
Vaarta — Privacy Policy

Last updated: [PUBLISH DATE]
Effective: [PUBLISH DATE]

This Privacy Policy explains how [LEGAL ENTITY NAME] ("Vaarta", "we", "us", "our") collects, uses, shares, and protects information in connection with the Vaarta competitive‑intelligence platform, the Vaarta Competitive Signals API, our websites at vaartahq.com and app.vaartahq.com, and related integrations (collectively, the "Service").

We act as a data controller for personal data about our customers and their authorized users, and as a data processor / data fiduciary's processor for data our customers configure us to collect and process on their behalf. Where we process personal data on a customer's instructions, our [Data Processing Addendum] governs and prevails over this Policy on conflicting points.


1. Quick summary (not a substitute for the full policy)

  • We collect the minimum needed to run the Service: account identity (via Clerk), subscription status (via LemonSqueezy, our Merchant of Record), the competitor configuration you create, optional integration credentials (e.g., Slack), and security/usage logs.
  • We never receive or store your full payment card details — those go directly to our Merchant of Record.
  • The competitive‑intelligence data we collect is gathered from publicly available sources about the companies you choose to track. It is not surveillance of private individuals.
  • We use a defined list of subprocessors (Section 12). We do not sell your personal data.
  • You have rights over your data (Section 11), including access, correction, and deletion.

2. Definitions

  • Personal data / personal information — information relating to an identified or identifiable natural person.
  • Customer — the organization (tenant) that subscribes to the Service.
  • Authorized user — an individual the Customer permits to access the Service.
  • Collected competitive data — information about third‑party companies (the Customer's "competitors") gathered by the Service from public sources.
  • Subprocessor — a third party that processes personal data on our behalf to deliver the Service.
  • Merchant of Record (MoR) — the entity that legally sells subscriptions to you, processes payment, and remits applicable taxes (for Vaarta, this is LemonSqueezy).

3. Information we collect

3.1 Account and identity data (via Clerk)

When you sign up, authentication and identity are handled by Clerk. We receive and store a limited record: your organization identifier (clerk_org_id), organization name, and the association between your account and your tenant. Your credentials, password, and social‑login tokens are held by Clerk, not by us.

3.2 Billing and subscription data (via LemonSqueezy, our Merchant of Record)

Subscriptions are sold and processed by LemonSqueezy, which acts as the Merchant of Record. LemonSqueezy collects and processes your payment information (card details, billing address, tax identifiers) as part of the transaction. We do not receive or store your full card number or CVV. We store only: a customer identifier (ls_customer_id), a subscription identifier (ls_subscription_id), your plan tier, and subscription status. LemonSqueezy's own privacy terms govern its processing of your payment data.

3.3 Service configuration data

To deliver competitive intelligence, you provide and we store: the competitor names and URLs you wish to track, optional review/profile identifiers (e.g., G2/Capterra slugs, LinkedIn URLs, stock tickers), your delivery preferences (email address for digests, time zone, cadence), and similar settings.

3.4 Integration data

If you connect optional integrations, we store the credentials and configuration needed to operate them:

  • Slack: workspace/team ID and name, the bot access token, the target channel ID, and the identity of the installing user. Used solely to post your digests and respond to your /competitor command. (See Section 8.)
  • Webhooks: the destination URL and a signing secret you configure.
  • Future integrations (e.g., HubSpot): the minimum tokens/identifiers needed to render your signals in that tool.

3.5 Usage, device, and log data

We collect technical data needed to operate, secure, and improve the Service: IP address (used for rate‑limiting and to enforce our SSRF/abuse protections), request timestamps, API key usage counts, error and delivery logs, and similar diagnostic information.

3.6 Communications

If you contact support or correspond with us, we keep those communications and any information you include.

3.7 Collected competitive data (about third parties)

On your instruction, the Service gathers information about the companies you choose to track, from publicly available sources — competitor websites and pricing/changelog pages, public review platforms (e.g., G2, Capterra), public professional/job postings, public social and news mentions (e.g., Reddit, X, news outlets), and public regulatory/financial filings (e.g., stock data, SEC EDGAR filings, public trademark records). This data is processed to detect changes and produce briefings. Where such public sources incidentally contain personal data (e.g., the name of a review author or a job poster), we process it only as needed to produce competitive signals, minimize its retention, and never use it to build profiles of those individuals.


4. How we use information

We use information to:

  1. Provide, operate, and maintain the Service (multi‑tenant collection, synthesis, and delivery of competitive signals).
  2. Authenticate users and enforce plan entitlements.
  3. Process subscriptions and manage your account (via our MoR).
  4. Deliver outputs through your chosen channels (dashboard, email, Slack, webhook, API).
  5. Secure the Service — prevent abuse, fraud, and unauthorized access; enforce rate limits and SSRF protections.
  6. Provide support and respond to requests.
  7. Improve the Service and develop features, using aggregated or de‑identified data where feasible.
  8. Comply with legal obligations and enforce our Terms.

We do not use your data for third‑party advertising, and we do not sell your personal data.


5. Legal bases (EU/UK GDPR) and notice (India DPDP)

Where the GDPR applies, we rely on: performance of a contract (providing the Service you subscribe to), legitimate interests (securing and improving the Service, preventing abuse), consent (where required, e.g., certain integrations or marketing), and legal obligation.

Where India's Digital Personal Data Protection Act, 2023 (DPDP) applies, we process personal data for the lawful purpose of providing the Service for which you have signed up, on the basis of your consent and/or the legitimate uses recognized under the Act. Our Grievance Officer is listed in Section 14.

Where US state laws (e.g., CCPA/CPRA) apply, we describe your rights in Section 11 and confirm we do not "sell" or "share" personal information as those terms are defined.


6. Automated processing and AI

The Service uses automated systems — including Google's Gemini API — to classify, score, de‑duplicate, and summarize the competitive data it collects, and to generate briefing summaries. Inputs to these AI systems consist of collected competitive data and limited configuration; we do not send your authentication credentials or payment data to these systems. We do not make decisions producing legal or similarly significant effects about individuals solely by automated means. AI‑generated summaries may contain errors and are provided for informational purposes (see our Terms).


7. Cookies and similar technologies

We use strictly necessary cookies for authentication and session management (via Clerk) and to keep the Service secure and functional. We do not use third‑party advertising or cross‑site tracking cookies. Where local law requires consent for non‑essential cookies, we will request it. [Confirm cookie inventory with counsel before publication.]


8. Slack data handling (integration‑specific disclosure)

If you install the Vaarta Slack app:

  • What we access: the ability to post messages to the channel you select during installation (chat:write, via an incoming webhook channel grant), and to receive and respond to the /competitor slash command.
  • What we store: your workspace/team ID and name, the bot token, the selected channel ID, and the installing user's identifier — in our access‑controlled database with encryption at rest.
  • What we do with it: post the digests you have configured and answer your slash‑command queries with competitive signals. We do not read your channel message history, and we request only the scopes necessary for these functions.
  • On uninstall / disconnect: revoking the app in Slack invalidates the token; you may also request deletion of the stored installation record (Section 11), which we honor without undue delay.
  • We comply with Slack's developer and data‑handling requirements for listed apps.

9. How we share information

We share personal data only as follows:

  • With subprocessors that provide infrastructure and functionality (Section 12), under contracts requiring appropriate safeguards.
  • With our Merchant of Record (LemonSqueezy) to process your subscription.
  • At your direction, with integrations you connect (e.g., posting to your Slack channel or your webhook endpoint).
  • For legal reasons — to comply with law, lawful requests, or to protect rights, safety, and the integrity of the Service.
  • In a business transfer — in connection with a merger, acquisition, or asset sale, subject to this Policy.

We do not sell personal data and do not share it for cross‑context behavioral advertising.


10. Third‑party public data sources (distinct from subprocessors)

To produce competitive intelligence, we read from public third‑party sources, including search providers and data feeds (e.g., Serper.dev, NewsData.io), web content (directly and via Firecrawl), public review/professional/social/news pages, and public financial/regulatory sources (e.g., Yahoo Finance market data, SEC EDGAR, public trademark records). These sources are data sources we collect from, not recipients of your personal data. Their own terms govern the underlying public data.


11. International data transfers

We operate from India and use infrastructure providers that may store and process data in the United States, the European Union, and other regions. Where we transfer personal data across borders, we rely on appropriate safeguards (e.g., Standard Contractual Clauses or equivalent mechanisms) as required by applicable law. [Confirm transfer mechanisms and any EU/UK representative requirement (GDPR Art. 27) with counsel.]


12. Data retention

We retain personal data only as long as necessary for the purposes described, then delete or de‑identify it:

  • Account and configuration data: for the life of your subscription and a reasonable period afterward, then deleted on request or on account closure.
  • Stored web snapshots: retained as Markdown (we do not retain raw HTML) for change detection.
  • Review content: full review bodies older than 12 months are pruned.
  • Diagnostic/collector logs: pruned after approximately 30 days.
  • Billing records: retained by our MoR and by us as required for tax/accounting law.
  • Slack installation records: retained until you uninstall or request deletion.

13. Your rights

Subject to applicable law, you may:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data ("right to erasure" / DPDP right to erasure).
  • Port your data (receive it in a portable format).
  • Object to or restrict certain processing (GDPR).
  • Withdraw consent where processing is based on consent.
  • Opt out of sale/sharing (CCPA/CPRA) — note we do not sell or share.
  • Lodge a complaint with your supervisory authority or India's Data Protection Board, and raise grievances with our Grievance Officer (Section 14).

To exercise rights, contact us at [privacy@vaartahq.com]. We verify requests and respond within the timeframe required by law. For data we process on a Customer's behalf, we will refer your request to that Customer.


14. Security

We apply administrative, technical, and organizational measures appropriate to the risk, including: encryption in transit (TLS) and at rest; access controls and the principle of least privilege; bearer‑token authentication for internal APIs; HMAC signing of webhook payloads; SSRF protections on user‑supplied URLs; and reliance on specialized providers (Clerk for authentication, LemonSqueezy for payments) for the most sensitive data. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.


15. Children

The Service is for business use and is not directed to children. We do not knowingly collect personal data from anyone under the age of [16 / 18, per applicable law]. If you believe a child has provided us data, contact us and we will delete it.


16. Changes to this Policy

We may update this Policy. We will post the revised version with a new "Last updated" date and, for material changes, provide additional notice (e.g., in‑app or by email). Continued use after the effective date constitutes acceptance.


17. Contact us


Appendix A — Subprocessors

We maintain this list and will update it as our infrastructure changes. Material additions will be notified per any applicable Data Processing Addendum.

Subprocessor | Purpose | Data processed | Region
Clerk | Authentication & identity / org management | User identity, org metadata | US / global
LemonSqueezy (Merchant of Record) | Payments, subscriptions, tax remittance | Billing & payment data, contact email | US / global
Neon | Primary database (PostgreSQL) | Account, configuration, signals, integration records | US / EU (per region)
Cloudflare R2 | Object storage (snapshots, briefing outputs) | Collected competitive content, generated briefings | Global edge
Vercel | Web application hosting | Request data, logs | US / global
Hetzner | Pipeline/compute hosting (collection & cron) | Collected data in transit/processing | EU (Germany)
Resend | Transactional email delivery (digests/briefings) | Recipient email address, message content | US / global
Google (Gemini API) | AI classification, scoring, summarization | Collected competitive data, limited config | US / global

Public data sources we read from (not recipients of your personal data): Serper.dev (search), NewsData.io (news), Firecrawl (web content retrieval), and public sources including G2, Capterra, LinkedIn, Reddit, X, news outlets, Yahoo Finance market data, SEC EDGAR, and public trademark records.

Optional, customer‑initiated recipients: Slack (if you install the Slack app); your configured webhook endpoint(s); and future integrations (e.g., HubSpot) you choose to connect.