Verity

Privacy Policy

Last updated: July 1, 2026

1. Introduction

Shadow Solutions ("we", "us", or "our"), based in Chicago, Illinois, operates the Verity hotel guest verification platform ("Verity" or the "Service"). Verity is a software-as-a-service solution that enables hotel operators to capture signed, timestamped guest attestations during check-in and to fight chargebacks through OTP verification, digital attestation, and evidence reports. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Service.

2. Information We Collect

Hotel Operator Data

When a hotel operator registers for and uses Verity, we collect:

  • Name and email address
  • Hotel name and property information
  • Account credentials (passwords are stored as cryptographic hashes)

Guest Data

On behalf of hotel operators, we collect the following information from guests during the check-in verification process:

  • Phone number (used for SMS-based verification)
  • IP address, and the approximate location derived from it
  • Precise geolocation data (GPS-based latitude, longitude, and accuracy), collected with your permission via your device's browser
  • Device information (browser type, operating system)
  • A device fingerprint (a non-reversible identifier derived from device and browser characteristics, including a canvas hash) used to detect fraud and link verification events to a device
  • Attestation timestamps
  • Credit card last 4 digits
  • Driver's license number and issuing state
  • Check-in and check-out dates

Automatically Collected Information

We automatically collect certain information when you access or use the Service:

  • Server logs (access times, pages viewed, referring URLs)
  • Usage analytics and interaction data
  • Cookies and similar tracking technologies

3. How We Use Information

We use the information we collect for the following purposes:

  • Providing the guest verification and attestation service
  • Generating compliance-ready evidence reports for chargeback disputes (Visa, Mastercard, American Express)
  • Maintaining audit trails of attestation events
  • Communicating with operators about their accounts and the Service
  • Improving, maintaining, and securing the Service

4. Data Processing Role

With respect to guest data, the hotel operator acts as the data controller, determining the purposes and means of processing guest personal information. Verity and Shadow Solutions act as the data processor, processing guest data solely on behalf of and under the instructions of the hotel operator. Hotel operators are responsible for ensuring they have the appropriate legal basis for collecting and processing guest data through the Service.

5. SMS Communications

Verity uses SMS messaging exclusively for transactional purposes related to the check-in verification process. We do not send marketing or promotional messages to guests. SMS messages are delivered through our integration with Twilio. The hotel operator is responsible for obtaining appropriate guest consent before initiating the SMS-based verification process.

6. Data Sharing

We do not sell personal information. We may share information with the following categories of recipients:

  • Twilio — for SMS delivery as part of the verification process
  • Amazon Web Services (AWS) — for hosting, data storage (S3), transactional email (SES), and document text extraction (Textract) during driver's license verification
  • Vercel — for hosting the web application
  • Stripe — for hotel operator billing only (not guest payment data)
  • ipwho.is — for deriving an approximate location from an IP address during verification
  • Google Maps and OpenStreetMap Nominatim — for geocoding and map display in verification and reporting
  • Law enforcement — when required by valid legal process (subpoena, court order, or equivalent)
  • Card networks — only when a hotel operator generates a chargeback dispute evidence report, which may be submitted to Visa, Mastercard, or American Express

7. Data Security

We implement industry-standard security measures to protect the information we process, including:

  • Encryption of data at rest and in transit
  • Role-based access controls
  • Regular security audits and vulnerability assessments
  • Hosted on Amazon Web Services infrastructure that is itself SOC 2 Type II and PCI DSS Level 1 certified (these are Amazon's data-center certifications)

8. Data Retention

Guest attestation data is retained for 18 months after the guest's check-out date, after which it is permanently deleted. This window supports chargeback dispute cycles, which are typically 120 days but may extend longer for certain dispute categories. Records connected to an open dispute are retained until the dispute is resolved. Hotel operators may request earlier deletion of their data by contacting us, subject to any legal or contractual retention obligations.

9. Your Rights

Hotel operators may exercise the following rights with respect to their data:

  • Access and review data stored in your Verity account
  • Export attestation records and reports
  • Request deletion of your account and associated data

Guests should contact the hotel operator directly to exercise any data rights (access, correction, deletion) related to their personal information. As a data processor, we will assist hotel operators in responding to such requests.

10. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

11. International Data

All data collected through the Service is stored and processed in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer and processing.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify hotel operators of material changes by email and/or by posting a prominent notice on the Service. Changes become effective upon posting unless otherwise stated. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

13. Contact

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Shadow Solutions

Chicago, Illinois

Email: privacy@shadowsolutions.tech