Privacy Policy
Your privacy is fundamental to Veridex. This document explains how we handle your data.
Overview
Veridex is designed with privacy as a core principle. We believe in transparency and giving you full control over your data. This document explains what information we collect, how we use it, and your rights regarding your personal information.
Key Privacy Principles:
- Veridex never stores email content on its own servers—it is processed transiently in memory and discarded after analysis
- Basic Protection runs entirely on-device; no email content is transmitted. Smart AI Auto-Protection is opt-in (default off) in the Protect tab; when enabled, we ask you to acknowledge our Privacy Policy and Security Overview before continuing
- All deterministic phishing detection (Tier-1 hard flags, Tier-1 soft scam signals, and Tier-2 contextual signals) runs client-side inside the browser extension. Text used for pattern matching is kept in memory only and is never stored, logged, or sent except when you use manual Analyze or Smart AI Auto-Protection.
- AI-powered analysis (toolbar badge and manual Analyze) is optional; when Smart AI Auto-Protection is off, only manual "Analyze with Veridex" sends content, and only when you click it
- Email content is never used to train models
- You have full control over your data and can request deletion of telemetry at any time; you can turn off Smart AI Auto-Protection at any time in the Protect tab
- The extension's content scripts run only on Gmail and Outlook Web (mail.google.com, outlook.office.com, outlook.live.com); the only other hosts it contacts are Veridex's own backend and website domains for analysis, sign-in, and updates (see Permissions). It does not access other sites
- All extension code is bundled in the extension package—we do not load or execute any code from the internet (no remote scripts)
- When you use backend email analysis, we may record a minimal network-intelligence event for product security and abuse detection: no email subject, body, or full addresses—only derived fields such as sender and link domains, optional verdict and confidence from analysis, deterministic signal IDs, attachment file types (extensions only), and device or session identifiers already used for the request (see Network Intelligence Signals)
Email Content Handling
Veridex does not store email content. Email subject lines, body text, sender addresses, recipient addresses, links, and attachments are processed transiently in memory only. This applies to all local detection—including Tier-1 deception checks and soft scam pattern matching (e.g. payment and pickup heuristics)—which runs entirely in memory with no persistence of email text.
Email content is never:
- Written to disk
- Saved to logs or databases
- Sent to analytics or telemetry systems
- Used to train machine learning models
- Reviewed by humans
After analysis completes, email content is immediately discarded from memory. This ephemeral processing model ensures your email content remains private and is never retained by Veridex systems.
What We Collect
Information Stored Locally
Veridex stores the following information locally in your browser using Chrome's storage API:
- Relationship data: Sender email addresses and interaction counts; sender domains and interaction counts; sender-recipient pair statistics; last seen timestamps. Maximum limits: 1,000 senders, 1,000 pairs, 500 domains (oldest entries are automatically removed when limits are reached).
- Thread state: Email thread identifiers and analysis states (which emails have been analyzed).
- Metrics: Aggregated statistics (scanned count, flagged count, paused count, marked safe, reported) and scan performance metrics (started, completed, failed).
- Settings: Extension enabled/disabled state, risk thresholds (noUI, softWarning, prominentWarning), and LLM analysis preferences.
- Device token: A locally generated unique identifier (format: dev_ followed by a 128-bit cryptographically random value) used for backend authentication and analytics; generated automatically on first use.
- Protect tab: First-time setup completed flag (veridex_first_time_setup_completed), Smart AI Auto-Protection on/off (auto_scan_enabled), and, when you enable Smart AI and acknowledge policies, a consent record (ai_auto_protection_consent) with consented_at, policy_version, and extension_version; the consent record is retained even if you later turn the feature off.
- Schema version: A version number used when we update the extension so your existing data remains compatible and is never overwritten by updates.
Important: No email content (subject, body, attachments) is stored locally. Only metadata (sender addresses, domains, timestamps, counts) is stored.
Information Processed by Our Services
The extension sends email content to Veridex's backend only in these cases:
- Toolbar risk indicator: Only when you have opted in to Smart AI Auto-Protection in the extension's Protect tab (default is off). When enabled, opening an email in Gmail or Outlook Web may send a truncated copy (subject, sender, body up to a limit) to our backend to show the green/yellow/red badge. This happens only for the email you are currently viewing.
- Manual "Analyze with Veridex": When you click "Extract from Current Email" and then "Analyze with Veridex" in the popup, the extracted email content is sent to our backend for full analysis. This is always user-initiated.
Analysis requests are sent to api.veridexhq.com, while anonymized telemetry events (no email content) are sent to veridex-0mdk.onrender.com. Analysis payloads include subject, body (preprocessed/truncated as needed), sender and recipient addresses and names, email date, link domains, and device/session tokens for authentication. The backend returns risk scores, severity levels, and explanations. No raw email content is permanently stored in our backend database; it is processed in memory and discarded. Separately, we may persist a small, structured intelligence record per analysis (domains and signals only—never message text); see Network Intelligence Signals.
Rate limiting: The backend enforces rate limits per device. Toolbar-related requests stop when you turn Smart AI Auto-Protection off, sign out, or disable the extension; manual analysis is always under your control.
How We Use Data
Local Analysis
Default Mode
- Deterministic phishing detection (Tier-1 hard flags, Tier-1 soft scam signals, and Tier-2 signals) runs client-side inside the browser extension. All heuristic text is used in memory only.
- Signal extraction and risk rules execute locally on Gmail and Outlook Web only
- When Smart AI Auto-Protection is off (default), the toolbar uses local checks only—including soft scam patterns that can show a yellow (medium) badge—and no email content is sent for the badge until you enable Smart AI in the Protect tab or run manual "Analyze"
- Local-only mode (no backend for toolbar): keep Smart AI Auto-Protection off and use only manual "Analyze" when you choose, or disable the extension to send no email content to our servers
AI-Powered Analysis
Optional Feature
- Enhanced threat detection using a third-party large language model (LLM)
- Sanitized, preprocessed email data is sent via a secure backend proxy
- Veridex processes email content ephemerally in memory and does not retain it on its own servers
- If AI analysis fails or is unavailable, Veridex never defaults to "safe"; it may show a "review" state or, when deterministic soft scam patterns (e.g. payment and pickup heuristics) indicate medium risk, a yellow (medium) indicator—all without sending email content.
Use of Artificial Intelligence
When AI-powered analysis is enabled, Veridex uses a third-party large language model (LLM) accessed through a secure backend proxy to provide enhanced threat detection capabilities.
Data Handling Safeguards
- Email content sent for AI analysis is treated as untrusted data
- Veridex does not store or log email content on its own servers; it is processed in memory and discarded after analysis
- Email content is sent to third-party AI providers (OpenAI and Groq) via secure API. These providers do not use API-submitted data to train their models. Providers may retain data transiently for abuse monitoring per their standard API terms (for example, OpenAI's standard API retention is up to 30 days), after which it is deleted
- Veridex is pursuing zero-retention data processing agreements with its AI providers; this page will be updated when those agreements are in effect
Security Measures
- Strict output validation is applied to all AI responses
- Schema enforcement ensures responses conform to expected formats
- Prompt-injection defenses protect against adversarial inputs
- If AI analysis fails or times out, the system defaults to a "review" state—never to "safe"
Note: AI analysis is entirely optional. You can turn it off at any time in the extension's Protect tab, and all detection will then be performed locally using deterministic rules.
Telemetry & Analytics
Veridex collects minimal, privacy-safe telemetry to ensure product reliability, monitor performance, and track security metrics.
What Telemetry Includes
- Counters (e.g., number of analyses performed)
- Enumerated values (e.g., feature flags, error types)
- Timing metrics (e.g., analysis duration)
- Anonymized device identifiers
What Telemetry Explicitly Excludes
Telemetry never includes:
- Email content or body text
- Email subject lines
- Sender email addresses
- Recipient email addresses
- URLs or links from emails
- Attachments or attachment metadata
Backend telemetry storage uses strict field allow-lists to ensure only permitted data types are recorded. Telemetry data is retained for operational purposes and rotated on a rolling basis.
Network Intelligence Signals
When a signed-in request completes backend email analysis (for example, Smart AI Auto-Protection or manual "Analyze with Veridex"), Veridex may append a non-blocking write of aggregate security telemetry to our database. This helps us detect abuse, measure product performance, and improve protection for everyone. It is not used to reconstruct your mailbox and does not store email subjects, bodies, full sender/recipient addresses, or raw links as text.
What may be stored (per analysis event)
- Domains only: Registrable-style sender domain, reply-to domain (if present), and domains derived from links in the request—not full URLs, display names, or email addresses as a whole
- Analysis summary: High-level verdict or classification, risk level, and numeric confidence returned by analysis, plus processing duration
- Deterministic signals: Identifiers of Tier-1 / Tier-2 rules that fired (opaque IDs, not email text)
- Attachment types: File extensions only (for example pdf), not filenames or file contents
- Technical context: Email client indicator (for example Gmail vs Outlook Web), extension version, and the same device token or authenticated user identifier already associated with the request
Network intelligence records never include:
- Email subject or body text
- Full email addresses (only domains may appear, as described above)
- Raw URLs, headers, or message IDs
- Attachment contents or names (only extensions)
Domains may be aggregated into reputation-style rollups (appearance and verdict-weighted counts). Widely used consumer mailbox and infrastructure hostnames are excluded from ranked "top domain" views where we surface intelligence internally. Intelligence capture can be disabled in our environment for maintenance; it does not change how ephemeral analysis of email content works.
Access & retention
Intelligence aggregates are accessible only through authenticated, staff-controlled tooling (for example, token-protected admin endpoints). Retention follows our operational database policies. If you have questions or wish to discuss data associated with your device or account, contact us using the details in Contact Us.
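The JavaScript below is an added example written for this page, not Veridex's backend code. It shows how an analysis request and its result can be reduced to the domains-only record this section describes (and that Backend Storage summarises): sender and reply-to addresses become registrable-style domains, links become hostnames reduced the same way, attachments become extensions, and a final allow-list pass drops anything not explicitly permitted. The field names, the short public-suffix table, and the sample message are constructed assumptions.

```javascript
// Added example (not Veridex's code): derive a domains-only intelligence record from an
// analysis request and result. Field names and the sample message are illustrative.

// Allow-list of fields a stored record may carry; anything else is dropped before the write.
const INTEL_FIELDS = new Set([
  'senderDomain', 'replyToDomain', 'linkDomains', 'verdict', 'riskLevel', 'confidence',
  'durationMs', 'signalIds', 'attachmentExts', 'client', 'extensionVersion', 'deviceToken',
]);

// Stand-in for the Public Suffix List: suffixes under which the registrable name has three labels.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp', 'com.br']);

// "Registrable-style" reduction: login.evil-example.com -> evil-example.com,
// payroll.example.co.uk -> example.co.uk. Single-label hosts yield null.
function registrableDomain(host) {
  const labels = String(host).toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length < 2) return null;
  const keep = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.length < keep ? null : labels.slice(-keep).join('.');
}

// Strip any display name, then keep only the domain part of the address.
function domainOfAddress(addr) {
  if (typeof addr !== 'string') return null;
  const m = addr.match(/<([^>]+)>/);
  const bare = (m ? m[1] : addr).trim();
  const at = bare.lastIndexOf('@');
  return at < 0 ? null : registrableDomain(bare.slice(at + 1));
}

// Keep the host of a link only; path and query (which may carry tokens or names) are discarded.
function domainOfUrl(url) {
  try { return registrableDomain(new URL(url).hostname); } catch { return null; }
}

// Extension only, lowercased; names without an extension contribute nothing.
function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const i = base.lastIndexOf('.');
  return (i <= 0 || i === base.length - 1) ? null : base.slice(i + 1).toLowerCase();
}

const uniqSorted = xs => [...new Set(xs.filter(Boolean))].sort();

function buildIntelRecord(request, result) {
  const record = {
    senderDomain: domainOfAddress(request.from),
    replyToDomain: domainOfAddress(request.replyTo),
    linkDomains: uniqSorted((request.links || []).map(domainOfUrl)),
    verdict: result.verdict,
    riskLevel: result.riskLevel,
    confidence: result.confidence,
    durationMs: result.durationMs,
    signalIds: [...(result.signalIds || [])].sort(),     // opaque rule IDs, not text
    attachmentExts: uniqSorted((request.attachments || []).map(extensionOf)),
    client: request.client,
    extensionVersion: request.extensionVersion,
    deviceToken: request.deviceToken,
  };
  // Final allow-list pass: unknown or empty fields never reach storage.
  return Object.fromEntries(
    Object.entries(record).filter(([k, v]) => INTEL_FIELDS.has(k) && v != null));
}

// Pre-write guard: a record that still contains an '@' or a URL scheme has leaked
// an address or raw link and must be rejected rather than stored.
function containsAddressOrUrl(record) {
  const json = JSON.stringify(record);
  return /@/.test(json) || /https?:\/\//i.test(json);
}

// Constructed sample request and result (not a real message).
const SAMPLE_REQUEST = {
  from: 'Payroll Team <hr@payroll-update.example.co.uk>',
  replyTo: 'collect@mail.evil-example.com',
  subject: 'Action required: confirm your direct deposit',
  body: 'Please confirm at the link below before 5pm.',
  links: ['https://login.evil-example.com/verify?u=alice', 'https://docs.example.org/faq'],
  attachments: ['Invoice_0421.PDF', 'README'],
  client: 'gmail',
  extensionVersion: '1.4.0',
  deviceToken: 'dev_0123456789abcdef0123456789abcdef',
};
const SAMPLE_RESULT = { verdict: 'phishing', riskLevel: 'high', confidence: 0.93,
  durationMs: 412, signalIds: ['T2_URGENCY', 'T1_REPLYTO_MISMATCH'] };
```

Two design points carry the privacy property: the record is built only from fields named in the allow-list (subject and body are present in the request but have no path into the record), and the write is refused if any value still looks like an address or a URL, so a future change that accidentally passes a raw link through fails closed instead of being stored.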
Data Storage
Local Storage (Browser)
The browser extension stores only: relationship data (senders, domains, pairs—with LRU eviction at 1,000 / 1,000 / 500 limits), thread state, metrics (scanned, flagged, paused, etc.), settings, and device token.
Local data remains until you uninstall the extension, clear browser data, reset statistics via the popup, or manually clear Chrome's extension storage. No email content is ever stored locally. When you update the extension, we use a versioned storage schema so your settings and data are preserved and only missing defaults are added—we do not overwrite or delete your existing data on update.
Backend Storage
Our backend stores: device tokens and installation timestamps; aggregated analytics (total requests, emails analyzed, emails flagged per device); analysis results (risk scores, attack type categorizations, timestamps); and threat-intelligence metadata derived from analyzed emails (sender domain, reply-to domain, linked domains, attachment file types, and detection signal identifiers). This threat-intelligence metadata never includes full email addresses, subject lines, or message body content. Backend data retention is managed by Veridex.
No raw email content is permanently stored. Email content is processed transiently in memory and immediately discarded—it is never written to disk, logs, or databases.
Security
Encryption
All data transmission uses industry-standard HTTPS encryption. Local data is protected by your browser profile's security features; anyone with access to your browser profile can read it with the same storage inspector described under Access, which is why only metadata, never email content, is kept there.
Anonymization
Device identifiers are randomly generated and contain no personal information. They act as a pseudonymous per-installation identifier: they link requests and telemetry from the same installation, but on their own they cannot identify you personally.
Access Control
Only you have access to data stored locally on your device. Backend data is protected by authentication: API requests are authenticated with your device token, and intelligence aggregates are reachable only through token-protected, staff-controlled tooling.
Best Practices
We follow security best practices and regularly update our systems to protect your data.
Your Rights
Export
You can export your statistics at any time via the extension popup.
Reset
You can reset all statistics and relationship history via the extension popup.
Disable & Delete
You can disable the extension without losing data. Uninstalling the extension removes all local data; it does not delete backend records associated with your device token, which you can request under Delete Telemetry below.
Opt-Out of Smart AI Auto-Protection
You can turn off Smart AI Auto-Protection in the extension's Protect tab at any time; the toolbar will then use local checks only, and no email content will be sent for the badge. Manual "Analyze" remains user-initiated only.
Access
You can view all locally stored data via Chrome's extension storage inspector.
Delete Telemetry
You may request deletion of telemetry associated with your device token by contacting us at the email below.
Permissions
Veridex requires the following browser permissions:
- storage: To store relationship data, metrics, and settings locally
- activeTab: To access the currently open tab only when you click "Extract from Current Email" or "Analyze" on Gmail or Outlook Web
- alarms: For optional metrics aggregation scheduling
- scripting: To run extraction logic in the active tab only when you click "Extract from Current Email" or "Analyze"; not used for automatic injection on other sites
- tabs: To get the active tab when you use "Extract" or "Analyze," to open sign-in and support links, and to clear the toolbar badge when you close a tab
- Host permissions: Only mail.google.com, outlook.office.com, and outlook.live.com (Gmail and Outlook Web); plus Veridex backend and website domains (api.veridexhq.com, veridex-0mdk.onrender.com, veridexhq.com) for analysis, sign-in, and updates. The extension does not access any other websites.
Third-Party Services
Service Providers
Veridex uses the following third-party service providers:
- Hosting Provider: Render.com (or equivalent infrastructure provider) hosts our backend services
- AI Providers: Groq provides fast classification for the real-time toolbar indicator (Smart AI Auto-Protection); OpenAI provides deeper analysis for the manual "Analyze with Veridex" feature. Both receive email content only when the relevant feature is active, via our secure backend proxy.
Important: Veridex does not store email content on its own servers. Third-party AI providers may retain API-submitted content transiently for abuse monitoring under their standard API terms, then delete it.
AI Provider Policies
When you enable optional AI-powered analysis:
- Email content is processed by third-party AI providers (OpenAI and Groq) through our secure backend proxy
- These providers do not use API-submitted data to train their models
- Email content may be retained transiently by providers for abuse monitoring per their standard API terms, then deleted; Veridex does not retain email content on its own servers
AI Provider Privacy Policies: When using AI analysis features, data may be processed by OpenAI (openai.com/policies/privacy-policy) and/or Groq (groq.com/privacy-policy). The toolbar indicator uses Groq; manual Analyze uses OpenAI.
Children's Privacy
Veridex is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately.
Policy Updates
We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by updating the "Last Updated" date at the top of this page. We encourage you to review this policy periodically to stay informed about how we protect your information.
Contact Us
If you have any questions, concerns, or requests regarding this privacy policy or our data practices—including requests to delete telemetry data associated with your device token—please contact us:
Privacy Inquiries: support@veridexhq.com
We are committed to addressing your privacy concerns and will respond to inquiries in a timely manner.
Last Updated: May 2026