How we handle data.
This policy explains what we collect, how we use it, who we share it with, and the rights you and your customers have. If you have a question that isn't answered here, write to privacy@veryquery.com.
The operator.
VeryQuery is operated by Very Machine, Inc., a Delaware corporation. When this policy says “we,” “us,” or “VeryQuery,” it means Very Machine, Inc. When it says “you,” it generally means the merchant who has an account with us.
For any privacy question, data-subject request, or to reach our privacy team, write to privacy@veryquery.com. For legal matters, legal@veryquery.com.
Two kinds of data, two different roles.
VeryQuery handles two distinct categories of personal information, and our role differs for each.
Merchant data (we are the controller)
For information about you as our customer (your account, billing, support correspondence), we are the controller: we decide how and why it's processed.
Shopper data (we are the processor)
For information your shoppers generate through your storefront that you then send to us (search queries, pseudonymous session and user identifiers, merchant-controlled metadata), we are a processor. You are the controller of that data. We process it only on your instructions and for the purpose of providing the service to you.
If you need a Data Processing Addendum (DPA) to cover shopper-data processing, one is available on request to privacy@veryquery.com.
What we collect about you.
Information you give us
- Account details: name, email, company name, role.
- Billing information: processed by our payment processor. We store only the information needed to identify your subscription (customer id, last-four of card, billing address, country), not full card numbers.
- Support correspondence and any content you include in it.
Information we collect automatically
- Operational logs tied to your API key: request timestamps, endpoints hit, response statuses, and latency. Used for billing, diagnostics, abuse prevention, and capacity planning.
- Dashboard session metadata: login time, IP address, user agent. Used for security and account protection.
Why we use it
- To create and maintain your account, authenticate you, and provide the service.
- To bill you and collect payment.
- To communicate about the service: operational notices, security alerts, and policy changes. Marketing messages, if any, are opt-out.
- To detect, investigate, and prevent abuse, fraud, and security incidents.
- To comply with legal obligations and enforce our agreements.
What we process on your behalf.
All shopper-facing traffic reaches the service through your backend. We do not interact with your shoppers directly and we do not set cookies or trackers on your storefront.
The categories of data that may flow to us from your integration include:
- Catalog content you ingest: product titles, descriptions, attributes, and images.
- Search queries your shoppers issue (text, and optionally images or voice audio they attach).
- Pseudonymous session identifiers and user identifiers you choose to attach to each search.
- An optional opaque metadata blob you attach to each search.
The pseudonymous-identifier commitment
When you send us a userId or sessionId, it must be pseudonymous. Do not send us email addresses, names, phone numbers, government identifiers, or any other raw personally identifiable information through these fields or through the optional metadata blob. This boundary is a condition of using the service and is restated in our documentation and API specification.
We rely on this commitment when designing our data handling. If raw PII reaches us through these fields despite this rule, you remain the controller of that data and you remain responsible for compliance with applicable law.
What we do with your data.
We use your data to provide, operate, secure, and improve the service. Specifically:
- To process your catalog into the representations we use for search and retrieval.
- To answer your shoppers' queries and return matching item identifiers.
- To generate the analytics, dashboards, and intelligence outputs the service provides to you.
- To monitor capacity, diagnose problems, and improve performance.
- To prevent abuse and protect the security of the platform and its users.
What we don't do
- We do not sell your data. We will not sell, rent, or license your data, your catalog, or your shoppers' queries to third parties.
- We do not use your data to target your shoppers with advertising.
- We do not share your account information with other merchants.
Aggregated and de-identified outputs
We may produce aggregated or de-identified information derived from platform-wide usage (for example, aggregate demand patterns). Aggregated or de-identified outputs do not identify you, your shoppers, or your catalog, and may be used to improve or describe the service generally.
Who we rely on.
To deliver the service we work with a small set of established providers. We use them in the following categories:
- Payment processor, for subscription billing and card handling.
- Transactional email service, for service emails (receipts, alerts, account notices).
- Cloud AI services, for the AI models used in search and intelligence. These providers operate under contractual commitments that restrict them from using your data for their own purposes or for training their general models.
- Infrastructure providers, for hosting, networking, and content delivery.
Every provider is bound by written data-protection terms consistent with this policy. A current list of named sub-processors is available on request to privacy@veryquery.com.
Where data lives.
Very Machine, Inc. is based in the United States. When you use the service, your data (and shopper data you send us) may be transferred to, stored in, and processed in the United States and in other countries where we or our sub-processors operate.
For transfers of personal data subject to the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK-GDPR), or equivalent laws, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable. If you require these safeguards formalized alongside a DPA, contact privacy@veryquery.com.
Rights you can exercise.
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate personal data;
- Request deletion of your personal data;
- Object to or restrict certain processing;
- Request a copy of your data in a portable format;
- Withdraw consent where we rely on it as the basis for processing;
- Lodge a complaint with your local data-protection authority.
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to deletion, the right to correction, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information under the CCPA's definitions.
To exercise any of these rights, write to privacy@veryquery.com. We will respond within the timeframe required by applicable law.
If you are a shopper whose pseudonymous data reached us through a merchant's use of the service, your request is generally best directed to that merchant (the controller). We will support the merchant's response and, where required by law, respond to you directly.
How long we keep data.
While your account is active, we retain your data for as long as needed to provide the service and meet our legal obligations.
After your account terminates, we retain your data for 30 days and then permanently delete it from our active systems. Residual copies in routine backups are purged on the normal backup lifecycle.
We may retain a limited subset of account and transaction records beyond this window where required by tax, accounting, fraud-prevention, or other legal obligations, or for the establishment or defense of legal claims.
What we set in a browser, and what we don't.
Our merchant dashboard (merchant.veryquery.com) uses a first-party session cookie required for authentication. Without it, signed-in sessions cannot be maintained.
We do not set advertising cookies, third-party tracking cookies, or analytics cookies on our marketing site or dashboard. We do not participate in cross-site tracking.
How we protect data.
We apply administrative, technical, and physical safeguards that are reasonable and appropriate to the nature of the data we handle and the risks involved. These include encryption in transit for all API and dashboard traffic, principle-of-least-privilege access controls for internal staff, and isolation of customer data along account boundaries.
No method of transmission or storage is perfectly secure. If we become aware of a security incident that meaningfully affects your data, we will notify you without undue delay and in accordance with applicable breach-notification laws.
Not a service for minors.
The service is designed for businesses and is not directed at children. We do not knowingly collect personal information from children under 13 (or under 16 where the GDPR applies) as part of our controller-side processing.
As our merchant, you agree not to use the service to process personal information about children in a way that would require parental consent under applicable law unless you have independently obtained that consent and put appropriate protections in place.
How we update this policy.
We may update this policy. If we make material changes, we will notify registered account holders by email at least 30 days before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.
Past versions are available on request.
How to reach us.
- Privacy
- privacy@veryquery.com
- Legal
- legal@veryquery.com
- Security
- security@veryquery.com
- General
- hello@veryquery.com
- Entity
- Very Machine, Inc. · Delaware, USA