Privacy Policy/Last Updated: Apr 24, 2026

Privacy Policy

This Privacy Policy explains how Varto collects, uses, discloses, and protects information when you access or use our websites, applications, and related services (the "Services"). Last updated April 24, 2026.


1. Who We Are / Contact

Varto is a product of Varto OS LLC, a business management platform for service professionals. For privacy questions, data requests, or to exercise your rights, contact us at: support@varto.business.

2. Key Definitions

Provider
A Varto account holder — the business owner or operator using our platform.
End Customer
A Provider's customer (e.g., someone booking an appointment or receiving an invoice).
Customer Data
Information that a Provider or End Customer submits to the Services — client records, bookings, invoices, messages, and uploaded content.

3. Roles: Provider vs. End Customer

Varto provides the platform that Providers use to run their business operations.

Important Distinction
  • Provider Data: We act as a data controller for account information we collect directly from Providers.
  • Customer Data: We act as a data processor on behalf of Providers for Customer Data (client lists, bookings, invoices).

Providers are responsible for ensuring they have the legal right to collect, use, and share Customer Data with Varto, including compliance with applicable data protection and marketing laws. We generally do not have a direct relationship with End Customers — End Customers should contact the relevant Provider for requests related to their personal data.

4. Information We Collect

A. Information You Provide Directly
  • Provider Profile: Email, business name, settings, and branding assets.
  • Customer Data: Client contacts, bookings, invoices, expenses, messages, and uploaded files (including images and documents).
  • Support: Support requests, communications, and technical metadata you submit.
B. AI-Powered Features

If you use AI features, certain data is sent to third-party AI providers to deliver functionality. Below is a breakdown of what data is sent to each provider and for what purpose.

OpenAI (GPT-4o, Whisper)
  • Audio recordings → speech-to-text transcription
  • Message text, client name & service type → message composition & language translation
  • Aggregated business metrics → daily briefing generation
  • Project descriptions → estimate pricing suggestions
  • Intake form responses → summarization for provider review

Privacy policy: openai.com/policies/privacy-policy

Google (Gemini, Cloud Vision)
  • Receipt & invoice images → data extraction and parsing
  • Service names & descriptions → AI-generated cover photo creation
  • Receipt images → OCR text extraction (optional fallback)

Privacy policy: policies.google.com/privacy

Anthropic (Claude)
  • Receipt & invoice images → data extraction and parsing (alternative provider)

Privacy policy: anthropic.com/privacy

AI Data Handling
Data is processed in real-time and not used by Varto to train AI models. AI providers may temporarily retain data (typically up to 30 days) for abuse prevention and safety monitoring, after which it is deleted in accordance with their policies.

C. Payment & Subscription Information

We do not store your full credit card number, CVV, or banking credentials. Payments are processed by third-party processors. We receive only limited metadata needed to manage your subscription.

Web subscriptions (Stripe)

We receive a customer identifier, card brand and last four digits, billing country, and subscription status — used to provision your subscription, display billing history, and comply with tax obligations.

Privacy policy: stripe.com/privacy

iOS App Store (Apple)

We receive only a transaction identifier, product ID, subscription status, renewal date, and original transaction date — used to grant Pro access in your Varto account.

Privacy policy: apple.com/legal/privacy

Android Google Play (Google)

We receive only the purchase token, product identifier, and subscription state — used to grant Pro access in your Varto account.

Privacy policy: policies.google.com/privacy

Subscription state sync (RevenueCat)

We use RevenueCat to synchronize subscription status across iOS and Android. RevenueCat receives an anonymous user identifier and subscription metadata — not payment credentials. Used solely to keep your Pro entitlement accurate across devices.

Privacy policy: revenuecat.com/privacy

Subscription and transaction metadata may be retained for up to 7 years to comply with tax, audit, and fraud-prevention obligations. Your payment credentials are never retained by Varto.

D. Automatically Collected Information
  • Device Information: Device type, OS version, unique identifiers, and mobile network information.
  • Usage Data: Feature usage, session activity, crash reports, and in-app interactions.
  • Log Data: IP address, browser type, access timestamps, and pages accessed.

5. Cookies & Tracking Technologies

We use cookies and similar technologies to operate and improve the Services.

  • Essential Cookies: Required for core functionality — keeping you logged in, maintaining session state. Cannot be disabled.
  • Analytics Cookies: Help us understand how the Services are used (e.g., Google Analytics, PostHog). You can opt out via your browser settings or cookie preferences.
  • Do Not Track (DNT): Our systems do not currently respond to browser "Do Not Track" signals.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Services.

6. Mobile Application & Device Permissions

When you use the Varto mobile app, we may request access to certain device features. All permissions are optional and can be denied or revoked at any time through your device settings.

A. Camera & Photo Library

Used to photograph receipts, documents, and service images. Images are processed for expense tracking and AI-powered receipt scanning. We do not access your camera or photos without your explicit action.

B. Contacts

With your permission, you can import contacts to quickly add clients. We only access contacts you explicitly choose to import. Contact data is not shared with third parties for marketing.

C. Calendar

Allows the app to sync appointments and bookings with your device calendar. We only read and write events related to Varto bookings.

D. Microphone

Enables voice memo and voice-to-invoice features. Audio is processed using AI transcription services and is not stored permanently on our servers after processing.

E. Push Notifications

Used to send booking reminders, payment updates, and account notifications. Manage preferences in app settings or disable entirely through your device settings.

F. Secure Storage

Authentication tokens are stored using device-secure storage (Keychain on iOS, Keystore on Android). This data never leaves your device and is protected by your device's security features.

Data We Do NOT Collect
  • Precise location data or GPS coordinates
  • Health or fitness data
  • Biometric data (Face ID / Touch ID are handled by your device, not our app)
  • Cross-app or cross-site tracking data
  • We do not sell personal data to advertisers or data brokers

7. How We Use Information

We use the information we collect to:

  • Operate and maintain the Services
  • Provide AI-powered features (receipt scanning, voice transcription, message composition)
  • Process subscriptions and send transactional notifications
  • Sync your data across devices
  • Send push notifications for bookings and reminders
  • Improve and develop new features
  • Prevent fraud, abuse, and enhance security
  • Comply with legal obligations

We may use anonymized and aggregated data derived from Service usage to improve our products and for analytics. This data does not identify you or your clients.

8. How We Share Information

We do not sell personal information. We share data only as described below.

Service Providers (Subprocessors)

These providers process data on our behalf and under our instructions:

  • Supabase: Database & authentication
  • Stripe: Web billing
  • Apple Inc.: iOS in-app purchases
  • Google LLC: Android in-app purchases
  • RevenueCat: Subscription state sync
  • Brevo: Transactional email delivery
  • OpenAI: AI processing (transcription, message composition, briefings)
  • Google (AI): AI processing (receipt extraction, cover images, OCR)
  • Anthropic: AI processing (receipt extraction, alternative provider)
  • Cloudflare Turnstile: Bot protection / CAPTCHA
  • Expo: Push notifications

Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Varto, our users, or the public.

Business Transfers

In connection with a merger, acquisition, restructuring, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

9. Data Retention

  • Account Data: Retained while your account is active and for 30 days after a deletion request, during which you may cancel the request.
  • Customer Data: Retained until deleted by the Provider or until account closure, unless required by law to retain longer.
  • AI Processing Data: Not stored permanently by Varto. AI providers may temporarily retain data for up to 30 days for safety monitoring, after which it is deleted and never used for model training.
  • Subscription & Transaction Metadata: Retained for up to 7 years to comply with tax, audit, and fraud-prevention obligations.
  • Backup Data: May persist in encrypted backups for up to 90 days after deletion.

After the applicable retention period, data is permanently and irreversibly removed from our systems.

10. Security

We implement industry-standard safeguards to protect your data:

  • Encryption in Transit: TLS 1.3 for all data in transit.
  • Encryption at Rest: AES-256 for stored data.
  • Authentication: Secure token-based authentication with automatic expiration.
  • Access Controls: Row-level security ensures you can only access your own data.
  • Infrastructure: Hosted on SOC 2 compliant cloud infrastructure.

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security, and you use the Services at your own risk. If you believe your account has been compromised, contact us immediately at support@varto.business.

11. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. Data protection laws in these countries may differ from those in your jurisdiction.

Where required by applicable law (such as GDPR), we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms to ensure adequate protection for international transfers of personal data.

12. Your Choices & Rights

For Providers
Access & Portability

Export your data at any time through Account Settings, or contact us to request a complete data export.

Deletion

Delete your account and all associated data through Account Settings. Deletion includes a 30-day grace period. After the grace period, all data is permanently removed.

Marketing Opt-Out

Unsubscribe via links in any marketing email. Reply STOP to SMS. Manage push notification preferences in app settings.

Device Permissions

Revoke any mobile app permission at any time through your device's Settings app.

For End Customers

Requests related to personal data held by a Provider (e.g., client records) should be directed to that Provider, as they control that data. If you believe a Provider is misusing your data, you may contact us at support@varto.business.

California Residents (CCPA)

You have the right to know what personal information we collect about you, request deletion of that information, and opt out of the sale of personal information (we do not sell personal information). Contact us to exercise these rights. We will not discriminate against you for exercising your privacy rights.

European Economic Area Residents (GDPR)

You have the right to access, rectify, erase, restrict processing of, and port your personal data, and to object to certain processing. Our legal bases for processing are contract performance and legitimate interests. Contact us to exercise these rights. You also have the right to lodge a complaint with your local supervisory authority.

13. Children's Privacy

The Services are not intended for children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at support@varto.business and we will delete it promptly.

14. Automated Decision-Making

We do not use automated decision-making processes that produce legal or similarly significant effects on individuals. AI features in the Services (such as estimate pricing suggestions or message composition) are tools to assist Providers — all final decisions remain with the human user.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated policy on this page with a revised "Last Updated" date. For material changes, we will make reasonable efforts to notify you (e.g., via email or an in-app notice). Your continued use of the Services after changes are posted constitutes your acceptance of the updated policy.

We encourage you to review this page periodically to stay informed about how we protect your information.
