Effective date: 16 June 2026
This Privacy Policy explains how Karajan Ltd ("UGCVerify", "we", "us") collects, uses, and shares personal data when you use the UGCVerify content-screening service (the "Service"). It is written to address the EU General Data Protection Regulation and UK GDPR ("GDPR") and U.S. state privacy laws (including the California Consumer Privacy Act/CPRA, "CCPA").
Karajan Ltd, Begbies, 9 Bonhill Street, London, EC2A 4DJ, England and Wales, is the controller (GDPR) / business (CCPA) responsible for personal data processed about account holders and team members.
For content files you upload, you (our Customer) determine the purposes and means of processing; you are the controller/business and we act as your processor/service provider for that content. We process it under our Terms of Service and, where required, a data processing agreement.
Privacy contact: sam@ugcverify.com. Data protection contact: sam@ugcverify.com.
| Data | Source | Purpose | Lawful basis (GDPR) |
|---|---|---|---|
| Account email | You | Authenticate you via magic link; account admin; service communications | Contract; legitimate interests for security |
| Organisation / workspace data and team-member ("seat") emails | You / your admin | Provide multi-user workspace; manage seats | Contract; legitimate interests |
| Uploaded content files (image/video), optional caption and target market | You | Perform the requested screening; generate the receipt | Performance of our contract with you (processed on your instructions) |
| Screening metadata and signed receipts | Generated by the Service | Produce, store, and verify receipts; provide the public verification function; support and audit | Contract; legitimate interests (integrity of the verification function) |
| Billing data (held by Stripe; we receive limited transaction/subscription metadata) | You via Stripe | Take payment; manage subscription | Contract; legal obligation (tax/accounting) |
| Technical/usage and security logs | Automatically | Operate, secure, and troubleshoot the Service | Legitimate interests |
2.1 Under CCPA, the categories above correspond to identifiers, commercial information, internet/network activity, and (in uploaded content) potentially audio/visual and biometric-type information. We do not sell personal data and we do not "share" it for cross-context behavioural advertising.
3.1 Content files you upload may contain images or recordings of identifiable people, their likeness, and potentially data that is "special category" under GDPR or "sensitive" under U.S. law.
3.2 We process content files only to perform the screening you request and to generate the receipt, acting on your instructions as processor. You are responsible for having a lawful basis (and, where required, explicit consent) to upload such content and for any necessary notices to the individuals depicted. See the Acceptable Use section of the Terms.
3.3 We do not use content files for advertising, and we do not use them to train detection models except to the limited extent strictly necessary to deliver the screening you requested.
We keep personal data only as long as we need it for the purposes set out in this policy, in line with the UK GDPR storage-limitation principle.
All verdicts produced by UGCVerify are indicative and automated, and are issued with a signed caveat in every receipt. They are not legal advice or a guarantee of compliance.
We use a small number of trusted service providers ("processors") to run UGCVerify. Each is bound by a data-processing agreement and may only process your data on our instructions. We list them by role:
Our primary database is hosted in the EU (Frankfurt). Some providers are based in, or process data in, the United States; where that happens we rely on the UK's approved international-transfer safeguards (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses). You can request the current list of our providers by contacting us at sam@ugcverify.com.
6.1 Some providers (including Stripe and the automated detection provider) may process data outside your country, including in the United States.
6.2 Where personal data is transferred out of the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or the EU Standard Contractual Clauses, plus any required transfer risk assessment.
7.1 GDPR (EU/UK): you have rights to access, rectify, erase, restrict, and object to processing, to data portability, and to withdraw consent where processing is based on consent. You may complain to your supervisory authority (in the UK, the Information Commissioner's Office).
7.2 CCPA (California) and similar U.S. laws: you have rights to know, access, delete, and correct personal information, and to opt out of sale/sharing (note: we do not sell or share). We will not discriminate against you for exercising these rights.
7.3 How to exercise: contact sam@ugcverify.com. We will verify your identity and respond within the time required by law.
7.4 Content depicting third parties. If you are an individual depicted in uploaded content, the Customer who uploaded it is the controller; we will route your request to that Customer and assist them as their processor. Because receipts are durable for verification, erasure of a receipt may be limited where the verification function depends on it; we will assess each request against applicable law.
8.1 We use strictly necessary cookies / local storage for authentication and security. If we add analytics or non-essential cookies, we will update this Policy and obtain consent where required.
9.1 We use appropriate technical and organisational measures, including: encryption in transit and (where supported) at rest, a private (non-public) object store for content, access controls, and cryptographically signed receipts (Ed25519) so that receipt integrity can be independently verified. No method is perfectly secure.
9.2 If a personal-data breach occurs, we will notify as required by applicable law.
10.1 The Service is for business users aged 18+ and is not directed to children. We do not knowingly collect personal data from children through account sign-up.
11.1 We may update this Policy and will post the new version with an updated effective date; material changes will be notified.
Controller: Karajan Ltd, Begbies, 9 Bonhill Street, London, EC2A 4DJ, England and Wales.
Privacy: sam@ugcverify.com. Data protection contact: sam@ugcverify.com.