Privacy Policy

Your privacy is fundamental to Veridex. This document explains how we handle your data.

Last Updated: February 2026

Applies to: Veridex extension v1.9.1.0 and later

Overview

Veridex is designed with privacy as a core principle. We believe in transparency and giving you full control over your data. This document explains what information we collect, how we use it, and your rights regarding your personal information.

Key Privacy Principles:

  • Email content is never stored—it is processed transiently in memory and immediately discarded after analysis
  • Basic Protection runs entirely on-device; no email content is transmitted. Smart AI Auto-Protection is opt-in (default off) in the Protect tab; when enabled, we ask you to acknowledge our Privacy Policy and Security Overview before continuing
  • All deterministic phishing detection (Tier-1 hard flags, Tier-1 soft scam signals, and Tier-2 contextual signals) runs client-side inside the browser extension. Text used for pattern matching is kept in memory only and is never stored, logged, or sent except when you use manual Analyze or Smart AI Auto-Protection.
  • AI-powered analysis (toolbar badge and manual Analyze) is optional; when Smart AI Auto-Protection is off, only manual "Analyze with Veridex" sends content, and only when you click it
  • Email content is never used to train models
  • You have full control over your data and can request deletion of telemetry at any time; you can turn off Smart AI Auto-Protection at any time in the Protect tab
  • The extension runs only on Gmail and Outlook Web (mail.google.com, outlook.office.com, outlook.live.com); it does not access other sites
  • All extension code is bundled in the extension package—we do not load or execute any code from the internet (no remote scripts)

Email Content Handling

Veridex does not store email content. Email subject lines, body text, sender addresses, recipient addresses, links, and attachments are processed transiently in memory only. This applies to all local detection—including Tier-1 deception checks and soft scam pattern matching (e.g. payment and pickup heuristics)—which runs entirely in memory with no persistence of email text.

Email content is never:

  • Written to disk
  • Saved to logs or databases
  • Sent to analytics or telemetry systems
  • Used to train machine learning models
  • Reviewed by humans

After analysis completes, email content is immediately discarded from memory. This ephemeral processing model ensures your email content remains private and is never retained by Veridex systems.

What We Collect

Information Stored Locally

Veridex stores the following information locally in your browser using Chrome's storage API:

  • Relationship data: Sender email addresses and interaction counts; sender domains and interaction counts; sender-recipient pair statistics; last seen timestamps. Maximum limits: 1,000 senders, 1,000 pairs, 500 domains (oldest entries are automatically removed when limits are reached).
  • Thread state: Email thread identifiers and analysis states (which emails have been analyzed).
  • Metrics: Aggregated statistics (scanned count, flagged count, paused count, marked safe, reported) and scan performance metrics (started, completed, failed).
  • Settings: Extension enabled/disabled state, risk thresholds (noUI, softWarning, prominentWarning), and LLM analysis preferences.
  • Device token: A locally generated unique identifier (format: dev_[timestamp]_[random]) used for backend authentication and analytics; generated automatically on first use.
  • Protect tab: First-time setup completed flag (veridex_first_time_setup_completed), Smart AI Auto-Protection on/off (auto_scan_enabled), and—when you enable Smart AI and acknowledge policies—a consent record (ai_auto_protection_consent) with consented_at, policy_version, and extension_version; the consent record is retained even if you later turn the feature off.
  • Schema version: A version number used when we update the extension so your existing data remains compatible and is never overwritten by updates.

Important: No email content (subject, body, attachments) is stored locally. Only metadata (sender addresses, domains, timestamps, counts) is stored.

Information Processed by Our Services

The extension sends email content to Veridex's backend only in these cases:

  • Toolbar risk indicator: Only when you have opted in to Smart AI Auto-Protection in the extension's Protect tab (default is off). When enabled, opening an email in Gmail or Outlook Web may send a truncated copy (subject, sender, body up to a limit) to our backend to show the green/yellow/red badge. This happens only for the email you are currently viewing.
  • Manual "Analyze with Veridex": When you click "Extract from Current Email" and then "Analyze with Veridex" in the popup, the extracted email content is sent to our backend for full analysis. This is always user-initiated.

Data transmitted to our backend (api.veridexhq.com / veridex-0mdk.onrender.com) includes: subject, body (preprocessed/truncated as needed), sender and recipient addresses and names, email date, link domains, and device/session tokens for authentication. The backend returns risk scores, severity levels, and explanations. No raw email content is permanently stored in our backend database; it is processed in memory and discarded.

Rate limiting: The backend enforces rate limits per device. You can sign out or disable the extension to stop toolbar-related requests; manual analysis is always under your control.

How We Use Data

Local Analysis

Default Mode

  • Deterministic phishing detection (Tier-1 hard flags, Tier-1 soft scam signals, and Tier-2 signals) runs client-side inside the browser extension. All heuristic text is used in memory only.
  • Signal extraction and risk rules execute locally on Gmail and Outlook Web only
  • When Smart AI Auto-Protection is off (default), the toolbar uses local checks only—including soft scam patterns that can show a yellow (medium) badge—and no email content is sent for the badge until you enable Smart AI in the Protect tab or run manual "Analyze"
  • Local-only mode (no backend for toolbar): keep Smart AI Auto-Protection off and use only manual "Analyze" when you choose, or disable the extension to send no email content to our servers

AI-Powered Analysis

Optional Feature

  • Enhanced threat detection using a third-party large language model (LLM)
  • Sanitized, preprocessed email data is sent via a secure backend proxy
  • Email content is processed ephemerally and never retained
  • If AI analysis fails or is unavailable, Veridex never defaults to "safe"; it may show a "review" state or, when deterministic soft scam patterns (e.g. payment and pickup heuristics) indicate medium risk, a yellow (medium) indicator—all without sending email content.

Use of Artificial Intelligence

When AI-powered analysis is enabled, Veridex uses a third-party large language model (LLM) accessed through a secure backend proxy to provide enhanced threat detection capabilities.

Data Handling Safeguards

  • Email content sent for AI analysis is treated as untrusted data
  • All processing is ephemeral—email content is never stored, logged, or retained
  • The AI provider is contractually prohibited from storing, learning from, or retaining submitted content
  • Email content is never used to train AI models

Security Measures

  • Strict output validation is applied to all AI responses
  • Schema enforcement ensures responses conform to expected formats
  • Prompt-injection defenses protect against adversarial inputs
  • If AI analysis fails or times out, the system defaults to a "review" state—never to "safe"

Note: AI analysis is entirely optional. You can disable it at any time in the extension settings, and all detection will be performed locally using deterministic rules.

Telemetry & Analytics

Veridex collects minimal, privacy-safe telemetry to ensure product reliability, monitor performance, and track security metrics.

What Telemetry Includes

  • Counters (e.g., number of analyses performed)
  • Enumerated values (e.g., feature flags, error types)
  • Timing metrics (e.g., analysis duration)
  • Anonymized device identifiers

What Telemetry Explicitly Excludes

Telemetry never includes:

  • Email content or body text
  • Email subject lines
  • Sender email addresses
  • Recipient email addresses
  • URLs or links from emails
  • Attachments or attachment metadata

Backend telemetry storage uses strict field allow-lists to ensure only permitted data types are recorded. Telemetry data is retained for operational purposes and rotated on a rolling basis.
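The field allow-list described above, as an added example written for this page (not Veridex's own code): every field not explicitly permitted, or not of its expected type, is dropped before the event is recorded, and only the names of rejected fields are reported so their values can never leak into logs. The field names, enumerated values, device-id pattern and sample event are assumptions made for illustration.

```javascript
// Added example, not Veridex's own code: a strict field allow-list applied to a
// telemetry event before storage. Only counters, enumerated values, timings and
// an anonymized device id survive; everything else is discarded.
const ALLOWED_ERROR_TYPES = new Set(["timeout", "rate_limited", "schema_invalid"]);
const ALLOWED_FEATURES = new Set(["basic", "ai_auto_protection", "manual_analyze"]);

function isCounter(v) {
  return Number.isInteger(v) && v >= 0; // counters are non-negative integers
}

// Each permitted field maps to a validator; any field absent from this table is
// rejected regardless of its value. Field names and the dev_<ts>_<random>
// pattern are assumptions for this example.
const TELEMETRY_ALLOW_LIST = {
  device_id: (v) => typeof v === "string" && /^dev_\d+_[A-Za-z0-9]+$/.test(v),
  analyses_performed: isCounter,
  analyses_failed: isCounter,
  feature: (v) => ALLOWED_FEATURES.has(v),
  error_type: (v) => ALLOWED_ERROR_TYPES.has(v),
  analysis_duration_ms: (v) => Number.isFinite(v) && v >= 0,
};

// Returns the record safe to store plus the names (never the values) of the
// rejected fields, so an unexpected field can be flagged without leaking content.
function sanitizeTelemetry(event) {
  const record = {};
  const dropped = [];
  for (const [field, value] of Object.entries(event)) {
    const validator = TELEMETRY_ALLOW_LIST[field];
    if (validator && validator(value)) {
      record[field] = value;
    } else {
      dropped.push(field);
    }
  }
  return { record, dropped };
}

// Constructed sample event: a buggy client attached email fields and a free-text
// error string alongside the legitimate counters and timing.
const SAMPLE_EVENT = {
  device_id: "dev_1700000000000_k3j9x2",
  analyses_performed: 12,
  analysis_duration_ms: 843,
  feature: "manual_analyze",
  error_type: "TypeError at analyze()",          // free text, not an enumerated value
  subject: "Invoice overdue - action required",   // email content: must never be stored
  sender: "billing@example.invalid",              // sender address: must never be stored
};

const SANITIZED = sanitizeTelemetry(SAMPLE_EVENT);
```

`SANITIZED.record` keeps only `device_id`, `analyses_performed`, `analysis_duration_ms` and `feature`; `SANITIZED.dropped` lists `error_type`, `subject` and `sender` by name only.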

Data Storage

Local Storage (Browser)

The browser extension stores only: relationship data (senders, domains, pairs—with LRU eviction at 1,000 / 1,000 / 500 limits), thread state, metrics (scanned, flagged, paused, etc.), settings, and device token.

Local data remains until you uninstall the extension, clear browser data, reset statistics via the popup, or manually clear Chrome's extension storage. No email content is ever stored locally. When you update the extension, we use a versioned storage schema so your settings and data are preserved and only missing defaults are added—we do not overwrite or delete your existing data on update.

Backend Storage

Our backend stores: device tokens and installation timestamps; aggregated analytics (total requests, emails analyzed, emails flagged per device); and analysis results (risk scores, attack type categorizations, timestamps). Backend data retention is managed by Veridex.

No raw email content is permanently stored. Email content is processed transiently in memory and immediately discarded—it is never written to disk, logs, or databases.

Security

Encryption

All data transmission uses industry-standard HTTPS encryption. Local data is protected by your browser's security features.

Anonymization

Device identifiers are randomly generated and cannot be used to identify you personally.

Access Control

Only you have access to data stored locally on your device. Cloud data is protected by authentication measures.

Best Practices

We follow security best practices and regularly update our systems to protect your data.

Your Rights

Export

You can export your statistics at any time via the extension popup.

Reset

You can reset all statistics and relationship history via the extension popup.

Disable & Delete

You can disable the extension without losing data. Uninstalling the extension removes all local data.

Opt-Out of Smart AI Auto-Protection

You can turn off Smart AI Auto-Protection in the extension's Protect tab at any time; the toolbar will then use local checks only, and no email content will be sent for the badge. Manual "Analyze" remains user-initiated only.

Access

You can view all locally stored data via Chrome's extension storage inspector.

Delete Telemetry

You may request deletion of telemetry associated with your device token by contacting us at the email below.

Permissions

Veridex requires the following browser permissions:

  • storage: To store relationship data, metrics, and settings locally
  • activeTab: To access the currently open tab only when you click "Extract from Current Email" or "Analyze" on Gmail or Outlook Web
  • alarms: For optional metrics aggregation scheduling
  • scripting: To run extraction logic in the active tab only when you click "Extract from Current Email" or "Analyze"; not used for automatic injection on other sites
  • tabs: To get the active tab when you use "Extract" or "Analyze," to open sign-in and support links, and to clear the toolbar badge when you close a tab
  • Host permissions: Only mail.google.com, outlook.office.com, and outlook.live.com (Gmail and Outlook Web); plus Veridex backend and website domains (api.veridexhq.com, veridex-0mdk.onrender.com, veridexhq.com) for analysis, sign-in, and updates. The extension does not access any other websites.

Third-Party Services

Service Providers

Veridex uses the following third-party service providers:

  • Hosting Provider: Render.com (or equivalent infrastructure provider) hosts our backend services
  • AI Provider: OpenAI (or equivalent LLM provider) provides AI analysis capabilities when enabled

Important: No third-party provider receives stored email content. Email content is processed ephemerally and never persisted by any service provider.

AI Provider Policies

When you enable optional AI-powered analysis:

  • Email content is processed by the AI provider through our secure backend proxy
  • The AI provider is contractually prohibited from storing, learning from, or retaining submitted content
  • Email content is never used to train AI models

OpenAI Privacy Policy: When using AI analysis features, data may be processed by OpenAI. You can review their privacy policy at openai.com/policies/privacy-policy

Children's Privacy

Veridex is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately.

Policy Updates

We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by updating the "Last Updated" date at the top of this page. We encourage you to review this policy periodically to stay informed about how we protect your information.

Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices—including requests to delete telemetry data associated with your device token—please contact us:

Privacy Inquiries: support@veridexhq.com

We are committed to addressing your privacy concerns and will respond to inquiries in a timely manner.
