Privacy policy — VerigoPay

1 Data controller

The controller of your personal data is Ca.Sa srl, a Belgian limited liability company (SRL), registered with the Belgian Crossroads Bank for Enterprises (BCE/KBO) under number BE 0784.675.956, with its registered office at Rue Jean-Baptiste Colyns 112 box 1, 1050 Ixelles, Belgium, publisher of the Verigopay service available at verigopay.com. Official record: view on the Belgian BCE website.

For any question about this policy or to exercise your rights, contact us at:

info@verigopay.com

You can also consult our legal notice for full publisher information.

2 Data collected.

Verigopay only collects the data strictly necessary to deliver the legal-risk verification service. In practice:

Work email address — to create your account and send you alerts.
Password — stored only in hashed form (bcrypt via Supabase Auth). Verigopay cannot read your password in clear.
Company name — to personalise your workspace and exports.
OAuth access tokens (Qonto, Odoo) — issued by these platforms when you authorise the connection. They are encrypted at rest in our database and only used to read your list of business counterparties.
List of counterparties (suppliers and customers) — synced from Qonto and Odoo: company name, identifier (VAT, SIREN, BCE), country.
Verification results — risk score, legal status, alerts generated by Verigopay. This data comes from the official public registries of each covered country: BODACC and INSEE/Sirene (France), BCE/KBO and Belgian Official Gazette (Belgium), CVR (Denmark), PRH (Finland), KRS (Poland), e-Äriregister (Estonia), ARES (Czechia) and CRO (Ireland). New official registries are added as the European rollout continues.

3 Data we never collect.

Verigopay is built for legal-risk verification — not for reading your books or your payments. We never collect:

Your bank transactions or account movements.
Your balances or cash flows.
Your card data or IBANs beyond identifying your counterparties.
The line-level detail of your invoices (line items, amounts, unit prices).
The personal data of your employees or consumer customers.

Guiding principle: Verigopay strictly applies the minimisation principle of GDPR article 5.1.c. We ask Qonto and Odoo for the narrowest possible OAuth scope.

4 Purposes

Data is used exclusively for the following purposes:

Counterparty legal-risk verification before payment (real-time queries to official registries).
Proactive alerts in case of insolvency, restructuring, liquidation or a detected change of director at one of your counterparties.
Tracking dashboard: display of check history, active signals, the health of your counterparty portfolio.
Contractual communication: messages relating to your account (billing, security, service updates).

Verigopay never uses your data for advertising, never sells it, and never uses it to train AI models.

5 Legal basis

The legal basis for processing is the performance of a contract (Article 6(1)(b) of the GDPR).

When you subscribe to Verigopay and connect your tools (Qonto, Odoo), you enter into a contract with us. The processing described above is necessary to perform that contract: without this data, the service cannot work.

6 Recipients and processors.

No data is shared with third parties for commercial purposes. Verigopay never sells, swaps or rents your data.

To operate the service, we rely on the following technical sub-processors, all contractually committed to GDPR compliance:

Sub-processor

Purpose

Hosting

Supabase

Database hosting, authentication

EU (Frankfurt)

Vercel

Hosting of the website and web app

EU/US — SCC

Resend

Sending transactional emails and alerts

Qonto and Odoo OAuth tokens are used to interact with these platforms strictly within the permissions you've granted. Verigopay is an approved Qonto Partner and complies with the Qonto partner confidentiality charter.

7 Retention

Your data is kept for the duration of the contract, plus 30 days after termination to allow a simple reactivation if you change your mind.

After that 30-day period, all your data is irreversibly erased from our production systems. Encrypted backups are purged within a maximum of 90 additional days.

The only data kept beyond is the mandatory accounting records (issued invoices), kept for 10 years in compliance with French tax obligations (article L123-22 of the French Commercial Code).

8 Your GDPR rights.

Under the GDPR, you have the following rights regarding your data at any time:

Right of access — obtain a copy of all data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure (right to be forgotten) — permanently delete your account and associated data.
Right to portability — receive your data in a structured, machine-readable format (JSON or CSV).
Right to object — refuse any processing not strictly necessary to perform the contract.
Right to restriction — temporarily freeze processing while a request is being examined.

To exercise any of these rights, write to us at the address below. We will respond within 30 days at the latest.

info@verigopay.com

9 Cookies

Verigopay uses no tracking, advertising or third-party behavioural-analytics cookies.

We only use technical session cookies, strictly necessary for the service to work (managing your authentication session via Supabase Auth). These cookies are exempt from prior consent under the French CNIL guidelines (article 82 of the French Data Protection Act).

No cookie banner on Verigopay, because nothing here makes one necessary. It's deliberate.

10 Security

Verigopay implements the following technical and organisational measures to protect your data:

Encryption at rest — Qonto and Odoo OAuth tokens are encrypted before being stored in the database.
Encryption in transit — all communications use TLS 1.3.
Multi-tenant isolation — each customer's data is isolated using Supabase Row Level Security (RLS) policies. No customer can access another customer's data.
European hosting — the database is hosted in the European Union (Frankfurt).
Strong authentication — bcrypt-hashed passwords, short-lived sessions, optional 2FA.
Backups — encrypted automatic daily backups, kept for 30 days.
Audit logging — each access to sensitive data is logged.

11 Transfers outside the EU

Our users' business data (OAuth tokens, counterparty lists, verification results) remains stored within the European Union, on Supabase infrastructure (Frankfurt, Germany).

Our website host Vercel operates a global infrastructure that includes servers in the United States for performance reasons (CDN). When technical data transits these servers occasionally, the transfer is framed by the Standard Contractual Clauses adopted by the European Commission on 4 June 2021, ensuring a level of protection equivalent to the GDPR.

Note: no OAuth token, no counterparty data and no verification result transits through US servers. Only static HTML pages and assets may be served from the global Vercel CDN.

12 Right to complain

If you believe Verigopay's processing of your personal data breaches the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

In France

CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
www.cnil.fr

In Belgium

APD — Data Protection Authority
Rue de la Presse 35 — 1000 Brussels
www.autoriteprotectiondonnees.be

You can also lodge a complaint with the supervisory authority of your EU country of residence. Before doing so, we kindly invite you to contact us at info@verigopay.com — we'll address any concern as quickly as we can.