AWS: "AI/ML Disruptor of the Year 2025"
IDC: "Zamp is redefining finance operations"
GARTNER: "Cool Vendor for Agentic AI"
ZINNOV CONFLUENCE 2025: "Zamp CEO speaks on Enterprise AI adoption"

Privacy Policy

This Privacy Policy ("Policy") explains how Varni Labs ("Varni", "we", "us", "our") collects, uses, discloses, and protects personal data when providing our B2B SaaS services to finance teams at businesses, and through our websites and platforms. We are committed to transparency and compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), and to maintaining robust security standards (such as SOC 2 Type 2, SOC 1 Type 2, and ISO/IEC 27001 certifications) suitable for enterprise clients.
Scope: Our services are intended for use by businesses. This Policy covers personal data for which Varni Labs is a data controller (for example, business contact and account information). When our customers upload documents containing personal data to our service, we act only as a data processor on behalf of the customer (the data controller). Such Service Data is processed according to our customer agreements and this Policy may not apply to how the customer handles that data. If you are an individual whose data has been submitted to Varni Labs by one of our business customers (for example, your information appears in an invoice processed through our service), please direct any privacy questions or requests to that business.
1. Definitions
For clarity in this Policy, we use the following definitions:
  • "Personal Data" means any information relating to an identified or identifiable natural person (data subject). This includes information such as names, contact details, identification numbers, online identifiers, or other factors specific to an individual.
  • "Processing" means any operation performed on Personal Data, such as collection, recording, organization, storage, alteration, retrieval, use, disclosure, or deletion.
  • "Services" refers to Varni Labs' cloud-based software platform and related services which allow business users (finance teams) to process financial documents (e.g. invoices, purchase orders) and associated data.
  • "Client" (or "Customer") means a business entity that has subscribed to or is using Varni Labs' Services.
  • "User" means an individual authorized by a Client to use our Services (e.g. a Client's employee or contractor).
  • "Service Data" means any data, including Personal Data, that Clients or Users upload or submit to our Services (such as the content of invoices, purchase orders, or other financial documents).

Other capitalized terms not defined here shall have the meanings ascribed to them in our Terms of Service or applicable agreements.

2. Information We Collect
We collect several categories of information in the course of operating our business and providing the Services:

2.1 Personal Data You Provide Directly

  • Business Contact and Account Information: When Clients or Users create an account or contact us, we collect information such as full name, work email address, phone number, job title, company name, billing address, and password. We use this information to create and manage user accounts, verify identity, provide login access, and communicate about account administration or customer support.
  • Financial Document Content: If you upload or process financial documents (e.g. invoices, purchase orders, receipts) through our Services, the documents may contain Personal Data. This could include names and contact details of your company's employees or business partners, vendor or customer information (names, addresses, phone numbers, email addresses), signatures, purchase details, and other information appearing on the documents. Varni Labs stores and processes this content solely to provide the Services. Note: When processing this document content, Varni Labs acts as a data processor on behalf of the Client.
  • Communications and Support: If you fill out a form on our website, participate in surveys, request a demo, contact us via email or chat, or otherwise communicate with us, you may provide Personal Data such as your name, contact information, and the content of your inquiry.
  • Job Application Information: If you apply for a job with Varni Labs, we will collect the information you submit in your application (such as your resume/CV, employment history, education, and contact details).

2.2 Personal Data Collected Automatically

  • Usage Data and System Metadata: When you interact with our website or use our Services, we automatically collect technical information about your usage. This includes IP address, device type, operating system, browser type, pages or screens visited, actions taken within our app, dates/times of access, and other usage logs or analytics data.
  • Cookies and Similar Technologies: Our website uses cookies and similar technologies to collect some of the usage data mentioned above. Cookies are small text files placed on your device that help us remember your preferences and understand website traffic.
  • Third-Party Sources: We generally collect Personal Data directly from you or through your use of our Services. In some cases, we might receive personal information about you from third-party sources.

2.3 Sensitive Personal Data

Varni Labs' intention is to avoid collecting sensitive personal data (such as government-issued ID numbers, financial account passwords, health information, etc.) unless necessary. Our website and Services are not directed to children under 16, and we do not knowingly collect information from anyone under 16.

3. Purpose of Processing Personal Data
We Process Personal Data for the following purposes, and we ensure that each use of your data has a lawful basis:
  • Providing and Improving the Services: To operate our SaaS platform and deliver features to our Clients and Users. This includes processing documents and data as instructed by Clients, managing user accounts, authenticating users, performing analyses and extractions on financial documents, and customizing the user experience.
  • Communications and Customer Support: To communicate with you about your use of the Services, send you important updates or notifications (such as changes in functionality, security alerts, or support messages), and respond to your inquiries or support requests.
  • Marketing and Informational Updates: To send promotional materials, newsletters, or information about new products, services, or events that may be of interest to our enterprise clients. We do not sell your personal data to third parties for marketing or any other purposes.
  • Analytics and Business Operations: To conduct internal analytics such as measuring user engagement, conversion rates, or other business performance metrics. We use aggregated or de-identified data wherever possible for these purposes.
  • Compliance with Legal Obligations: To fulfill our legal or regulatory requirements. For example, we may process certain data to comply with finance and tax laws, to respond to lawful requests by public authorities, or to meet accountability standards under data protection laws.
  • Enforcement and Protection of Rights: To enforce our Terms of Service and other agreements, and to protect the rights and safety of Varni Labs, our users, or others.

We will not use Personal Data for new purposes that are incompatible with the above without providing you notice and, if required, obtaining your consent.

4. Sharing of Personal Data
We value your privacy and disclose Personal Data only in the ways described in this Policy. We do not sell personal information to third parties. However, we may share Personal Data with the following categories of recipients:
  • Service Providers (Subprocessors): Varni Labs uses trusted third-party companies to support and enhance our Services. These subprocessors may include cloud hosting providers, data center operators, email and notification services, customer support software, analytics tools, payment processors, and similar service providers. All our service providers are bound by contractual obligations to process Personal Data only under our instructions.
  • Business Partners: In some cases, we may partner with other companies to deliver certain services or integrations. Such sharing will be governed by contract and limited to what is needed for the integration or service requested.
  • Affiliates: If Varni Labs is part of a group of companies, we may share Personal Data with our corporate affiliates for purposes consistent with this Policy.
  • Legal Compliance and Protection: We may disclose Personal Data if required to do so by law or legal process, or if we have a good-faith belief that such disclosure is necessary to comply with applicable laws, regulations, legal obligations or governmental requests; enforce our contracts and terms; or protect the rights, property, or safety of Varni Labs, our customers, or the public.
  • Business Transfers: If Varni Labs is involved in a merger, acquisition, sale of assets, bankruptcy, or other corporate change, Personal Data may be transferred to a successor or affiliate as part of that transaction.
5. International Data Transfers
Varni Labs is a global service provider, and the Personal Data we collect may be transferred to or accessible by Varni Labs offices, affiliates, or service providers in countries other than your own. In particular, if you are located in the European Economic Area (EEA) or United Kingdom, your Personal Data may be transferred to countries outside the EEA/UK (for example, to the United States or India).

Whenever we transfer Personal Data across national borders, we take steps to ensure that appropriate safeguards are in place to protect your data. In cases where data is transferred from the EEA/UK to a country that is not deemed to have "adequate" data protection by the European Commission, we rely on legally recognized transfer mechanisms such as Standard Contractual Clauses (SCCs) or other approved safeguards.

Our goal is to ensure that your Personal Data remains protected no matter where it is processed. You can contact us for more information about the safeguards we have in place for international data transfers.

6. Legal Basis for Processing (GDPR/UK GDPR)
If you are an individual in the EEA, UK, or another jurisdiction with similar legal requirements, Varni Labs must have a valid lawful basis to process your Personal Data. We process Personal Data under one or more of the following legal bases:
  • Performance of a Contract: We process Personal Data when it is necessary to fulfill our obligations under a contract with you or your company.
  • Legitimate Interests: We process Personal Data as needed for Varni Labs' legitimate interests, provided that our interests are not overridden by your data protection rights. Our legitimate interests include: delivering and improving our Services; understanding how customers use our products; ensuring IT security and fraud prevention; marketing our services to business contacts; and exercising or defending legal claims.
  • Consent: In certain cases, we rely on your consent to process Personal Data. You have the right to withdraw consent at any time, and we will cease processing your data for the purpose you consented to going forward.
  • Legal Obligation: We process Personal Data when necessary for compliance with a legal obligation to which Varni Labs is subject.
  • Vital Interests and Public Interest: While unlikely, we may process data to protect someone's vital interests or for a task in the public interest, if relevant legal standards are met.
7. Data Security Measures
Varni Labs takes data security very seriously and implements appropriate technical and organizational measures to safeguard Personal Data against unauthorized access, alteration, disclosure, or destruction.

Our key security measures include:

  • Encryption: We employ encryption to protect Personal Data in transit and at rest. Data transmitted between your device and our platform is secured via TLS/SSL encryption, and sensitive data stored on our servers is encrypted at the database or disk level.
  • Access Controls: We maintain strict access controls over Personal Data. Only authorized Varni Labs personnel and our subprocessors who need access to perform their duties are permitted to access client data, on a least-privilege principle.
  • Monitoring and Testing: Our systems are continuously monitored for security events. We use firewalls, intrusion detection systems, and antivirus/anti-malware tools. Regular vulnerability scans, penetration testing, and security assessments are conducted.
  • Secure Development Practices: We follow secure coding standards and privacy by design principles in our software development lifecycle.
  • Certifications and Audits: Varni Labs maintains compliance with recognized information security standards and undergoes regular independent audits. We have achieved SOC 2 Type 2 and SOC 1 Type 2 attestation, and are ISO/IEC 27001 certified.
  • Organizational Policies: We have implemented company-wide security and privacy policies, including employee training on data protection, incident response procedures, and vendor risk management.
8. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Policy or as required or permitted by law. In general, this means:
  • Account and Profile Data: For active Clients and Users, we retain your account information for the duration of the business relationship. If you cease using the Services or your account is terminated, we will delete or anonymize your Personal Data within a reasonable period after account closure, except where we need to keep it for legitimate business or legal purposes.
  • Service Data (Uploaded Documents): Documents and data you upload to the platform are stored per the settings of your account. You or your organization may have control over how long document data is kept.
  • Communications and Support Inquiries: If you correspond with us, we may retain those communications as long as necessary to resolve your query and for our records.
  • Logs and Analytics: Our system logs and analytics data are generally retained only for a short period for the purposes of analysis and security.
  • Legal Retention Requirements: In certain cases, we need to retain Personal Data for a longer period if required by applicable laws or regulations.

When we no longer have a legitimate business need or legal requirement to retain Personal Data, we will either delete it or anonymize it in a secure manner.

9. Data Subject Rights (GDPR and Equivalent Laws)
Individuals in the EEA, UK, and certain other jurisdictions have specific rights regarding their Personal Data. Subject to the conditions and exceptions set out in applicable law, the following rights may be available to you:
  • Right to Access: You have the right to request confirmation of whether we are processing your Personal Data, and if so, to request a copy of the Personal Data we hold about you.
  • Right to Rectification: You have the right to request that we correct or update any inaccurate or incomplete Personal Data that we hold about you.
  • Right to Erasure: You have the right to request that we delete your Personal Data in certain circumstances (also known as "the right to be forgotten").
  • Right to Restrict Processing: You have the right to ask us to restrict or suspend the processing of your Personal Data in certain scenarios.
  • Right to Data Portability: You have the right to request a copy of certain Personal Data in a structured, commonly used, machine-readable format.
  • Right to Object: You have the right to object to our processing of your Personal Data in some cases. You can object at any time if we are processing your Personal Data for direct marketing purposes.
  • Right to Withdraw Consent: If we rely on consent to process your Personal Data, you have the right to withdraw that consent at any time.
  • Right not to be subject to Automated Decisions: Varni Labs does not make any legally significant decisions about you solely by automated means.
  • Right to Complain: If you believe we have infringed your data protection rights, you have the right to lodge a complaint with a supervisory authority.

To exercise any of your rights, please contact us using the information in the Contact section below.

10. Compliance with Standards and Certifications
Varni Labs is committed to maintaining compliance not only with applicable privacy laws such as GDPR, but also with recognized industry standards for security and privacy.
  • GDPR Compliance: We have implemented a comprehensive data protection program aligned with the GDPR's principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. We also offer a Data Processing Addendum (DPA) to our customers.
  • SOC 2 Type 2: We undergo annual SOC 2 Type 2 audits conducted by independent auditors. This audit evaluates the effectiveness of our controls over the Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, and Privacy).
  • SOC 1 Type 2: Varni Labs also maintains a SOC 1 Type 2 attestation, which focuses on controls relevant to customers' financial reporting.
  • ISO/IEC 27001: We are certified under ISO/IEC 27001, an international standard for information security management. This certification means Varni Labs has implemented a robust Information Security Management System (ISMS).
11. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or how Varni Labs handles your Personal Data, please contact us:

Varni Labs Privacy Team

Email: security@zamp.ai

Address: Varni Labs, 1234 Enterprise Drive, Suite 567, San Francisco, CA 94016, USA

Our GDPR Representatives

If you are a resident of the EEA/EU, under the GDPR you can contact our representatives here for any DSAR (Data Subject Access Request) or any other query about how we handle and secure your data:

Email: art-27-rep-VarniLabs@rickert.law

Address: Rickert Rechtsanwaltsgesellschaft mbH

-Varni Labs Pte Ltd. -

Colmantstraße 15

53115 Bonn

Germany

Data Protection Officer

If we have appointed a Data Protection Officer, you may reach them at dpo@zamp.ai.

12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational or regulatory reasons. When we make updates, we will change the "Last Updated" date at the top of this Policy. For significant changes, we will provide a more prominent notice – such as via email notification to account owners or by placing a notice on our website.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of our Services after any modifications to this Policy will constitute your acknowledgment of the changes and agreement to be bound by the updated Policy, where permitted by law.

By using Varni Labs' Services or website, you acknowledge that you have read and understood this Privacy Policy. We appreciate the trust you place in us to handle your data responsibly. If you have any questions or feedback about this Policy, please do not hesitate to contact us at the email or address provided above.
