GDPR
Your rights under the GDPR and how to exercise them with Veriti.
Status: Veriti is in invite-only closed beta. This page describes the rights you have under the GDPR and how Veriti currently handles them. The legally binding policy will be reviewed by counsel and published before public launch.
Data controller
Veriti Music Technologies AS, registered in Norway, is the data controller for personal data processed via the Veriti product. Contact legal@veriti.so for any GDPR-related questions or requests.
Your rights
Right of access (Art. 15)
You can request a copy of the personal data we hold about you. We respond within 30 days. The export includes your profile data, your artist records, your scan results, your encrypted-credential metadata (without the plaintext, which we cannot recover), and your portal activity. Stored at-rest encrypted credentials are NOT included in the export — that's by design, since exporting them would decrypt them.
Right to rectification (Art. 16)
You can edit your profile information, your IPI, and your PRO affiliation directly from /portal/settings. For data we have synced from third-party sources (your TONO catalog, for example), corrections need to happen at the source — Veriti reflects what TONO/CISAC/DistroKid currently say about you.
Right to erasure (Art. 17)
You can delete your account from /portal/settings or by emailing legal@veriti.so. On deletion, all personal data is removed within 30 days; database backups are purged within 90 days. Encrypted credentials are destroyed immediately on account deletion.
Right to restriction (Art. 18)
You can ask us to temporarily restrict processing of your data while a correction or dispute is being resolved. We honor this within 7 days of receiving the request.
Right to data portability (Art. 20)
Your synced earnings data, your composition catalog, and your DistroKid CSV reconstructions are all exportable in machine-readable formats (CSV, JSON). Veriti was designed to be un-lock-in-able from day one — the data we surface is your data and remains yours.
Right to object (Art. 21)
You can object to processing at any time. For most processing activities we do, objection is equivalent to disconnecting the relevant integration — once you disconnect TONO from Veriti, we stop processing the data we fetch from TONO.
Rights related to automated decision-making (Art. 22)
Veriti does not make automated decisions with legal effects on you. The product surfaces information and suggests actions (eg "file a fix request for this missing ISWC"), but all actions require explicit user confirmation. There is no algorithm that decides who gets royalties without a human in the loop.
Where data is stored
Production data is stored in Supabase (Postgres) in the EU region. Application servers run in Vercel's EU-region data centers. We do not transfer personal data outside the EEA in the normal course of operation. External services we call (TONO, CISAC, DistroKid, Spotify, MusicBrainz) operate their own data residency — see their respective privacy policies.
How to file a request
Email legal@veriti.so with your account email and the specific right you'd like to exercise. We'll confirm receipt within 3 business days and complete the request within 30 days (extendable to 60 if the request is complex — you'll be notified).
Complaints
If you believe we've mishandled your data, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). We'd appreciate the chance to address your concern first via legal@veriti.so.