Privacy practice.

1. Scope

This notice describes how Veronara handles personal data on veronara.com and the institutional surfaces listed in our Subprocessors. Institutional deployments of HealthOS are governed by the Data Processing Agreement (DPA) and the Master Services Agreement (MSA) executed with each customer.

2. Data we collect

On first visit to veronara.com: no cookies, no fingerprinting, no third-party trackers. Privacy-preserving page-level analytics are collected via self-hosted Plausible without tracking individual users.

If you submit an engagement request via /engage, we collect the fields you submit — name, title, institution, country, scale, and free-text description — for institutional engagement purposes only.

3. Legal basis

Under GDPR Article 6(1)(f), processing is based on our legitimate interest in responding to institutional inquiries and serving institutional customers. For residents of jurisdictions requiring consent (and for sensitive categories), we operate on explicit consent collected at the point of submission.

4. How we use it

Engagement submissions are routed to our institutional engagement team via the CRM specified in our Subprocessors. We do not sell or share submissions. We do not operate automated sales sequences.

5. Retention

Engagement submissions are retained for the duration of the active institutional engagement plus three years, after which they are deleted from active systems. Backups follow rolling retention per subprocessor policy.

6. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, or object to the processing of your data. To exercise these rights, contact privacy@veronara.com. We acknowledge requests within the statutory timeline applicable to your jurisdiction.

7. International transfers

For visitors in the EU, UK, and UAE, data is processed in-region wherever possible. Cross-border transfer to the US or other regions occurs only under Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms. Regional residency is documented on Data Residency.

8. Security

Technical and organizational security measures are documented on Security. Subprocessors are contractually bound to equivalent protection. Security researchers may report vulnerabilities to security@veronara.com.

9. Cookies

We do not set cookies on first visit. Session cookies are set only if you interact with /engage (for form CSRF protection) and are httpOnly, Secure, and SameSite=Lax. No third-party tracking cookies.

10. Changes

This notice may be updated. Material changes are dated and preserved without silent edit. Institutional customers are notified of material changes per their DPA.

11. Contact

Privacy and data protection correspondence: privacy@veronara.com. EU representative and UK representative details available on request where applicable.