Privacy Policy
What personal data we collect, why, how we share it, and your rights under GDPR and CCPA.
1. Controller
MJD TESTING SERVICES LTD (Company No. SC707843), registered at 9 Marguerite Grove, Kirkintilloch, G66 4HD, Scotland is the controller of the personal data described in this notice. You can reach our privacy contact at support@mjdtestingservices.com.
2. Data we collect
Account data — your name, email, and password hash.
Inspection content — the photos, descriptions, and notes you upload, the verdicts we return, and the diagnostic reels we render for you.
Billing data — name, billing address, and partial card information stored by Stripe; we never receive your full card number.
Technical data — IP address, device, browser, locale, and event logs needed to run and secure the service.
3. Why we use it (legal bases)
To deliver the service you requested (contract — Art. 6(1)(b) GDPR).
To meet our legal obligations, for example tax, accounting, fraud, and consumer-rights duties (legal obligation — Art. 6(1)(c)).
To improve and secure the service, debug models, and prevent abuse (legitimate interests — Art. 6(1)(f)).
To send essential service and billing notices (contract & legitimate interests). Marketing emails are sent only with separate consent.
4. Sharing
We use a small number of processors to run Verifyr: Stripe for payments, Supabase for storage and identity, Vercel for hosting, and reputable AI inference providers for image and chat analysis. Each is bound by data-processing agreements consistent with GDPR Art. 28.
We do not sell your personal data. We do not share inspection content for advertising.
5. International transfers
Some processors are based outside the UK / EEA. Where that is the case, transfers rely on UK and EU Standard Contractual Clauses or adequacy decisions.
6. Retention
Account & inspection content — kept while your account is active and for 12 months after deletion, then removed from production systems. Backups expire on a rolling 35-day cycle.
Billing records — retained for at least 6 years to satisfy UK and EU tax law.
Aggregated, de-identified model-improvement data has no fixed expiry; it does not identify you.
7. Your rights
Under GDPR, you have rights of access, rectification, erasure, restriction, portability, and objection, plus the right to lodge a complaint with a supervisory authority (in the UK: the Information Commissioner’s Office).
Under CCPA / CPRA, California residents may request access, correction, deletion, and limits on the sharing of “sensitive personal information”. We do not “sell” or “share” data for cross-context behavioural advertising.
To exercise any right, email support@mjdtestingservices.com; we verify identity and respond within statutory deadlines.
8. Children
Verifyr is not directed at children under 13. We do not knowingly collect personal data from them; if you believe we have, tell us and we will delete it.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is gated to a small number of operators using SSO with hardware-key MFA, and is logged.
10. Updates
Effective date: 2026-05-19. Material changes are notified in-app at least 14 days before taking effect.