Privacy Policy
Vernota
Last updated: March 13, 2026 · Effective date: February 27, 2026
This Privacy Policy is written in English. In the event of any conflict between the English version and any translated version, the English version shall prevail.
01 Introduction
Vernota (“we,” “our,” or “us”) is a mobile application that helps you create and verify cryptographically timestamped statements. We respect your privacy and are committed to protecting your personal data.
This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have. It applies to the Vernota mobile app and the website at vernota.app.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, this policy complies with the General Data Protection Regulation (GDPR) and applicable local laws.
02 Who We Are
Data Controller / Privacy Officer:
Vernota
Bartłomiej Nycz (individual developer)
Blokowa 39, 43-316 Bielsko-Biała, Poland
Contact: privacy@vernota.app
If you have questions about this policy, your data, or wish to exercise your privacy rights, contact our Privacy Officer at the email above. We aim to respond to all requests within 30 days.
03 Data We Collect
We strive to collect only the data necessary to provide and enhance our services.
3.1 Account Data
- Email address — used to create and manage your account, and to send you service-related messages.
- Google account information — if you sign in using Google Sign-In, we receive your email address and basic profile information (such as your name) from Google. This data is used solely for account creation and authentication.
3.2 User-Created Content
- Statement text — the written statements, predictions, or commitments you create inside the app.
- Images — photos or files you attach to statements.
3.3 Technical Data
- Push notification tokens — device-specific codes used solely to send you reminder alerts about your statements. We do not use these for advertising or tracking.
- Activity timestamps — We record when you last used the app. This timestamp is updated at most once per hour and is stored in your account profile. It is used solely to determine whether to send you an optional inactivity reminder (see section 4).
3.4 Data We Do Not Collect
We do not collect your location, contacts, browsing history, or any device data beyond what is listed above. We do not use any advertising identifiers or third-party tracking SDKs.
04 Why We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| To create and manage your account | Performance of a contract (Art. 6(1)(b)) |
| To store and display your statements | Performance of a contract (Art. 6(1)(b)) |
| To send reminders you configure | Performance of a contract (Art. 6(1)(b)) |
| To send service-related emails | Performance of a contract (Art. 6(1)(b)) |
| To send hash receipt emails confirming your statements | Performance of a contract (Art. 6(1)(b)) |
| To send optional inactivity reminder emails | Legitimate interests (Art. 6(1)(f)) — specifically, our interest in keeping users informed about the service, subject to your right to opt out at any time |
| To improve the app and fix bugs | Legitimate interests (Art. 6(1)(f)) — specifically, our interest in ensuring app stability, security, and delivering a functional user experience |
| To comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not use your data for advertising, profiling, or sale to third parties.
Inactivity reminders — If you have not used Vernota for 14 or more days, we may send you a single reminder email. These emails are sent at most once every 30 days. You can opt out at any time using the unsubscribe link included in every reminder email, or by disabling retention emails in the app's Settings screen. Once you opt out, no further reminder emails will be sent.
Hash receipt emails — Each time you create a statement, we automatically send a confirmation email to your registered address. This email contains the cryptographic hash (SHA-256 fingerprint) of your statement and serves as an independent record in your inbox. This is a core part of the verification system and cannot be disabled separately from your account.
05 Third-Party Services
We use the following trusted third-party services to operate Vernota. Each acts as a data processor on our behalf and is bound by data processing agreements.
5.1 Supabase — Database and Authentication
We use Supabase to store your account data and statements. Data is processed on servers in the European Union (EU).
- Privacy policy: supabase.com/privacy
5.2 Resend — Email Delivery
We use Resend to deliver all outbound emails: account verification, password reset, statement hash receipts, and inactivity reminder emails. Resend processes your email address for delivery purposes only.
- Privacy policy: resend.com/legal/privacy-policy
5.3 Expo / EAS — Push Notifications
We use Expo's push notification service to deliver reminder alerts to your device. Expo processes your push notification token.
- Privacy policy: expo.dev/privacy
5.4 Google — Sign-In Authentication
We offer Google Sign-In as an authentication option. When you choose to sign in with Google, your email address and basic profile information are transmitted from Google to Vernota via OAuth. Google may process your data in accordance with its own privacy policy.
- Privacy policy: policies.google.com/privacy
5.5 Vercel — Web Hosting
Our website and public proof links are hosted on Vercel. Vercel may process your IP address as part of standard web hosting.
- Privacy policy: vercel.com/legal/privacy-policy
06 Data Retention
We keep your data for as long as your account is active.
- If you delete your account, we permanently delete your personal data and all associated statements within 30 days.
- Backup copies may be retained for up to 90 days before being fully purged, in accordance with our database provider's backup schedule.
- You can delete your account at any time from within the app. For step-by-step instructions and details on what data is removed, see our account deletion page.
Email delivery log — We maintain a server-side log of all emails sent to you (email type, delivery status, and timestamp). This log is used for operational monitoring and troubleshooting delivery issues. It is not accessible through the app and is retained for as long as your account exists. When you delete your account, this log is deleted along with all other account data.
07 Data Security
We protect your data using the following measures:
- All data is transmitted over encrypted connections (HTTPS / TLS).
- Statements are hashed using SHA-256 for cryptographic integrity verification.
- Database access is restricted using strict access controls (Row-Level Security), meaning each user can only access their own data.
- Passwords are never stored in plain text.
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay.
08 Your Rights
8.1 EEA, UK, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of access — you can request a copy of the data we hold about you.
- Right to rectification — you can ask us to correct inaccurate data.
- Right to erasure — you can ask us to delete your data.
- Right to restrict processing — you can ask us to limit how we use your data.
- Right to data portability — you can request your data in a machine-readable format.
- Right to object — you can object to processing based on legitimate interests.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at privacy@vernota.app. We will respond within 30 days.
If you believe we are not handling your data correctly, you may lodge a complaint with your national data protection authority. If you are in the United Kingdom, you can contact the Information Commissioner's Office (ICO) at ico.org.uk.
8.2 Opt Out of Reminder Emails
You can disable inactivity reminder emails at any time by clicking the unsubscribe link in any reminder email, or by turning off the option in the app under Settings. This does not affect transactional emails (account verification, password reset, or hash receipt emails), which are required for the service to function.
8.3 California Residents (CCPA / CPRA)
We do not “sell” or “share” your personal information as defined by California law (including for cross-context behavioral advertising).
California residents have the right to:
- Know the categories and specific pieces of personal information we have collected about you over the past 12 months.
- Request deletion of your personal information.
- Correct inaccurate personal information.
- Not be discriminated against for exercising any of these rights.
The categories of personal information we collect are: identifiers (email address), user-generated content (statements, images), and device identifiers (push notification tokens). We do not collect sensitive personal information as defined by CPRA.
To submit a California privacy request, contact us at privacy@vernota.app.
09 Children's Privacy
Vernota is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we learn we have collected data from a child under 16, we will delete it promptly.
If you believe a child has provided us with personal data, please contact us at privacy@vernota.app.
10 International Data Transfers
Your data is stored primarily in the European Union (via Supabase). Where data is transferred outside the EEA — for example, to Resend, Expo, or Vercel in the United States — we ensure appropriate safeguards are in place:
- For EEA transfers: Standard Contractual Clauses (SCCs) as approved by the European Commission.
- For UK transfers: UK International Data Transfer Agreements (IDTAs) or the UK Addendum to EU SCCs, as required by UK GDPR.
11 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify you via email or an in-app message.
We encourage you to review this policy periodically.
12 Contact Us
For any questions, requests, or concerns about this Privacy Policy or your personal data:
Privacy Officer
Email: privacy@vernota.app
Website: vernota.app
Last reviewed: March 13, 2026