and track transaction status.
- Fee Verification: To process and verify SBP fee receipts using automated OCR technology and manual admin review when necessary.
- Trust & Safety: To calculate and display Trust Scores, detect fraudulent activity, and enforce our Terms of Service.
- Communication: To deliver real-time in-app messages, transaction notifications, and smart email alerts for offline users.
- Dispute Resolution: To investigate and resolve disputes between users using transaction records, chat logs, and uploaded evidence.
- Platform Improvement: To analyze usage patterns and improve Platform features, performance, and user experience.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
4. Legal Basis for Processing
We process your personal data on the following legal grounds:
- Consent: You provide explicit consent when you create an account, submit KYC documents, and agree to these terms.
- Contractual Necessity: Processing is necessary to perform our obligations under the Terms of Service (e.g., facilitating transactions, verifying fees).
- Legitimate Interests: We have legitimate interests in preventing fraud, ensuring platform security, and improving our services.
- Legal Obligation: Processing may be necessary to comply with applicable anti-money laundering laws, tax regulations, or law enforcement requests.
5. Identity Anonymization & Public Alias
Protecting your identity from other users is a core principle of VeriSwap:
- Your real name, passport details, and personal contact information are never displayed to other users on the Swap Board or in transaction interfaces.
- All public-facing interactions use your randomly generated Public Alias (anonymized User ID).
- Only VeriSwap administrators can view your full identity, and only for the purposes of KYC verification, dispute resolution, and compliance.
- Your username is visible only in contexts where you choose to share it.
6. KYC Document Handling
Your identification documents are treated with the highest level of care:
- Documents are uploaded over encrypted (HTTPS/TLS) connections.
- Stored documents are accessible only to authorized VeriSwap administrators.
- Documents are used solely for identity verification and dispute resolution — never for marketing or third-party sharing.
- If your KYC documents are rejected, the uploaded files remain stored for audit purposes unless you request deletion after a successful resubmission.
7. Receipt Processing & OCR
When you upload SBP fee receipts:
- Receipt images are processed using Azure AI Vision (OCR) to extract text data (amount, date, recipient, payment status).
- Extracted data is validated against the expected transaction parameters using automated logic.
- If automated verification fails, the receipt is placed in a manual admin review queue.
- Receipt images and extracted OCR data are stored securely and retained as part of the transaction audit trail.
8. In-App Communication Data
- Chat messages exchanged between transaction partners are transmitted via encrypted real-time connections (SignalR over WebSocket/TLS).
- Messages are stored in our database and retained for dispute resolution, compliance, and safety purposes.
- Administrators may review chat logs only during active dispute investigations or when there is reasonable suspicion of a Terms violation.
- Chat messages are not used for advertising, profiling, or any purpose beyond Platform operations.
9. Data Storage & Security
We implement multiple layers of security to protect your data:
- Encryption in Transit: All data is transmitted over HTTPS/TLS encrypted connections.
- Database Security: Data is stored in PostgreSQL with encrypted connections and access restricted to authorized services.
- Password Security: Passwords are hashed using industry-standard cryptographic algorithms (ASP.NET Core Identity). We never store plain-text passwords.
- File Storage: Uploaded documents and receipts are stored in secure cloud storage with access controls.
- Infrastructure: The Platform is hosted on secure cloud infrastructure with firewalls, monitoring, and regular security updates.
- Access Control: Internal access to personal data is restricted to authorized administrators on a need-to-know basis.
10. Data Sharing & Third-Party Services
We do not sell your personal data. We may share data only in the following limited circumstances:
- Service Providers: We use third-party cloud and AI services (e.g., Azure AI Vision for OCR, cloud hosting providers) that process data on our behalf under strict data processing agreements.
- Legal Requirements: We may disclose data when required by law, regulation, court order, or government request.
- Safety & Fraud Prevention: We may share limited information with law enforcement if we detect illegal activity or imminent threats to user safety.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the business, subject to the same privacy protections.
We do not share your data with advertisers, data brokers, or any other third parties for marketing purposes.
11. International Data Transfers
Your data may be processed and stored in servers located outside your country of residence. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Contractual protections with service providers.
- Compliance with applicable data transfer regulations.
- Use of providers that maintain industry-standard security certifications.
12. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this policy:
- Active Accounts: Data is retained for the duration of your active account.
- Closed Accounts: Core transaction records and KYC documents may be retained for up to 5 years after account closure for legal compliance, audit, and dispute resolution purposes.
- Chat Messages: Retained for the duration that the associated transaction dispute window remains open, and up to 2 years thereafter.
- Technical Logs: IP addresses and access logs are retained for up to 12 months.
After the applicable retention period, data is securely deleted or anonymized.
13. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Right to Restriction: Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing of your data based on legitimate interests.
- Right to Withdraw Consent: Withdraw your consent at any time (this does not affect the lawfulness of prior processing).
To exercise any of these rights, please contact us through the Support page or at privacy@veriswap.com. We will respond within 30 days of receiving your request.
14. Children's Privacy
The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will promptly deactivate their account and delete their personal data.
15. Cookies & Local Storage
- Essential Cookies: We use cookies that are strictly necessary for authentication, session management, and security (e.g., anti-forgery tokens). These cannot be disabled.
- Local Storage: We use browser localStorage for UI preferences such as dark/light mode. This data never leaves your device.
- No Tracking: We do not use third-party tracking cookies, advertising pixels, or analytics services that track you across other websites.
16. Automated Decision-Making
VeriSwap uses limited automated processing:
- OCR Receipt Verification: Automated text extraction and validation of SBP fee receipts. If automated verification fails, receipts are escalated to manual admin review. No transaction is rejected solely by automated processing without human oversight.
- Trust Score Calculation: Automatically computed from user reviews. Admins may manually adjust scores in cases of verified abuse.
- Trust Chunks Recommendation: Automated warnings for high-value transactions by new users. These are recommendations only and do not block users from proceeding.
You have the right to request human review of any automated decision that significantly affects you.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements:
- Material changes will be communicated via email and/or in-app notification at least 14 days before taking effect.
- The "Last Updated" date at the top of this page will be revised accordingly.
- Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
- If you do not agree with changes, you may request account closure and data deletion.
18. Contact
For any privacy-related questions, concerns, or requests, please contact us through:
- The in-app Support page.
- Email: privacy@veriswap.com
We aim to respond to all privacy inquiries within 30 days.