Privacy Policy
Last updated: January 2025
Vericoo is committed to protecting your privacy. This policy explains what data we collect, how we use it, and the choices you have.
1. Who we are
Vericoo operates a digital identity card platform that allows individuals and organisations to create, manage, and share QR-coded identity cards. When we refer to "we", "us", or "our", we mean Vericoo and its operators.
If you have questions about this policy or your personal data, contact us at privacy@coral-app-rwvli.ondigitalocean.app.
2. Data we collect
Account information: When you create an account, we collect your name, email address, and a hashed password. We never store your password in plain text.
Card data: Information you voluntarily enter onto your identity cards — such as medical details, emergency contacts, employment information, or vehicle details. You control exactly what is stored and what is publicly visible via your QR code.
Scan notifications: When your QR code is scanned, we log the date, time, approximate location (derived from IP address), and device type. This is used to power your scan history dashboard. We do not identify scanners — scans are anonymous.
Organisation data: If your employer or institution issues you a card, they may pre-fill certain fields. Your organisation admin can see scan history for cards they issued.
Technical data: Standard web server logs including IP address, browser type, and pages accessed. We use this for security and performance monitoring only.
3. How we use your data
We use your data solely to provide and improve the Vericoo service:
- To render your identity cards when a QR code is scanned
- To send you scan notifications (if enabled)
- To allow you to log in and manage your cards
- To allow your organisation to manage cards they have issued to you
- To maintain security, prevent abuse, and debug issues
We do not sell your data to third parties. We do not use your data for advertising. We do not use your card contents for AI training.
4. Who can see your card data
Your card data visibility is controlled by you:
- Public fields: Anyone who scans your QR code can see fields you have marked as visible. No login is required to scan a card.
- Hidden fields: Fields you mark as hidden are never shown during a scan. They remain stored in encrypted form.
- Organisation admins: If your card was issued by an organisation, that organisation's administrators can view the card data for cards they issued.
- Platform administrators: Vericoo staff can access data only when required for security incidents, legal obligations, or at your request.
5. Data storage and security
Your data is stored in encrypted databases hosted on reputable cloud infrastructure with physical security, access controls, and regular security audits.
Passwords are hashed using bcrypt with a work factor of 12. Card data is stored in encrypted columns. Database backups are encrypted at rest.
While we take significant steps to protect your data, no system is completely secure. We will notify you promptly in the event of a data breach that affects your personal information.
6. Data retention
We retain your account and card data for as long as your account is active. When you delete a card, it is soft-deleted and removed from public access immediately. Hard deletion occurs within 30 days.
When you deactivate your account, your data is retained for 90 days to allow you to reactivate. After that, all personal data is permanently deleted except where required by law.
Scan logs are retained for 24 months and then automatically purged.
7. Cookies and tracking
We use a minimal number of cookies strictly necessary for the service to function:
- Session cookie: Used to keep you logged in. Expires when you close your browser or log out.
- CSRF token: Used to protect form submissions from cross-site request forgery attacks.
We do not use advertising cookies, tracking pixels, or third-party analytics scripts.
8. Third-party services
We use the following third-party services to operate the platform:
- Cloud database provider: Stores your encrypted data. Subject to their privacy policy.
- File storage (Azure Blob Storage): Stores uploaded images (logos, profile photos). Files are served over HTTPS.
- Email delivery: Used to send invite emails and password reset links. Email addresses are shared only as necessary to deliver these messages.
We do not share your data with any other third parties.
9. Your rights
You have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you
- Correction: Correct any inaccurate data (you can do this directly in your dashboard)
- Deletion: Request deletion of your account and all associated data
- Portability: Request your card data in a machine-readable format
- Objection: Object to specific processing of your data
To exercise any of these rights, email us at privacy@coral-app-rwvli.ondigitalocean.app. We will respond within 30 days.
10. Children's privacy
Vericoo is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has submitted data without parental consent, please contact us immediately.
Child safety cards (for parents or guardians) are issued by adults on behalf of children. The adult account holder is responsible for the accuracy and appropriateness of the data entered.
11. Changes to this policy
We may update this policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The current version is always available at this URL.
© 2026 Vericoo