Privacy policy

Last updated: May 2026

This Privacy Policy explains how Vern AI Pty Ltd ("Vern", "we", "us", "our") collects, uses, shares, and protects information when you use our AI-powered data migration and customer onboarding platform at vern.so (the "Service").

This Privacy Policy should be read together with our Terms of Use. Capitalised terms not defined here have the meaning given in the Terms of Use.

For privacy questions or requests, contact:

Vern AI Pty Ltd P/24 Campbell Street, Haymarket, NSW 2000, Australia Privacy: vish@vern.so

1. Our role: controller vs processor

Vern handles personal information in two distinct capacities:

  • As a Controller — for personal information of our own users (e.g. signup details, billing contacts, support requests) and visitors to our website. This Privacy Policy explains how we handle that information.

  • As a Processor — for personal information about your End Customers that you upload to, or instruct Vern to extract, transform, or import on your behalf ("Customer Data"). For Customer Data, you (our customer) are the data controller, and we process it under your instructions in accordance with Section 6 of our Terms of Use. If you are an end customer of one of our customers, please contact them directly with privacy questions about how your data is handled.

2. Information we collect

Account and contact information

  • Name, work email, password hash, and company name when you create an account.

  • Role and team information (where you provide it) for legitimate business-use verification.

  • Information you provide when contacting us for support or sales.

Billing information

  • Payment is processed by Stripe; we receive limited billing metadata (such as plan, billing email, last four digits of card, country) but do not store full card numbers.

Usage and security data

  • Product usage events: features used, jobs run, agent runs, errors, and similar.

  • Session and access logs: IP address, browser/device information, timestamps, and authentication events — used for security, audit, and abuse prevention.

  • API and integration logs: metadata about calls made to and from Vern.

Customer Data (processed on your behalf)

  • Files, exports, and records you upload or that Vern extracts from source systems on your instructions.

  • Schema, mapping, transformation, and validation outputs generated during migrations.

  • Audit records of changes made during migration jobs.

Cookies and similar technologies

We use a small number of cookies and similar technologies for authentication, security, and product analytics. You can control non-essential cookies through your browser; disabling essential cookies will affect login and security features.

We do not knowingly collect personal information from anyone under 18.

3. How we use information

We use information we collect about you (as Controller) to:

  • Provide, maintain, and secure the Service and your account.

  • Process payments and manage subscriptions.

  • Communicate with you about the Service, including security and policy updates, and respond to support requests.

  • Detect, investigate, and prevent fraud, abuse, and security incidents.

  • Improve the Service — including analysing usage patterns and resolving technical issues.

  • Comply with legal obligations and enforce our Terms of Use.

We process Customer Data only on your documented instructions as set out in our Terms of Use, except where applicable law requires otherwise. We do not use Customer Data to train foundation models or any general-purpose AI models. We may use aggregated, de-identified operational data (such as schema patterns or migration metadata) to improve the Service.

4. Sub-processors and service providers

We use the following sub-processors to deliver the Service. An up-to-date list is available in our Trust Center.

We require sub-processors to be bound by data protection terms substantially equivalent to ours. We will give reasonable advance notice of material changes to this list.

5. Sharing and disclosure

We share information only as needed to operate the Service and as described in this policy:

  • With sub-processors and service providers, as listed above.

  • With your authorised users and integrations, as you configure them.

  • For legal reasons — to comply with valid legal process, to enforce our Terms, to protect the rights, property, or safety of Vern, our customers, or others, or to investigate suspected fraud or abuse.

  • In a corporate transaction — in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections; we will give you notice if your data would become subject to a different privacy policy.

We do not sell personal information.

6. Where data is stored and international transfers

Customer Data and most account data are stored on infrastructure operated by AWS in North America (United States). Some processing also occurs in other jurisdictions where our sub-processors operate.

If you access the Service from outside the United States (including from Australia, the EEA, or the United Kingdom), your information will be transferred to and processed in countries with data protection laws that may differ from those of your home country. We rely on appropriate safeguards for these transfers, including contractual protections with our sub-processors and, where applicable, the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum.

Enterprise customers may contact us about custom data residency options.

7. Data retention

  • Account data: retained while your account is active and for a reasonable period afterwards for legal, audit, and dispute-resolution purposes.

  • Customer Data: retained for the term of your subscription and for up to 30 days after termination to allow export, after which it is deleted in accordance with our Terms of Use, unless retention is required by law.

  • Operational and security logs: retained for periods consistent with our ISO 27001 controls and applicable legal requirements.

  • Billing records: retained as required by tax and accounting law.

8. Security

Vern operates an information security program certified to ISO/IEC 27001. Our controls include:

  • Encryption in transit (TLS) and at rest.

  • Role-based access controls and multi-factor authentication for personnel.

  • Logging, monitoring, and anomaly detection.

  • Vendor risk management and sub-processor reviews.

  • Incident response and business continuity procedures.

  • Regular internal and independent audits.

Detailed information about our security posture is available in our Trust Center.

In the event of a personal data breach affecting your information, we will notify you and, where required, the relevant supervisory authority within applicable timeframes, and provide guidance on protective steps you can take.

9. Your rights

Depending on where you are located, you may have rights in relation to your personal information, including the right to:

  • Access the personal information we hold about you.

  • Request correction of inaccurate or incomplete information.

  • Request deletion of your personal information.

  • Object to or restrict certain processing.

  • Request portability of information you provided.

  • Withdraw consent where processing is based on consent.

To exercise these rights, contact us at vish@vern.so. We may need to verify your identity before responding. We respond within 30 days where required by law; complex requests may take longer.

If you are an End Customer of one of our customers, please direct your request to that customer (the controller of your data). We will support our customer in responding.

We may decline or limit a request where retention is required by law, where it would unduly affect the rights of others, or where the request is manifestly unfounded.

10. Compliance

We aim to handle personal information in accordance with applicable laws, including:

  • The Australian Privacy Act 1988 (including the Australian Privacy Principles).

If you believe we have not handled your personal information appropriately, please contact us first at vish@vern.so. You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or your local data protection authority.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If a change is material, we will give you reasonable advance notice — by email to your account address, in-app notice, or a prominent notice on our website. Continued use of the Service after the effective date of the change means you accept the updated policy.

12. Contact

Vern AI Pty Ltd P/24 Campbell Street, Haymarket, NSW 2000, Australia Privacy: vish@vern.so Trust Center: trust.vern.so