Privacy Policy

This Privacy Policy describes how Veristack Technologies, Inc. ("Veristack," "we," "our," or "us") collects, uses, stores, and protects information in connection with the Veristack platform and the website at veristacktech.com (collectively, the "Service"). By using the Service, you agree to the practices described in this Privacy Policy.

1. Scope

This Privacy Policy applies to information we collect through the Service. It does not apply to information collected by third parties outside the Service, including websites that link to or from the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, company name, and role. This information is used to provision your account, authenticate your identity, and communicate with you about the Service.

2.2 Project Data

When you use the platform, you may upload timesheet data, subcontractor invoices, field tickets, wage determinations, classification rate tables, and other project-related documents. This data is processed by the platform to generate time-and-materials backup documentation and related outputs. Veristack does not claim ownership of your project data.

2.3 Certified Payroll Documents

You may upload certified payroll documents that contain personally identifiable information ("PII"), including Social Security numbers, home addresses, dates of birth, and employee compensation data. Certified payroll documents are subject to additional protection measures described in Section 5.

2.4 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, and device information. This information is used to operate and improve the Service, diagnose technical issues, and monitor platform performance.

2.5 Cookies

The Service uses essential cookies required for authentication and session management. We do not use third-party advertising cookies or tracking pixels. We do not sell or share cookie data with advertisers.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service;
• Process your project data and generate backup documentation;
• Authenticate users and manage accounts;
• Communicate with you about your account, the Service, and support requests;
• Monitor and improve the performance, security, and reliability of the Service; and
• Comply with legal obligations.

No AI / Machine-Learning Training Use

We do not use your project data, certified payroll documents, account information, or any other uploaded content to train machine-learning or artificial-intelligence models. We do not use your information for marketing purposes outside communications about the Service itself. We do not use your information for any purpose other than providing the Service to you.

4. How We Share Your Information

We do not sell your information. We do not share your information with third parties for their marketing purposes. We share information only in the limited circumstances described below.

4.1 Subprocessors

We engage vetted third-party subprocessors to host, secure, support, and operate the Service. These subprocessors provide functions such as cloud hosting and storage, content delivery and DNS, transactional email, application error monitoring, availability monitoring, and internal business communication. All customer data processed by subprocessors is stored in the United States. Each subprocessor is bound by written confidentiality and data protection obligations substantially consistent with this Privacy Policy and the Veristack customer agreement.

The current and complete list of subprocessors is maintained in Veristack's Security Posture Document, which is made available to customers and prospective customers under a non-disclosure agreement. When we add or replace a subprocessor that materially processes customer data, we update the Security Posture Document and notify active customers by email. Customers may submit questions or concerns regarding a subprocessor to privacy@veristacktech.com, and we will respond in good faith. Selection of subprocessors remains at Veristack's sole discretion, consistent with our contractual commitments and the security and privacy standards described in this Privacy Policy and our Security Posture Document.

4.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or where we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Veristack, our users, or the public.

4.3 Business Transfers

If Veristack is involved in a merger, acquisition, reorganization, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will provide at least thirty (30) days' advance written notice of any such transfer, and you may request deletion of your information before the transfer completes.

5. Certified Payroll PII Protection

Certified payroll documents contain sensitive employee information. The Service applies layered technical controls to these documents:

• Encryption. All certified payroll documents are encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
• Automated PII redaction. The platform automatically redacts Social Security numbers, home addresses, and dates of birth from certified payroll documents before long-term storage. Redaction is performed using pattern detection with an optical character recognition (OCR) verification pass.
• Fail-closed design. If redaction cannot be confirmed, the document is quarantined for user review rather than stored in an unredacted state.
• Retained fields. Employee names and wage information are retained in redacted documents as required for prevailing wage compliance reporting and audit traceability.

Veristack's security measures protect certified payroll data within the Service. Users remain responsible for their own handling of sensitive information outside the Service, including downloading documents to local devices, transmitting documents by email or other channels, sharing account credentials, or otherwise making sensitive information available to third parties.

6. Data Security

We implement technical and organizational measures designed to protect your information, including:

• Encryption of all data in transit using TLS 1.2 or higher;
• Encryption of all data at rest using AES-256;
• Logical isolation of customer data at the query layer, with independent review of isolation controls scheduled;
• Multi-factor authentication (TOTP) required for Veristack administrative access, and available and configurable for customer users;
• Role-based access controls enforced at the application and database layer;
• Security response headers including HSTS, Content Security Policy, and X-Frame-Options;
• Structured audit logging of API requests and administrative actions, retained for twelve (12) months;
• Automated dependency vulnerability scanning with defined remediation timelines; and
• External availability monitoring and application error tracking.

No method of transmission or storage is completely secure. While we apply reasonable measures to protect your information, we cannot guarantee absolute security.

7. Data Residency

All customer data processed through the Service is stored in the United States. No customer data is transferred to or stored on infrastructure outside the United States. Backup replication remains within United States regions.

8. Data Retention

We retain your account information for as long as your account is active or as needed to provide the Service. We retain project data for the duration of your subscription or engagement.

Upon termination of your agreement with Veristack:

• We provide a data export upon request, in standard, non-proprietary formats, within fifteen (15) business days.
• We delete customer project data within ninety (90) days of termination.
• Account information (name, email, company) may be retained beyond that period solely for legal and compliance recordkeeping, for the minimum period required.
• Written confirmation of deletion is available upon request.

9. Security Incident Notification

In the event of a confirmed security incident affecting your information, we will provide written notification within seventy-two (72) hours of confirmation. Notification will include the nature and known scope of the incident, the categories of information involved, and the steps we are taking in response. We will cooperate with your obligations under applicable breach notification laws.

10. Your Privacy Rights

Subject to applicable law and verification of your identity, you may have the right to:

• Access the personal information we hold about you;
• Request correction of inaccurate information;
• Request deletion of your information;
• Object to or restrict certain processing of your information;
• Receive a copy of your information in a portable format; and
• Withdraw consent where our processing is based on consent.

To exercise any of these rights, contact us at privacy@veristacktech.com. We will acknowledge your request within ten (10) business days and respond within thirty (30) days. Where a request is complex or we receive a high volume of requests, we may extend the response period by an additional forty-five (45) days and will notify you of the extension.

Regional Rights

Depending on your location, additional rights may apply under laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR), and other state or national privacy laws. These rights may be exercised through the same contact address.

We do not sell personal information and do not engage in targeted advertising as those terms are defined under applicable privacy laws.

11. Children's Privacy

The Service is intended for use by adult business users. The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information directly from individuals under 18. Certified payroll documents uploaded by customers may reference employees who are minors under applicable labor law; such information is handled under the same protections as all other certified payroll data described in Section 5. If we become aware that we have directly collected personal information from a child in a manner inconsistent with this policy, we will take steps to delete that information promptly.

12. Business Customers and Data Processing Addendum

Business customers who process personal data subject to the GDPR, CCPA, or similar laws may request a Data Processing Addendum (DPA) at privacy@veristacktech.com. The DPA is available as an addendum to the Master Services Agreement.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on our website, updating the effective date, and — for active customers — by email to the address on file at least thirty (30) days before the change takes effect. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.

14. Contact Us

Questions about this Privacy Policy or our data practices may be directed to:

Veristack Technologies, Inc.
Email: privacy@veristacktech.com

For security reports and vulnerability disclosures: security@veristacktech.com
For legal notices: legal@veristacktech.com