Privacy Policy
This page is a working draft published so the site's footer links resolve. It is not final and is not legal advice. Items in [BRACKETS] require input from DVARA and its counsel, and every factual statement (subprocessors, retention periods, transfer mechanisms) must be confirmed against current operations before this page is considered effective. Do not rely on it until the DRAFT banner is removed.
Effective date: [EFFECTIVE DATE]
Controller: [LEGAL ENTITY NAME], [REGISTERED ADDRESS] ("DVARA," "we," "us"). Contact: privacy@dvarahq.com.
This Privacy Policy explains how we handle personal data when you visit our websites (dvarahq.com and its subdomains), create an account, or use the DVARA platform. It reflects the two distinct roles we play:
- DVARA as controller — for website visitors, trial signups, account holders, billing, support, and marketing. This Policy governs that processing.
- DVARA as processor — for content our customers route through the managed Cloud Service (prompts, completions, tool calls, and audit records derived from them — "Customer Content"). That processing is governed by our customers' instructions and our Data Processing Agreement ("DPA"), not by this Policy. If your data was submitted to DVARA by one of our customers, that customer is the controller — please direct privacy requests to them; we will assist them in responding.
- Self-hosted deployments — Customer Content in self-hosted installations never reaches DVARA. Telemetry from self-hosted software is opt-in and off by default.
1. Personal Data We Collect (as Controller)
| Category | Examples | Source |
|---|---|---|
| Account data | Name, work email, company, password hash, plan | You, at signup |
| Billing data | Payment card (processed by Stripe — we do not store full card numbers), billing address, transaction history | You / payment processor |
| Usage and telemetry (Cloud Service) | Feature usage events, request counts and token volumes, plan-limit consumption, dashboard activity, log and diagnostic data including IP address and user agent | Automatically |
| Website analytics | Pages viewed, referrer, approximate location (from IP), device/browser type | Automatically, via Google Analytics |
| Support and communications | Emails to support/sales, scheduler bookings (via Zoho), call notes | You |
| Marketing | Newsletter subscription, content downloads | You |
We do not intentionally collect special-category/sensitive data about you as controller, and we ask that you not include it in support communications.
Operational note on Customer Content. The Cloud Service stores audit records of governed traffic for the retention period of the customer's plan (30 days on Trial and Solo, 90 days on Starter, 1 year on Growth). Audit records may include redacted or tokenized content depending on customer configuration. This is processor-role data governed by the DPA, not by this Policy.
2. How We Use Personal Data
- Provide, operate, secure, and support the Services (contract performance).
- Process payments and manage subscriptions (contract performance / legal obligation).
- Monitor service health, prevent abuse and fraud, and enforce our Terms (legitimate interests).
- Improve the Services using telemetry and aggregated statistics (legitimate interests). We do not use Customer Content to train machine-learning models.
- Send service notices (contract performance) and, with your consent or as otherwise permitted, product news — every marketing email includes an unsubscribe link (consent / legitimate interests).
- Comply with law, respond to lawful requests, and protect rights (legal obligation / legitimate interests).
We do not sell personal data and do not share it for cross-context behavioral advertising.
3. How We Share Personal Data
We share personal data with service providers (subprocessors, for processor-role data) bound by contract to process only on our instructions:
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean | Cloud infrastructure and managed PostgreSQL for the Cloud Service | United States |
| Stripe | Payment processing | United States |
| Google Analytics | Website analytics | United States |
| Resend | Transactional email delivery | United States |
| Zoho | Demo and sales scheduling | United States |
The authoritative, current subprocessor list is maintained by DVARA and available on request; DPA customers receive advance notice of additions.
We may also disclose personal data: to comply with law or valid legal process; to protect the rights, safety, or property of DVARA, our customers, or others; and in connection with a merger, financing, or sale of assets, with notice of any resulting change in this Policy.
4. International Transfers
We are based in the United States, and the Cloud Service is hosted in the United States. Where personal data of EEA, UK, or Swiss individuals is transferred internationally, we rely on the Standard Contractual Clauses and implement supplementary safeguards as appropriate. [ATTORNEY: confirm transfer mechanism — SCCs vs EU–US Data Privacy Framework certification.] We do not currently offer non-US data residency for the Cloud Service; we will not represent residency options that are not actually available.
5. Retention
- Account and billing data: for the life of the account and 7 years thereafter, as required for tax and accounting.
- Telemetry and logs: 12 months.
- Website analytics: up to 14 months, per the Google Analytics configuration.
- Support communications: 24 months.
- Customer Content audit records (processor role): per the customer's plan retention (30 days Trial/Solo, 90 days Starter, 1 year Growth), then deleted; deleted within 30 days of account termination per the Terms.
- Trial accounts: data deleted 30 days after trial expiry.
6. Your Rights
Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time (without affecting prior processing).
- EEA / UK: rights under the GDPR / UK GDPR, including the right to complain to your supervisory authority. Our legal bases are noted in Section 2. [ATTORNEY: confirm whether an EU/UK representative under Art. 27 is required.]
- California: rights under the CCPA/CPRA to know, delete, correct, and opt out of sale/sharing (we do not sell or share as defined), and to non-discrimination.
- Other jurisdictions (for example, other US state privacy laws, Canada PIPEDA): equivalent rights as applicable.
Exercise rights by emailing privacy@dvarahq.com. We will verify your identity and respond within the legally required period. If we hold your data as a processor for one of our customers, we will refer your request to that customer.
7. Cookies and Similar Technologies
We use strictly necessary cookies for authentication and session management, and analytics cookies set by Google Analytics to understand website usage. Where required (for example, for EEA/UK visitors), we present a cookie-consent mechanism before setting non-essential cookies. [ATTORNEY: confirm cookie-consent banner scope for the final analytics configuration.] You can also control cookies through your browser settings.
8. Security
We apply administrative, technical, and physical safeguards appropriate to the data we process, including encryption in transit (TLS) and at rest, access controls, and audit logging. No system is perfectly secure; we will notify affected customers and authorities of personal-data breaches as required by law.
9. Children
The Services are not directed to children under 18, and we do not knowingly collect their data. If you believe a child has provided personal data, contact us and we will delete it.
10. Changes to This Policy
We will post updates here and revise the effective date; material changes will be notified by email or in-product notice at least 14 days in advance. The current version always governs.
11. Contact
[LEGAL ENTITY NAME]
[REGISTERED ADDRESS]
privacy@dvarahq.com
See also the Terms of Service.