Privacy

A plain-language summary of what we collect, why we collect it, and how it's stored. The legally binding version follows the public launch.

Status: Veriti is currently in invite-only closed beta. This page is a plain-language statement of practice, not the final privacy policy. The legally binding policy will be reviewed by counsel and published before public launch. If you need that policy today (e.g., for a procurement or DPA process), email legal@veriti.so.

Who we are

Veriti is operated by Veriti Music Technologies AS, registered in Norway. The data controller for Veriti customer data is Veriti Music Technologies AS.

What we collect from you directly

  • Account info: email and password (the password is hashed by Supabase Auth; we never see the plaintext).
  • Profile: display name, PRO affiliation, and your writer IPI if you provide one.
  • Connection credentials: when you connect TONO or DistroKid, we store your login credentials AES-256-GCM-encrypted at rest. The encryption key is held outside the database and rotated on a schedule. We use the credentials only to fetch your royalty data on your behalf.

What we collect on your behalf (from external services)

  • From your TONO portal: composition catalog (titles, ISWCs, writers, status), Avregning per-work statements, Kontoutskrift bank statements, NCB online/distribution statements.
  • From DistroKid: the "Excruciating Detail" earnings CSV — per-track × store × country × month payouts.
  • From CISAC ISWC-Net: composition lookups by title × contributor and by IPI. Results are stored as a cache.
  • From Spotify: your artist catalog metadata and album cover art. Cached for 24 hours.
  • From MusicBrainz: fallback composition data when higher-priority sources are silent.

What we don't collect

  • Behavioral / advertising cookies.
  • Listening data, location data, or device tracking.
  • Credentials for any source we don't directly integrate with. If you see a credential prompt for a service we don't list above, it's a phishing attempt — please report it.

How long we keep things

Your account and source-of-truth data are retained for as long as your account is active. When you delete your account, all data (including encrypted credentials) is deleted within 30 days, with backups purged within 90 days. External-service caches expire on their own schedule (24 hours for Spotify cover art, 90 days for CISAC lookups).

Your rights

You can request access to, correction of, or deletion of your data at any time via legal@veriti.so or by following the process in the GDPR page.

Questions

Anything unclear: legal@veriti.so.