This Privacy Policy explains how Virtual Glow Ltd (Company No. 14428785), with its registered office at 167–169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF (“Veryfo,” “we,” “us,” or “our”) collects, uses, stores, and protects personal and sensitive data when you use our website and related verification services.

We are fully committed to handling your personal data lawfully, transparently, and securely in accordance with the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and, where applicable, the EU GDPR.

1. Who We Are

This Policy applies to Veryfo, a verification platform operated by Virtual Glow Ltd. It covers all data collected from users and customers in connection with:

• Website visits
• Account registration
• Token purchases
• Use of our verification services
• Global Payment Testing services, including manual and semi-manual payment flow testing

We are the data controller responsible for your personal data, unless otherwise stated.

2. Information We Collect

We may collect personal data you voluntarily provide when you:

a. Personal Information You Provide

This includes data you voluntarily submit when you:

• Register for an account.
• Purchase token packages.
• Submit support or contact requests
• Communicate with us by email or other channels

This may include:

• Full name
• Email address
• Company details (if applicable)
• Contact details
• Billing or invoice information

b. Log Data and Usage Information

We automatically collect certain information when you use our website or services:

• IP address
• Browser type and version
• Operating system
• Referring URLs
• Pages visited and actions taken
• Time and date of access

c. Service-Related Testing Data When you request Global Payment Testing services, we may process limited technical and transactional data provided by you or generated during testing. This may include payment method identifiers, test credentials, transaction references, screenshots, logs, and related technical information strictly necessary to perform the requested test and prepare a test report. This information is used for analytics, diagnostics, security monitoring, and service improvements.

3. Payment and Transaction Processing

We partner with reputable third-party payment processors to securely handle all financial transactions.

• We do not store or have access to your full payment details (e.g. credit card numbers).
• Payments are processed in accordance with Strong Customer Authentication (SCA) and PSD2 compliance.
• These third-party providers process your data according to their own privacy and security standards.

4. Use of Information

We use personal and service-related data for the following purposes:

• To provide and operate our verification services
• To register and manage your account
• To deliver purchased token packages
• To respond to inquiries and provide customer support.
• To send essential service-related notifications (e.g., technical alerts, billing notices)
• To detect, investigate, and prevent fraud, abuse, or security issues
• To analyze service usage and improve functionality
• To fulfill legal and regulatory obligations
• To perform Global Payment Testing services and generate detailed testing reports requested by users

We do not use your data for profiling, targeted advertising, or marketing without your explicit consent.

5. Handling of Verification Data

As part of our verification services (e.g, IBAN, IP address, phone number, ID), users may submit sensitive or identifying data. We take the following measures: This section applies specifically to automated verification services. Data processed in connection with Global Payment Testing is handled in accordance with Sections 2, 4, and 10 of this Policy and is retained only as long as necessary to complete the test and deliver the report.

• Data submitted for verification is processed solely for the purpose of fulfilling that specific request.
• We do not store IBANs, phone numbers, IP addresses, or identification documents after the verification process completes.
• We do not resell, reuse, share, or process verification data for marketing, analytics, or any unrelated purpose.
• All processing is conducted in a secure and isolated manner, using appropriate technical and organizational safeguards.

6. Legal Basis for Processing

We only process your personal data when legally permitted. Our legal bases include:

• Contractual necessity: To fulfill token purchases and provide requested services
• Legitimate interests: For security, fraud prevention, service analytics, and customer support
• Consent: When you opt in to communications or voluntarily provide data
• Legal obligations: When required to comply with applicable laws and regulations

7. Data Sharing and Disclosure

We do not sell or rent your personal data.

We may share your data with:

• Service providers and processors who support our operations (e.g., cloud infrastructure, payment gateways)
• Regulators or authorities, where required by law, subpoena, or court order
• Legal representatives, auditors, or consultants when necessary to protect our legal rights or safety

All third parties are bound by contractual obligations to maintain confidentiality and handle your data in compliance with applicable law.

8. International Data Transfers

In some cases, your personal data may be processed in countries outside the United Kingdom or European Economic Area (EEA).

Where applicable, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by relevant data protection authorities
• Other lawful transfer mechanisms

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, or alteration.

These may include:

• End-to-end encryption
• Secure server environments
• Access control and authentication mechanisms
• Routine data access audits

While no system is entirely immune to risk, we continuously monitor and update our security protocols to safeguard user data. For Global Payment Testing, access to service-related data is restricted to authorized personnel and limited to what is necessary to perform the requested test.

10. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by law, including:

• Account information - retained as long as your account remains active
• Transaction records - retained for accounting, tax, and compliance purposes
• Support communications - retained for quality assurance and audit trails

Verification inputs (such as IBANs, IPs, or documents) are not stored once the verification result has been delivered. Data submitted or generated in connection with Global Payment Testing, including test credentials and reports, is retained only for as long as necessary to complete the service, deliver the report, and address follow-up inquiries, after which it is securely deleted or anonymized unless longer retention is required by law.

11. Your Data Rights

Under the UK GDPR and, where applicable, the EU GDPR, you have the right to:

• Access the personal data we hold about you
• Request rectification of inaccurate or incomplete data
• Request deletion of your data in certain circumstances
• Restrict or object to specific data processing activities
• Receive your data in a portable format (where applicable)
• Withdraw consent where processing is based on consent
• Lodge a complaint with the Information Commissioner’s Office (ICO) or your local supervisory authority

To exercise your rights, please contact us at support@veryfo.com. We will respond in accordance with applicable legal requirements and within the statutory timeframes.