Trust Center

Customer data lives in a SQLite database on the user's own device. Vrge does not host customer business data on its own servers.

All third-party data sources (Gmail, Calendar, Drive, etc.) connect using read-only scopes. Vrge cannot send email, modify calendars, or alter source data.

Names, emails, addresses, and dollar amounts are tokenised before any cloud AI inference call. Full-content mode requires explicit per-source opt-in with a 'what gets sent' preview.

AI-detected entities never write to the customer's database directly. Every observer-generated change requires explicit user approval through the Inbox.

Every accepted proposal can be undone within 24 hours via transactional rollback. The applied_proposals log records full snapshots for that purpose.

Each entity created via the observer carries an origin record — source event, AI model, confidence score, accept time. Auditable end-to-end.

Full export to portable JSON/CSV — entities, proposals, AI history, origin records. Works even with an expired license. No DRM, no lock-in.

Customer email, file, or business data is never submitted to any AI provider for training. Inference-only API calls, when authorised by the user.

All traffic between Vrge endpoints (website, license, auto-updater, Managed AI proxy) and customer devices uses TLS 1.2 or higher.

On the optional Team self-hosted server, user passwords are bcrypt-hashed with per-user salts. JWT for session management with rotation.

OAuth refresh and access tokens for connected sources never leave the customer's device. Vrge servers cannot impersonate connected accounts.

The marketing site uses Cloudflare Web Analytics — aggregate page views and coarse geography only, no cookies, no fingerprinting, no personal identifiers.

Triage commitment within one business day of report. Public scope and rules of engagement on the Security page. Safe-harbour language for good-faith research.

We have not yet commissioned a formal third-party penetration test. We will publish results when one is complete.

Required for Gmail/Calendar OAuth verification at restricted scopes. Pack drafted; assessment pending Google's verification process.

Targeted once Managed AI tier reaches sustained scale. We are honest that we are not certified today and will not display badges we have not earned.

Article 28 controller–processor template available. Standard Contractual Clauses (Module 2) incorporated. Sub-processor change notification with 30-day objection window.

Privacy policy details CCPA categories of information collected. We do not sell or 'share' personal information as those terms are defined under CCPA.

TRD Ventures LLC is not a HIPAA-covered entity, and Vrge is not a HIPAA-compliant system today. Customers in healthcare should not store, process, or transmit Protected Health Information through the Service.

Complete current list of third-party services that may process data on Vrge's behalf, with purpose, data categories, and jurisdiction for each.

Vrge does not collect, transmit, or store payment card data. All payments are processed by Lemon Squeezy as Merchant of Record — they are PCI DSS Level 1 compliant.

Customer business data resides where the customer chooses — their device, their self-hosted server. Vrge-operated services run primarily in the United States; the marketing site is on Cloudflare's global network.