Verdatum privacy policy

Last updated: 8 July 2026

This policy explains what personal data Verdatum processes, why, where it goes, and the rights you have over it. It is written to be checked: where a claim has a boundary, the boundary is stated.

Who we are

Verdatum is a trading name of The Coln Group Ltd, a company registered in England and Wales (company number 09788225, registered office 3rd Floor, 86–90 Paul Street, London, EC2A 4NE). The Coln Group Ltd is the data controller for the processing this policy describes.

Our data protection officer oversees this policy and handles privacy matters: privacy@verdatum.ai. For general support, use support@verdatum.ai, or write by post to the registered office.

What Verdatum is

Verdatum is a hosted service that connects AI agents to source-backed company intelligence — registry records, filings, ownership and control, and market data. Your organisation contracts for access; you use Verdatum through an AI assistant that supports the Model Context Protocol (MCP), such as Claude.

The short version

The data we process

Sign-in and entitlement data

Access to Verdatum is contracted at organisation level. When you connect, our authentication provider, WorkOS, Inc., verifies your work email address (directly or through your organisation's identity provider) and issues an access token. Verdatum validates the token and checks that your organisation holds a current contract.

Verdatum keeps no user database. The user records behind sign-in — your email address and organisation membership — are held by WorkOS as our processor. What reaches Verdatum's infrastructure is the token's pseudonymous user and organisation identifiers.

Purpose: authenticating you and enforcing your organisation's entitlement. Lawful basis: our legitimate interests and your organisation's contract (UK GDPR and EU GDPR article 6(1)(f) and, where you act for the contracting organisation, article 6(1)(b)).

Service logs

Each request produces structured log lines carrying the operation or tool name, status, timing, error category, and the pseudonymous WorkOS user and organisation identifiers. Log lines never carry tool arguments, answer content, document content or email addresses; this is enforced in code and verified by automated tests, not left to practice.

Purpose: operating the service, security, capacity planning and abuse prevention. Lawful basis: legitimate interests (article 6(1)(f)). Retention: 30 days in Google Cloud Logging.

Questions and answers: zero data retention

The content of your questions and the answers Verdatum constructs are processed in memory to serve the request and are not persisted. There is no answer archive and no query history on our side.

Two bounded exceptions:

Personal data inside answers

Public company registers publish personal data by law: the names, service addresses, nationalities, months and years of birth, appointments and control interests of company officers and persons with significant control (PSCs). When a question calls for it, Verdatum fetches that data from the register or provider, attaches the source reference, and returns it in the answer.

We process this data transiently to construct the answer; we do not build or maintain profiles of the individuals concerned. Lawful basis: legitimate interests (article 6(1)(f)) in providing source-backed company intelligence from records made public by law, in a manner consistent with the purpose for which the registers publish them.

If you are an officer or PSC and the register's record about you is wrong, the effective correction route is the register itself — Companies House or the SEC — because every Verdatum answer is rebuilt from the source. You can also contact us about our processing at privacy@verdatum.ai.

This policy serves as the public transparency notice for this processing (article 14(5)(b)): the data comes from public registers, is not retained by us, and individual notification of register subjects would be disproportionate to the transient processing involved.

Support correspondence

If you write to support@verdatum.ai we process what you send us to handle the matter, and keep the correspondence for as long as needed to resolve it and to evidence how it was handled. Lawful basis: legitimate interests (article 6(1)(f)).

Website visitors

The Verdatum website is a static site. It sets no cookies and runs no analytics or tracking. Hosting infrastructure records standard request logs, which include IP addresses, retained for 30 days for security and operations.

Where your data goes

Our processors

Processor Role Location
Google Cloud (Google Ireland Ltd) Hosting, logging and extraction cache, in the europe-west1 region (Belgium) EEA
WorkOS, Inc. Authentication, email verification and organisation membership United States
Mistral AI Optical character recognition of public registry filings; receives filing documents only, never your identity or questions France (EEA)

Data sources we query

To answer a question, Verdatum sends query-derived terms — organisation names, registry numbers, instrument identifiers and, where you ask about a person, that person's name — to the relevant sources: Companies House (UK), SEC EDGAR (US), OpenFIGI (US) and Twelve Data (market data). These sources never receive your identity. The registers are independent controllers of the public records they publish.

Your AI assistant platform

Your conversation, including Verdatum's answers once returned, is processed by the AI assistant platform you use (for example Anthropic, for Claude) under that platform's own terms and privacy policy. Our zero-retention posture is a claim about Verdatum's infrastructure only.

We do not sell personal data, and we do not use your data to train models.

International transfers

The service runs in Belgium (EEA), a jurisdiction the UK recognises as adequate. Transfers to WorkOS in the United States are governed by the standard contractual clauses (controller-to-processor and processor-to-processor modules) together with the UK international data transfer addendum, both incorporated in the WorkOS data processing agreement. Where any other provider is outside the UK and EEA, we rely on an adequacy decision or standard contractual clauses with the UK addendum, as applicable to that provider.

How long we keep data

Data Where Retention
Questions and answer content Service memory Duration of the request
Service logs (metadata, pseudonymous identifiers) Google Cloud Logging 30 days
Sign-in records (email, organisation membership) WorkOS For the life of your organisation's contract, then deleted per the WorkOS data processing agreement
Extraction cache (content of public filings) Google Cloud Storage Retained while operationally useful; contains only public filing content
Support correspondence Support mailbox As long as needed to resolve and evidence the matter

Your rights

Under the UK GDPR and, where it applies, the EU GDPR, you have the right to access your personal data, to have it rectified or erased, to restrict or object to its processing, and to data portability. Verdatum makes no automated decisions about you that have legal or similarly significant effect.

To exercise a right, contact privacy@verdatum.ai. We respond within one month. If you are unhappy with our answer you can complain to the Information Commissioner's Office (ico.org.uk) or, in the EEA, to your local supervisory authority.

One limitation, stated plainly: for register-published data about officers and PSCs, erasure and rectification are decisions for the register that publishes the record. We hold no copy to erase — answers are rebuilt from the source each time.

Security

All traffic is encrypted in transit. Provider credentials live in a managed secret store, never in code. Access to production follows least privilege. The payload-free logging posture described above is enforced structurally: log output that is not on an explicit safe list is dropped before it can be written.

This service is for organisations

Verdatum is a business-to-business service offered to contracted organisations. It is not directed at children and we do not knowingly process children's data.

Changes to this policy

We will post changes here and update the date at the top. Material changes are notified to contracted organisations before they take effect.