Verso

Privacy Policy

Last updated: June 19, 2026 · Effective immediately
Plain English summary: We collect the data you give us (email, brand info, prompts) plus standard usage data. We use it to run the Service, bill you, and improve Verso. We share data with the providers we use (Stripe, Clerk, Anthropic, Google, Render, Resend) — nobody else. We don't sell your data. You have GDPR rights to access, correct, or delete your data — email us. We keep data only as long as we need to.

1. Who's the data controller

For purposes of the EU General Data Protection Regulation ("GDPR") and similar laws, the data controller is:

Scalesys SRL
[REGISTERED ADDRESS PLACEHOLDER]
Romania
Email: info@useverso.io

We don't currently have a Data Protection Officer (we're not required to have one under Article 37 GDPR given our size and activities), but you can reach us with any privacy concerns at the email above.

2. What data we collect

2.1 Account data

  • Email address (collected via Clerk during signup)
  • Display name (if you provide one)
  • Authentication identifiers from Clerk

2.2 Customer Content

  • Brand information you enter (name, voice, audience, ICP documents)
  • Product information you enter
  • Reference images and assets you upload
  • Prompts and offers you submit
  • Performance labels and metrics you record (winners/losers, ROAS, CPM, etc.)

2.3 Generated data

  • Ads, scripts, and other Outputs we generate for you
  • Internal logs of generation runs, errors, and AI provider responses

2.4 Billing data

  • Subscription tier, status, and billing cycle
  • Stripe customer ID and subscription ID (we don't store your card number — Stripe does)

2.5 Usage and technical data

  • IP address (transiently logged for security and abuse prevention)
  • Browser type, operating system, language
  • Pages visited, features used, timestamps
  • Error logs (which may include partial request data for debugging)

2.6 Cookies

See our Cookie Policy for details.

3. How we use your data and our legal bases

Under GDPR, we must have a lawful basis for processing your personal data. Here's how we use each category:

Purpose | Data used | Legal basis (GDPR Art. 6)
Providing the Service (generating ads, storing brands, etc.) | Account, Customer Content, Generated data | Performance of contract (6(1)(b))
Billing and payment processing | Billing data, account data | Performance of contract (6(1)(b))
Transactional emails (welcome, payment failed, cancellation) | Account data | Performance of contract (6(1)(b))
Security, fraud prevention, debugging | Usage and technical data, IP logs | Legitimate interests (6(1)(f))
Improving the Service (analyzing usage patterns) | Usage data (aggregated where possible) | Legitimate interests (6(1)(f))
Compliance with legal obligations (tax records, lawful requests) | Billing data, account data | Legal obligation (6(1)(c))
Marketing emails (if you opt in) | Account data | Consent (6(1)(a)) — withdrawable anytime

4. AI training and your data

We do NOT use your Customer Content or Outputs to train AI models. When you submit a prompt or brand information, it's sent to our AI providers (Anthropic and Google) solely to generate the response you requested. We pay these providers and have data processing agreements with them that prohibit using your data to train their public models.

Some level of operational logging and abuse monitoring may occur on the AI provider side, governed by their own privacy policies (linked in Section 5).

5. Who we share data with

We share your data only with the providers we need to run the Service. We don't sell your data to anyone, ever.

Provider | Purpose | Data shared | Location
Clerk | Authentication and user management | Email, name, auth tokens | USA
Stripe | Payment processing and subscription billing | Email, name, billing info, payment method (Stripe holds card details, not us) | USA, Ireland
Anthropic | AI text generation (Claude model) | Prompts, brand info you submit for generation | USA
Google | AI image generation (Gemini model) | Prompts, reference images | USA, EU
Render | Hosting and database | All data stored at rest | USA, Frankfurt (EU)
Resend | Transactional email delivery | Email address, email content | USA
Cloudflare R2 | Object storage (reference images, ICPs, generated assets) | Uploaded files | Global

We may also disclose data if required by law (court order, subpoena) or to protect against fraud or abuse.

6. International data transfers

Some of our providers are located in the United States. When personal data of EU/EEA individuals is transferred to the US, we rely on the EU-US Data Privacy Framework (where the provider is certified) or Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate organizational and technical safeguards.

7. How long we keep data

Data | Retention
Account data (active users) | For as long as your account exists
Account data (deleted accounts) | 30 days after deletion, then permanently deleted
Customer Content and Outputs | For as long as your account exists; deletable on request
Billing records | 10 years (Romanian tax law requirement)
Server logs (with IPs) | 30 days
Backups | Up to 90 days after which they cycle out

8. Your rights (GDPR + similar laws)

If you're in the EU/EEA, UK, or California, you have rights regarding your personal data. We extend these to all users worldwide as a best practice:

  • Access — get a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements
  • Restriction — limit how we process your data while a dispute is resolved
  • Portability — receive your data in a structured, machine-readable format and transfer it elsewhere
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it anytime (without affecting prior lawful processing)
  • Complaint — lodge a complaint with your local data protection authority (in Romania: ANSPDCP)

To exercise any of these rights, email info@useverso.io. We'll respond within 30 days (or sooner where required by law).

9. Children

Verso isn't intended for users under 18. We don't knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we'll delete it.

10. Security

We take reasonable technical and organizational measures to protect your data: encryption in transit (TLS) and at rest, access controls, audit logs, and regular security review of our providers. No system is 100% secure, but we treat your data like we'd want ours treated.

If we ever experience a data breach that puts your rights at risk, we'll notify affected users and (where required) the relevant data protection authority within 72 hours, per Article 33 GDPR.

11. Automated decision-making

We don't use your personal data for automated decisions that produce legal effects or significantly affect you. The AI generation features generate creative content from your input — they don't make decisions about you.

12. Changes to this policy

We may update this Privacy Policy as our practices evolve. Material changes will be communicated via email and/or in-app notice. The "Last updated" date at the top reflects the current version.

13. Contact

Questions, requests, or concerns? Email info@useverso.io.

© 2026 Scalesys SRL. All rights reserved.