Legal
GDPR
Last updated: 15 April 2026
The General Data Protection Regulation (GDPR) and its UK equivalent (UK GDPR) set out rules for how personal data must be collected, used, and protected. This page explains how Verizap Technologies Pvt. Limited - the Indian company behind Filto - operates under these frameworks, both as a service provider to EU/UK customers and as a data processor acting on behalf of our clients.
1. Overview
Verizap Technologies Pvt. Limited (“Verizap”), incorporated in India and operating the Filto product, is committed to compliance with GDPR and UK GDPR where those regulations apply - specifically when processing personal data of individuals located in the EU or UK. This applies to how we handle data about our own customers and how we process data on behalf of clients using our verification services.
As an Indian company, Verizap also complies with India's Digital Personal Data Protection Act 2023 (DPDP Act) in respect of Indian data subjects.
Our platform is designed with data minimisation and purpose limitation as defaults: we collect only what we need, process it only for defined purposes, and delete it when it is no longer required.
2. Dual Roles: Controller and Processor
Filto operates in two distinct GDPR roles depending on context:
Data Controller
Verizap Technologies Pvt. Limited is the data controller for personal data we collect about our own customers - account information, billing data, usage data, and communications. We determine why and how this data is processed.
This is governed by our Privacy Policy.
Data Processor
When our clients submit contact or company records to the Filto platform for verification, Verizap acts as a data processor. The client is the data controller - they determine what data to submit and for what purpose. Verizap processes it only as instructed.
As a processor, we process Client Data only to provide the requested verification service, and never for our own independent purposes. Enterprise clients can request a Data Processing Agreement (DPA) that formalises this relationship.
3. Lawful Bases for Processing
We identify a lawful basis for each category of personal data processing. The primary bases we rely on are:
4. Data Subject Rights
Under GDPR and UK GDPR, individuals have the following rights regarding their personal data. Filto will respond to all valid requests within 30 days.
Right of access (Article 15)
You may request a copy of all personal data we hold about you, along with information about how it is processed.
Right to rectification (Article 16)
You may ask us to correct inaccurate or incomplete personal data.
Right to erasure (Article 17)
You may request deletion of your personal data. This right is subject to legal retention obligations.
Right to restrict processing (Article 18)
In certain circumstances, you may ask us to pause processing of your data while a dispute is resolved.
Right to data portability (Article 20)
You may receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21)
You may object to processing based on legitimate interest, including direct marketing. We will cease such processing unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent (Article 7)
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, submit a request via the privacy page. You also have the right to lodge a complaint with a supervisory authority - in the UK, the Information Commissioner's Office (ICO); in the EU, your national DPA.
5. International Data Transfers
Verizap Technologies Pvt. Limited is incorporated in India. Where personal data of EU or UK individuals is transferred to and processed in India, we ensure appropriate safeguards are in place. India is not currently the subject of an EU or UK adequacy decision, so transfers are covered by:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third countries
- UK International Data Transfer Agreements (IDTAs) for transfers from the UK
- Additional technical and organisational safeguards including encryption and access controls
Our primary infrastructure is hosted on Hetzner Cloud within the EEA. Processing by Verizap personnel in India is governed by the transfer mechanisms above. A copy of applicable SCCs or IDTAs is available to enterprise clients on request.
6. Sub-processors
Verizap uses a limited number of sub-processors to operate the Filto platform. All sub-processors are bound by data processing agreements that require them to maintain standards consistent with GDPR requirements.
Sub-processors are used for the following categories of services:
- Cloud infrastructure and hosting
- Payment processing
- Customer support tooling
- Error monitoring and observability
- Analytics (subject to cookie consent)
Enterprise clients can request a full sub-processor list as part of the DPA process.
7. Data Processing Agreement
Clients who require a formal Data Processing Agreement (DPA) - for example, to meet their own GDPR compliance obligations - can request one. The DPA governs Verizap Technologies Pvt. Limited's role as a data processor when handling Client Data submitted for verification.
The DPA covers:
- Subject matter, nature, and purpose of processing
- Categories of data subjects and personal data
- Verizap's obligations as processor (Article 28 GDPR)
- Sub-processor authorisation and notification
- Security measures
- Data subject rights assistance
- Deletion and return of data on termination
Contact us to request a DPA.
8. Contact
For any GDPR-related queries - including DPA requests, data subject rights, or general compliance questions - submit a request via the privacy page.
We will respond within 30 days. If your request is complex or involves a large volume of data, we may extend this period by a further two months, in which case we will inform you.