privacy

last updated — May 2026

no personal data collected

what verifi collects

verifi analyzes behavioral and hardware signals to determine whether a visitor is human. none of this is personally identifiable:

mouse movement patterns, velocity, and tremor (8-12hz FFT analysis)
scroll behavior, physics, and micro-corrections
keystroke timing intervals — not the keys themselves
click timing, position variance, and dwell duration
cursor path curvature and overshoot detection
requestAnimationFrame vsync jitter
GPU shader render timing
audio context floating-point precision
hardware interrupt timing jitter
battery API presence
media device enumeration (count only, not device names)
JS heap variance over time
system font render timing
touch pressure and radius variance (mobile)
browser environment signals: screen dimensions, language, pointer type

verifi does not read form field values, passwords, email addresses, or any content you type.

what verifi does not collect

no raw IP addresses stored — IPs are hashed with HMAC-SHA256 before storage
no cookies set
no cross-site tracking
no personally identifiable information
no keystroke content — only inter-key timing intervals
no camera or microphone access
no form values

local storage

verifi stores a trust score and session count in your browser's IndexedDB and localStorage. this data never leaves your device in identifiable form. you can clear it at any time by clearing your browser's site data for the page you're visiting.

IP reputation

on page load, verifi queries a reputation API to retrieve your IP address, then hashes it with HMAC-SHA256 using a server-side secret before any storage. the hash is a one-way transformation — the original IP cannot be recovered from it. the hash is stored alongside a bot likelihood score (0-100) and is used to apply stricter or more lenient verification on future visits.

known malicious IP ranges sourced from public threat intelligence feeds are pre-loaded into the reputation database in hashed form.

federated learning

verifi uses a small on-device neural network to improve bot detection. after a challenge, an anonymized weight delta — a set of floating-point numbers representing what the model learned — is sent to a central server. this contains no behavioral data, only the direction the model weights moved. it is mathematically equivalent to: "this session was more or less bot-like than average."

weight deltas are averaged across all sessions globally and redistributed. no individual session can be reconstructed from a weight delta.

signed tokens

after passing verification, verifi issues a short-lived signed token (HMAC-SHA256, 5 minute expiry) containing only: site ID, issue time, expiry time, human probability score, and confidence score. no personal data. tokens are verified server-side by the site you're visiting — verifi does not log token verifications.

data retention

NN weight deltas: kept for 90 days, then deleted
IP reputation hashes: kept indefinitely, updated on each visit
site registrations (name only): kept indefinitely
no session logs, no event logs, no raw IP logs

third parties

verifi uses Supabase to store federated model weights and hashed IP reputation data. verifi is deployed on Cloudflare Pages. IP lookup on page load uses whatismyip.com to retrieve the visitor's IP address for hashing.

gdpr

verifi does not process personal data as defined by GDPR. behavioral signals are not linked to any individual and cannot be used to identify a person. IP addresses are hashed before storage and cannot be reversed. no consent banner or data processing agreement is required to use verifi.

if you believe this analysis is incorrect for your jurisdiction, contact privacy@zo0p.dev.

contact

privacy@zo0p.dev