VerefVeref

Legal

Privacy Notice

Last updated April 2026

This Privacy Notice explains how Veref Ltd (“Veref”, “we”, “us”) collects, uses, and protects personal data when you use veref.work or the Veref platform. It applies to candidates, referees, employer users, and anyone else who interacts with our services.

Who we are

Veref Ltd is registered in England and Wales and headquartered in London. We act as a data controller for personal data collected directly through veref.work and as a data processor for personal data processed on behalf of our enterprise customers.

What we collect

  • Identity data: government ID images, selfie liveness captures, biometric templates derived from those images.
  • Interview data: audio and video streams, transcripts, device and browser fingerprints, integrity signals generated during a session.
  • Reference data: referee identity, employer record cross-matches, structured questionnaire responses.
  • Account data: name, email, organisation, role, and audit logs of your activity in the product.
  • Usage data: IP address, user agent, pages viewed, referrer, and similar telemetry.

Why we process personal data

  • To verify the identity of candidates and referees at the explicit request of an employer.
  • To detect interview fraud including deepfakes, voice clones, and AI co-pilots.
  • To produce an auditable record of the hiring workflow for our customer.
  • To operate, maintain, and improve the Veref product.
  • To meet our legal obligations, including GDPR, UK GDPR, and the EU AI Act.

Legal basis

For candidates and referees, the primary legal basis is explicit consent captured at the point of verification. For employer users, the legal basis is the contract between Veref and the employer. Biometric data is only processed with explicit consent and is never used to train third-party models.

How long we keep data

Retention varies by data type. Candidate identity data is retained for the duration of the candidate’s Veref Passport, subject to the candidate’s right to export or delete at any time. Interview session data is retained according to the employer’s configured retention window, typically 12 months.

Your rights

  • Right to access a copy of the personal data we hold about you.
  • Right to rectification of inaccurate personal data.
  • Right to erasure of your Veref Passport and all associated records.
  • Right to restrict or object to certain processing.
  • Right to data portability in a machine-readable format.
  • Right to lodge a complaint with the Information Commissioner’s Office in the UK or your local EU supervisory authority.

Subprocessors and transfers

A current list of Veref’s subprocessors is published at veref.work/subprocessors. International transfers are governed by Standard Contractual Clauses and supplementary measures where required.

Security

SOC 2 Type II audit and ISO 27001 certification are planned on our compliance roadmap; timelines are shared on request. Today, biometric templates are encrypted at rest, all traffic is encrypted in transit, and access is governed by role-based controls and MFA.

Contact

To exercise any of your rights, contact privacy@veref.work. Our Data Protection Officer can be reached at the same address.

Questions?

Email legal@veref.work and a member of our team will respond within one business day.

Or book a call