Privacy Policy
Effective July 15, 2026
1. Who we are
“VeriFyve GCO,” “we,” “us,” and “our” refer to the operator of the VeriFyve GCO institutional compliance platform (the “Service”). This Policy explains how we collect, use, and safeguard information in connection with the Service, and it applies to verifyvegco.com, authorized sub-domains, and any related APIs.
2. Our role: processor for institutional customers
When a financial institution licenses GCO, the institution is the controller of its policy library, employee training records, control evidence, complaint records, and audit trails. GCO acts as a processor or service provider that handles that data on the institution’s written instructions and pursuant to any executed Data Processing Addendum (DPA). Employees, board members, and complainants whose data is stored in GCO should direct privacy requests to the institution first.
3. Information we process
3.1 Provided by the institution
- Institutional account details (institution name, charter type, regulator, primary contacts, billing contact).
- Authorized user records: name, work email, role, permission groups, sign-in metadata.
- Policy documents, revision history, approvals, and reviewer comments.
- Training assignments, attestations, quiz results, completion timestamps.
- Control tasks, evidence uploads, sign-offs, and overdue records.
- Complaint intake records (which may include consumer identifiers), lifecycle notes, resolution documentation.
3.2 Collected automatically
- Device and connection data: IP address, browser, operating system, time zone.
- Application logs, audit trails, and diagnostic telemetry needed to secure and operate the Service.
3.3 Not collected
GCO does not embed third-party advertising SDKs, ad-tech pixels, or data-broker tags. We do not build advertising profiles of your employees or your customers.
4. How we use information
- Provide, secure, and support the Service.
- Send transactional emails: control reminders, training assignments, policy-review nudges, security alerts, invoices.
- Investigate abuse, protect against fraud, enforce our Legal & Disclaimers, and comply with law.
- Generate anonymized, aggregated benchmarks (e.g., control completion rates by asset-size band) — only after all institution and person identifiers are removed.
We do not sell institutional data. We do not use policy content, control evidence, or complaint records to train foundation AI models. Institution uploads that are sent to an AI provider for a customer-initiated feature (for example, a policy summary) are sent under zero-retention terms where the provider offers them.
5. Sub-processors
GCO uses a small number of vetted sub-processors for cloud hosting, database, storage, email delivery, error monitoring, and AI inference. Each is bound by a written agreement that requires appropriate security controls and prohibits secondary use. A current list is available to institutional customers on request at privacy@verifyvegco.com.
6. Security
GCO applies administrative, technical, and physical safeguards appropriate to the sensitivity of institutional compliance records: encryption in transit and at rest, role-based access, audit logging, least-privilege service accounts, and periodic access review. No system is perfectly secure; institutional customers should combine GCO with their own information-security program.
7. Retention
We retain institutional data for the duration of the Agreement and for any additional period the institution instructs (in writing) for regulatory record-retention purposes. On termination, and subject to the Agreement, data is exported to the institution on request and then deleted from active systems within a commercially reasonable period; backup copies age out on standard cycles.
8. Examiner and regulator access
GCO is a system of record designed for examination. Institutional customers may generate examiner-ready exports directly from the platform. GCO will cooperate with lawful, properly served requests from bank regulators, credit-union regulators, or law enforcement directed at the institutional customer, and will, where legally permitted, notify the customer before responding so the customer can assert any applicable privileges.
9. Employees, board members, and complainants
Individuals whose data is stored in GCO (for example, an employee with training records, or a consumer whose complaint the institution logged) should direct privacy requests — access, correction, deletion — to the institution that controls that record. GCO will support the institution in responding.
10. International transfers
The Service is hosted in the United States. Where required, we use Standard Contractual Clauses or other lawful transfer mechanisms.
11. Children
GCO is a business-to-business platform and is not directed to children. We do not knowingly collect personal information from children.
12. Changes to this policy
We may update this Policy from time to time. Material changes will be communicated to institutional administrators through the Service or by email.
13. Contact
Privacy questions and DPA requests: privacy@verifyvegco.com.