Privacy Policy

Last updated: 2026-05-11

VerAuth, Inc. (“VerAuth,” “we,” “our,” or “us”) operates verauth.net and the related estate document vault service. This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have. It applies to your use of the Service as a member, an authorized accessor (such as a designated attorney, executor, or family member), or an institutional verifier.

1. Information We Collect

  • Account information. Email address, name, phone number, and optionally date of birth and basic profile details you provide.
  • Uploaded documents. The estate documents you choose to vault (wills, trusts, powers of attorney, advance directives, and similar instruments) and metadata you supply about them.
  • Identity verification data. When identity verification is required, we send the data needed to complete verification to our verification provider (Persona). Raw images of identity documents are processed by Persona; VerAuth retains the verification result and audit metadata, not raw ID images on our servers.
  • Payment information. Card data is tokenized by our payment processor (NMI). VerAuth does not store raw card numbers, expiration dates outside of the tokenized record, or CVV codes.
  • Audit logs. Records of significant events on your account — for example, document uploads, Authority Contract signatures, access grants, and institutional verification events — so that you and your authorized parties have a tamper-evident history.
  • Technical data. Standard request logs (IP address, user agent, timestamps) needed to operate, debug, and secure the Service.

2. How We Use Information

  • To provide and operate the Service for you.
  • To verify identity at the points where the Service requires it.
  • To process payments and manage subscriptions and one-time purchases.
  • To prevent fraud, abuse, and security incidents.
  • To comply with applicable law and lawful process.
  • To communicate with you about your account and material changes to the Service.

3. How We Share Information

We do not sell your personal information. We share information only with the service providers and parties needed to deliver the Service:

  • NMI — payment processing.
  • Persona — identity verification.
  • Auth0 (by Okta) — authentication and session management.
  • Amazon Web Services — hosting, S3 object storage, and KMS key management (us-west-2 region).
  • Supabase — managed PostgreSQL database.
  • Polygon network — public blockchain attestation of document hashes only. We never publish your documents or personal information to the blockchain — only a cryptographic fingerprint.
  • Anthropic — optional AI assistance for features such as the obituary writer in the Final Arrangements package. Used only when you invoke the feature.

We also share information with the parties you designate — for example, executors, attorneys, or family members — under the access conditions you set. We may disclose information when required by law or to protect the rights, property, or safety of VerAuth, our members, or the public.

4. Security

We use industry-standard practices to protect your information:

  • Encryption at rest. Documents are encrypted with AES-256 in S3, with keys managed by AWS KMS.
  • Encryption in transit. All traffic is protected with TLS 1.2 or higher.
  • Access controls. Administrative access to production systems is restricted, and production access is logged.
  • Tamper-evident document attestation. Document hashes are published to a public blockchain so that a later modification of a vaulted document is detectable.
  • Authentication. Account authentication is handled by Auth0 with support for multi-factor authentication.

No system is perfectly secure. If we discover a security incident that affects your data, we will notify you in accordance with applicable law.

5. Data Location and Retention

Your data is hosted in the United States. We retain account information and documents for as long as your account is active and for the period thereafter described in our retention schedule, which is calibrated to legal, accounting, and audit requirements. After account closure, you may request deletion as described below.

6. Your Rights

Depending on where you live, you may have the following rights regarding your information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to correct inaccurate information.
  • Deletion. Request that we delete your account and the associated documents. We honor deletion requests with a 30-day grace period so that you can cancel the request if it was sent in error or so that designated accessors can be notified.
  • Portability. Download the documents you have vaulted in their original formats.

To exercise these rights, email privacy@verauth.net.

7. Cookies and Sessions

We use only the cookies needed to operate the Service, primarily for authentication and session management via Auth0. We do not use third-party advertising cookies on the authenticated portions of the Service.

8. Children

The Service is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact privacy@verauth.net.

9. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide notice by email or by posting a notice on the Service.

10. Contact

Questions or concerns about privacy can be sent to privacy@verauth.net. For account support, email support@verauth.net. For mailing addresses and additional contacts, see our Contact page.