Effective date: 2026-05-25 Last updated: 2026-05-25
Decentral Media Inc. ("Decentral Media," "Company," "we," "us," or "our"), a Delaware C-corporation with its principal office in New York, NY, operates the Vera prediction-markets data API ("Vera" or the "Service"). This Privacy Policy explains what personal data we collect through the Service and the Vera marketing website, why we collect it, who we share it with, how long we keep it, and the rights you have over it.
Vera is a business-to-business product. We collect personal data primarily about the individuals who register, administer, and pay for accounts — not about end users of our customers' products. References below to "you" mean the natural person interacting with us, whether on behalf of yourself or a company.
This policy is designed to comply with the European Union General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (collectively, "CCPA"), and other applicable privacy laws.
1. The Data We Collect
1.1 Account information
When you register for Vera we collect the information you provide directly, including:
- Name and the name of your company or organization
- Work email address
- Billing address, country, and tax identifiers (collected and stored by our payment processor; see Section 3)
- Account password, stored only as a salted cryptographic hash
- Optional profile fields you choose to provide (role, use-case description)
1.2 Billing information
Payment card details, bank information, and full billing addresses are collected and stored by Stripe, our payment processor. We do not see or store full card numbers on our own systems. We receive from Stripe a customer identifier, the last four digits of the card, the card brand, the country of issue, and the status of charges.
1.3 Usage and technical information
When you call the Vera API or sign in to the dashboard, we automatically collect:
- The API key used (which identifies the account, not a natural person)
- Source IP address
- HTTP user agent
- Endpoint, method, status code, response size, and latency
- Timestamp of the request
- The query parameters and request body necessary to handle the request
We retain request bodies only to the extent needed for debugging, abuse prevention, and product analytics, on the schedule in Section 5.
1.4 Cookies and analytics on the marketing site
The Vera marketing site (the public-facing pages at vera.cryptobriefing.com) uses a small number of first-party cookies and a privacy-respecting analytics tool to understand which pages are visited and how visitors arrive. We do not use third-party advertising cookies, and we do not participate in cross-site behavioral advertising networks.
The authenticated dashboard uses only the cookies strictly necessary to keep you logged in and to protect against cross-site request forgery.
1.5 Communications
If you contact us by email, through the in-app support widget, or through a sales form, we keep the content of those communications and our responses for the period necessary to support you and resolve any related dispute.
1.6 What we do not collect
We do not knowingly collect:
- Special categories of personal data under GDPR Article 9 (race, religion, health, biometric, etc.)
- Information from children — see Section 9
- Personal data about your end users, except to the extent you choose to submit it in API requests, which we discourage
2. Why We Collect It (Legal Bases)
Under GDPR and similar frameworks, we rely on the following legal bases:
| Purpose | Categories used | Legal basis (GDPR) |
|---|---|---|
| Provisioning and operating your account | Account info, billing info | Contract performance (Art. 6(1)(b)) |
| Processing payments | Billing info | Contract performance |
| Sending operational emails (receipts, security notices, deprecation notices) | Account info | Contract performance |
| Detecting abuse, enforcing rate limits, preventing fraud | Usage info, IP, technical info | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and improvement | Usage info, aggregated request metadata | Legitimate interests |
| Marketing emails to existing customers about the Service | Account info | Legitimate interests, with opt-out |
| Marketing emails to non-customers who opted in | Email address | Consent (Art. 6(1)(a)) |
| Complying with tax, accounting, and legal obligations | Account info, billing info, invoices | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | All categories as relevant | Legitimate interests |
Where we rely on legitimate interests, we have balanced our interest against your rights and freedoms; you may object to that processing as described in Section 7.
3. Data Processors
We share personal data only with the third-party service providers ("processors") listed below, and only to the extent necessary for them to provide their service to us. Each is bound by a data processing agreement that restricts their use of personal data to the purposes we instruct.
| Processor | Purpose | Data categories | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, tax calculation, invoicing | Account info, billing info, payment info | United States |
| Amazon Web Services, Inc. | Hosting, storage, networking, database | All categories as stored at rest | United States (us-east-1, us-east-2) |
| Neon, Inc. | Managed Postgres database hosting | Account info, subscription state, API-key metadata, request logs | United States (us-east-2) |
| Plausible Analytics or PostHog | Marketing-site and product analytics | Usage info, page views, anonymized IP | EU (Plausible) or US (PostHog) |
| Sentry, Inc. | Error and performance monitoring | Limited technical info, stack traces | United States |
| Loops or Resend | Transactional and marketing email delivery | Email address, account info, message content | United States |
Upstream data sources (not personal-data processors)
The Vera Service consumes structured news and prediction-market data from upstream sources to produce the event records and market snapshots returned by the API. These upstream relationships do not involve our customers' personal data, but we disclose them here so it is clear where the API content originates:
| Source | Role | What flows | Personal data involved? |
|---|---|---|---|
| Gloria Labs Inc. | Affiliated entity that operates the upstream AI ingestion and analytical pipeline. Data flows from Gloria Labs to Decentral Media Inc. for incorporation into the Vera API. | News events, news-to-market mappings, interpretive scoring outputs | No |
| Polymarket public APIs (Gamma, CLOB) | Source of prediction-market identifiers, prices, and resolution data. | Market metadata, price snapshots | No |
| Public news and social-media sources | Source of the news events that Gloria Labs ingests upstream of Vera. | Publicly published news content, public social posts | No, except where a public source itself contains personal data (e.g., a public tweet author's name), which we treat per its own publication context. |
Gloria Labs Inc. and Decentral Media Inc. are separate legal entities under common ownership. Personal data of Vera customers is held by Decentral Media Inc. and is not shared with Gloria Labs Inc. for its own purposes; Gloria Labs Inc. is the upstream data producer, not a downstream processor of customer data.
We do not sell personal data, we do not share personal data for cross-context behavioral advertising, and we do not provide personal data to data brokers. We do not share personal data with third parties for their own marketing purposes.
We may disclose personal data when required by law, valid legal process, or to protect the rights, property, or safety of the Company, our customers, or the public.
In the event of a merger, acquisition, financing, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction, subject to the acquiring party honoring this Policy or providing prior notice of any material change.
4. International Transfers
Decentral Media is based in the United States, and most of our processors are located in the United States. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country that has not received an adequacy decision from the relevant supervisory authority, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplemented by appropriate technical and organizational measures.
A copy of the SCCs we use is available on request to dpo@cryptobriefing.com.
5. Data Retention
| Category | Retention period |
|---|---|
| Account information (name, email, company, hashed password) | Life of the account, then deleted within 90 days of account closure, except as required for tax and accounting (see below) |
| Billing records and invoices | Seven years from the date of the invoice, for tax compliance in the United States and equivalent obligations elsewhere |
| API request logs (including request body, IP, user agent) | 90 days, after which records are aggregated into anonymous usage statistics |
| Personally identifying fields within logs (IP, account identifiers) | Stripped from log records after 30 days; only an opaque request hash remains beyond that point |
| Support correspondence | Three years from the last message in the thread |
| Marketing analytics on the public site | Aggregated only; no personally identifying retention beyond the visitor session |
Backups follow the same retention as the primary records they cover, with a maximum additional rolling window of 35 days for disaster-recovery snapshots.
Where you exercise a right to deletion (Section 7), we will delete or anonymize personal data within the windows the law requires, except where retention is necessary for one of the limited reasons recognized by GDPR Article 17(3) — for example, compliance with a legal obligation, or the establishment, exercise, or defense of legal claims.
6. Security
We follow practices appropriate to the sensitivity of the data we hold, including:
- Encryption in transit (TLS 1.2 or higher) for all client-server and inter-service traffic
- Encryption at rest for primary databases, object storage, and backups
- Scoped IAM with least-privilege access; production access requires hardware-backed multi-factor authentication
- Quarterly access reviews and immediate revocation on personnel changes
- Centralized logging with anomaly detection; alerting on unusual access patterns
- Vulnerability scanning of dependencies and infrastructure on a continuous basis
- Annual third-party penetration testing of the production environment
- A documented incident-response plan, including breach-notification procedures consistent with GDPR Articles 33 and 34 and applicable U.S. state law
No system is perfectly secure. If we become aware of a personal-data breach that creates a risk to your rights and freedoms, we will notify affected users without undue delay and, where required, the relevant supervisory authority within 72 hours.
7. Your Rights
Depending on where you live, you have some or all of the following rights regarding your personal data:
Under GDPR (EU/EEA, UK, Switzerland):
- Access (Art. 15) — confirm whether we process your data and obtain a copy
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure (Art. 17) — request deletion, subject to the exceptions in Art. 17(3)
- Restriction (Art. 18) — limit our processing while a dispute is resolved
- Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
- Objection (Art. 21) — object to processing based on legitimate interests, including marketing
- Withdrawal of consent, where processing is based on consent
- Lodging a complaint with your local supervisory authority
Under CCPA (California residents):
- The right to know what personal information we have collected, the categories of sources, the purposes, and the categories of recipients
- The right to delete personal information, subject to the exceptions in Cal. Civ. Code § 1798.105(d)
- The right to correct inaccurate personal information
- The right to opt out of sale or sharing of personal information — note that we do not sell or share personal information as those terms are defined in the CCPA
- The right to limit use of sensitive personal information — note that we do not use sensitive personal information for the purposes that would trigger this right
- The right to non-discrimination for exercising any of the above rights
To exercise any of these rights, email vera@cryptobriefing.com (general privacy requests) or dpo@cryptobriefing.com (formal data-protection inquiries). We will respond within the period required by the applicable law — generally one month under GDPR and 45 days under CCPA, with an extension where permitted. You may also designate an authorized agent to act on your behalf, subject to our verification of the agent's authority.
We will verify your identity before fulfilling a request by reference to information already associated with your account. We will not disclose personal data to anyone we cannot reasonably identify as you.
8. Direct Marketing and Email Preferences
Operational emails — receipts, security notices, service-status alerts, deprecation notices, and material changes to legal documents — are part of providing the Service and cannot be opted out of while you have an active account.
Promotional and product-update emails can be unsubscribed from at any time using the link at the bottom of each message or by emailing vera@cryptobriefing.com.
9. Children
The Service is a B2B product and is not directed at, marketed to, or intended for use by individuals under 18. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected personal data from a person under 18, we will delete it. Parents or guardians who believe their child has provided personal data to us should contact dpo@cryptobriefing.com.
10. Changes to This Policy
We may update this Policy from time to time. Where the changes are material — for example, a change in the categories of data we collect, the processors we use, or our retention practices — we will notify account holders by email at least thirty days before the change takes effect. Non-material changes (clarifications, typographical corrections) will be reflected by updating the "Last updated" date at the top of the Policy.
The current version is always available at the URL where you are reading this Policy. Prior versions are archived and available on request.
11. Contact
Privacy requests, including access, deletion, and correction: vera@cryptobriefing.com
Data Protection Officer and formal regulatory contact: dpo@cryptobriefing.com
Postal address: Decentral Media Inc. Attn: Privacy New York, NY
For data subjects in the EU/EEA or the UK, you may also contact your local supervisory authority. We will, where required, designate an EU or UK representative; the current designation, if any, is available on request.