Verslay

Privacy Policy

Last updated: March 16, 2026

This Privacy Policy explains how Verslay (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you use the Verslay platform (“Service”).

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Full name (optional)
  • Password (hashed, never stored in plaintext)
  • Authentication provider data (if using Google OAuth sign-in)

Business Memory Data

When you use Verslay agents, the Service stores business context you provide in a structured memory system. This includes:

  • Company information, team structure, and business preferences you share
  • Episodic events and milestones recorded during agent interactions
  • Agent activity logs (which agents were used, when, and general outcomes)

This data is stored in your personal memory space and is never shared with other users.

Connected Service Data

When you connect third-party services (Google, HubSpot), we store OAuth tokens that allow our agents to act on your behalf. We access only the data necessary to perform the tasks you request. We do not store copies of your emails, calendar events, or CRM records — we access them in real-time during agent execution.

Usage Data

We automatically collect:

  • Agent deployment counts and invocation metrics
  • Feature usage patterns (pages visited, features used)
  • Technical data (browser type, device type, IP address for security purposes)

2. How We Use Your Information

  • Service delivery: To operate the platform, execute agent tasks, and maintain your business memory.
  • Personalization: To provide contextual, personalized agent responses based on your stored business context.
  • Security: To protect your account, detect fraud, and enforce our Terms of Service.
  • Improvement: To analyze anonymized usage patterns and improve the Service.
  • Communication: To send essential service notifications (security alerts, plan changes, password resets).

3. Data Storage and Security

Infrastructure

Your data is stored on the following infrastructure:

  • Database: Supabase (PostgreSQL) with row-level security — your data is isolated from other users at the database level.
  • Authentication: Supabase Auth with HTTP-only secure cookies.
  • Frontend: Vercel (serverless, encrypted in transit).
  • MCP Server: Railway (encrypted in transit).

Encryption

  • All data is encrypted in transit using TLS/HTTPS.
  • OAuth tokens for connected services are encrypted at rest using AES-256-GCM.
  • API keys are stored as SHA-256 hashes — the original key is never retained.
  • Passwords are hashed by Supabase Auth and never stored in plaintext.

Access Controls

  • Row-level security (RLS) policies ensure you can only access your own data.
  • Service role access is restricted to specific server-side operations that require elevated permissions.
  • Admin access is limited to authorized personnel and all admin actions are logged.

4. Third-Party Services

We integrate with the following third-party services:

ServicePurposeData Accessed
SupabaseDatabase, authentication, file storageAll user data
Google (Gmail, Calendar)Email and calendar agent functionalityEmails, calendar events (real-time, not stored)
HubSpotCRM agent functionalityContacts, deals, companies (real-time, not stored)
Anthropic (Claude)AI model providerConversation context (processed by claude.ai, not Verslay servers)
VercelFrontend hostingWeb traffic, server-side rendering
RailwayMCP server hostingAPI requests, tool execution

5. Data Retention

  • Active accounts: Data is retained for the lifetime of your account.
  • Deleted accounts: Data is permanently deleted within 30 days of account closure.
  • Activity logs: Retained for 12 months for analytics and troubleshooting.
  • OAuth tokens: Deleted immediately when you disconnect a service.

6. Your Rights

You have the right to:

  • Access your data at any time through the dashboard (memory, activity, connections).
  • Edit your business memory and profile information.
  • Delete your memory data, disconnect services, or close your account entirely.
  • Export your data by contacting us at the address below.
  • Revoke connected service access at any time from your connections page.

7. Cookies

We use cookies for:

  • Authentication: HTTP-only secure session cookies to maintain your login state.
  • CSRF protection: Temporary cookies used during OAuth connection flows.

We do not use third-party tracking cookies or advertising cookies.

8. Children’s Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice on the Service at least 14 days before the changes take effect.

10. Contact

For privacy-related questions or data requests, contact us at privacy@verslay.com.