Privacy Policy

Last updated: 29 April 2026

1. Introduction

VeritasIQ (“we”, “us”, “our”) operates the InvestiScript platform (“Service”). We are committed to protecting the privacy and security of your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the South African Protection of Personal Information Act (POPIA), and other applicable international data protection laws.

This policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal information.

2. Data Controller

VeritasIQ is the data controller for personal data processed through the Service. For data protection enquiries, contact our Data Protection Officer at [email protected].

3. Data We Collect

Account Data

Email address, display name, hashed password, organisation membership. Collected at registration. Legal basis: contract performance (Art. 6(1)(b)).

Investigation Data

Topics, research briefs, scripts, annotations, documents, entity data, FOI requests, safety assessments, task boards. Created by you during use. Legal basis: contract performance (Art. 6(1)(b)).

Usage & Security Data

Audit logs (actions, timestamps, IP addresses, user agents), login attempts, session tokens. Legal basis: legitimate interest in security (Art. 6(1)(f)).

Cookies

We use only essential session cookies for authentication. No marketing, advertising, or analytics cookies are deployed.

4. How We Use Your Data

  • Providing and maintaining the investigative journalism platform
  • Authenticating your identity and managing sessions
  • Processing AI-assisted research and content generation
  • Sending operational notifications (research completion, @mentions)
  • Maintaining audit trails for security and compliance
  • Detecting and preventing fraud, abuse, and security incidents

5. AI Processing & Third-Party Services

When you trigger AI-powered research or content generation, your investigation brief and relevant context are sent to large language model APIs (hosted by Abacus.AI) for processing. This data is processed transiently and is not retained by the AI provider for training purposes. We ensure appropriate data processing agreements are in place with all sub-processors.

6. Data Retention

  • Account data: Retained for the duration of your account, plus 30 days after deletion request to allow recovery. After 30 days, data is permanently purged.
  • Investigation data: Retained until you delete it or request account erasure. Encrypted at rest.
  • Audit logs: Retained for 2 years for security and compliance purposes (ISO 27001 A.12.4, SOC 2 CC7).
  • Session cookies: Expire after 8 hours of inactivity. JWT-based, httpOnly.
  • Database backups: Automated daily backups retained for 7 days. Encrypted in transit and at rest.
  • Breach notification: In accordance with GDPR Articles 33 and 34 and POPIA Section 22, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights.

7. Your Rights

Under GDPR and POPIA, you have the following rights:

Right to Data Portability (Art. 20): Export all your personal data in machine-readable JSON format from your Profile settings.

Right to Erasure (Art. 17): Request complete deletion of your account and personal data from your Profile settings.

Right of Access (Art. 15): Access all data we hold about you via the data export feature.

Right to Rectification (Art. 16): Update your personal information in your Profile settings at any time.

8. Security Measures

  • Passwords hashed with bcrypt (adaptive cost factor)
  • AES-256-GCM encryption for sensitive notes (client-side, passphrase never leaves your browser)
  • Secure session tokens with 8-hour expiry and HSTS enforcement
  • Rate limiting on authentication endpoints
  • Account lockout after 5 failed login attempts (15-minute cooldown)
  • Multi-tenant data isolation with organisation-scoped access control
  • Comprehensive audit logging with IP address and user agent tracking
  • Content Security Policy (CSP) headers to prevent XSS attacks

9. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence. Where transfers occur to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards under POPIA.

10. Contact & Complaints

For privacy enquiries or to exercise your rights, contact: [email protected]

If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, the Information Regulator in South Africa).