Privacy Policy

Last Updated: Feb 20, 2026

This Privacy Policy explains how Varto collects, uses, discloses, and protects information when you access or use our websites, applications, and related services.


1. Who We Are / Contact

For privacy questions or requests, contact: support@varto.business.

2. Key Definitions

Provider
A Varto account holder (the business owner/operator).
End Customer
A Provider's customer (e.g., someone booking an appointment).
Customer Data
Information that a Provider (or End Customer) submits (e.g., client records, invoices).

3. Roles: Provider vs. End Customer

Varto provides the platform that Providers use to run their business operations.

Important Distinction
  • Provider Data: We act as a controller for your account info.
  • Customer Data: We act as a processor for your client list and bookings.

4. Information We Collect

A. Information you provide directly
  • Provider Profile: Email, business name, settings, and branding assets.
  • Customer Data: Client contacts, bookings, invoices, expenses, and messages.
  • Support: Tickets and technical metadata you submit.
B. Content for AI Features

If you use AI features, certain data is sent to third-party AI providers for processing. You will be asked to consent before any data is sent. Below is a breakdown of which data is sent to each provider and for what purpose.

OpenAI (GPT-4o, Whisper)
  • Audio recordings → speech-to-text transcription (Whisper)
  • Message text, client name & service type → AI-enhanced message composition & language translation
  • Aggregated business metrics (invoice counts, appointment counts, event titles) → daily briefing generation
  • Project descriptions → AI estimate pricing recommendations
  • Intake form responses → summarization for provider review

Privacy policy: openai.com/policies/privacy-policy

Google (Gemini, Cloud Vision)
  • Receipt & invoice images → data extraction and parsing (Gemini)
  • Service names & descriptions → AI-generated cover photo creation (Gemini)
  • Receipt images → OCR text extraction (Cloud Vision, optional fallback)

Privacy policy: policies.google.com/privacy

Anthropic (Claude)
  • Receipt & invoice images → data extraction and parsing (alternative provider)

Privacy policy: anthropic.com/privacy

Data is processed in real-time and is not used for model training. AI providers may temporarily retain data for up to 30 days for abuse monitoring and safety, after which it is deleted.

C. Payment Information

We use third-party processors (e.g., Stripe). We do not store full credit card numbers.

D. Automatically Collected Information
  • Device Information: Device type, operating system version, unique device identifiers, and mobile network information.
  • Usage Data: App interactions, feature usage patterns, session duration, and crash reports.
  • Log Data: IP address, browser type, access times, and pages viewed.

5. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to track the activity on our Service and store certain information.

  • Essential Cookies: Required for the operation of the Service (e.g., keeping you logged in).
  • Analytics Cookies: Help us understand how you use the Service (e.g., Google Analytics, PostHog). You can typically opt out of these via your browser settings.
  • Do Not Track (DNT): Our systems currently do not respond to browser "Do Not Track" signals.

6. Mobile Application & Device Permissions

When you use the Varto mobile application, we may request access to certain device features. These permissions are optional and you can deny or revoke them at any time through your device settings.

A. Camera & Photo Library

We request camera access to allow you to photograph receipts, documents, and service images. Photo library access allows you to select existing images. Images are processed for expense tracking and AI-powered receipt scanning. We do not access your camera or photos without your explicit action.

B. Contacts

With your permission, you can import contacts from your device to quickly add clients. We only access contacts you explicitly choose to import. Contact data is stored securely and is not shared with third parties for marketing purposes.

C. Calendar

Calendar access allows the app to sync your appointments and bookings with your device calendar. This is a two-way sync that helps you manage your schedule. We only read and write events related to Varto bookings.

D. Microphone

Microphone access enables voice memo features for creating invoices and notes. Audio recordings are processed using AI transcription services and are not stored permanently on our servers after processing.

E. Push Notifications

We send push notifications for booking reminders, payment updates, and important account information. You can manage notification preferences in app settings or disable them entirely through your device settings.

F. Secure Storage

We use your device's secure storage (Keychain on iOS, Keystore on Android) to safely store authentication tokens. This data never leaves your device and is protected by your device's security features.

Your Control

You can revoke any permission at any time through your device's Settings app. Some features may not function without certain permissions, but core app functionality will remain available.

G. Data We Do NOT Collect
  • We do not collect precise location data or GPS coordinates.
  • We do not collect health or fitness data.
  • We do not collect biometric data (Face ID/Touch ID are handled by your device, not our app).
  • We do not track you across other apps or websites.
  • We do not sell your data to advertisers or data brokers.

7. How We Use Information

We use information to:

  • Operate and maintain the Services
  • Process payments and send transactional notifications
  • Sync your data across devices
  • Provide AI-powered features (receipt scanning, voice transcription)
  • Send push notifications for bookings and reminders
  • Improve our services and develop new features
  • Prevent fraud and ensure security
  • Comply with legal obligations

8. How We Share Information

We do not sell personal information. We disclose info to:

  • Service Providers: We share data with the following third-party services as needed to operate the platform:
    • Database & Authentication: Supabase
    • Email: Brevo
    • AI Processing:
      • OpenAI (GPT-4o, Whisper) — audio transcription, message composition & translation, daily briefings, estimate pricing, intake summarization. Privacy Policy
      • Google (Gemini, Cloud Vision) — receipt/invoice data extraction, cover photo generation, OCR text extraction. Privacy Policy
      • Anthropic (Claude) — receipt/invoice data extraction (alternative provider). Privacy Policy
    • CAPTCHA: Cloudflare Turnstile
    • Push Notifications: Expo
  • Legal Compliance: To comply with laws or subpoenas.
  • Business Transfers: In the event of a merger or acquisition.

9. Data Retention

We retain information as long as necessary to provide the Services and fulfill the purposes described in this policy. Specifically:

  • Account Data: Retained while your account is active and for 30 days after deletion request.
  • Customer Data: Retained according to your settings and applicable legal requirements.
  • AI Processing Data: Images and audio for AI features are processed in real-time and not stored permanently. Some data may be retained by AI providers for up to 30 days for abuse monitoring, after which it is deleted and never used for model training.
  • Backup Data: May persist in backups for up to 90 days after deletion.

Providers can delete their account and all associated data through Account Settings. Deletion includes a 30-day grace period during which you can cancel the request. After the grace period, all data is permanently removed.

10. Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Authentication: Secure token-based authentication with automatic expiration.
  • Access Controls: Row-level security ensures you can only access your own data.
  • Infrastructure: Hosted on SOC 2 compliant cloud infrastructure.

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

11. International Data Transfers

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

By using the Service, you consent to the transfer of your information to the United States.

12. Your Choices & Rights

Marketing Opt-Out

Unsubscribe via email links. Reply STOP to SMS. Manage push notification preferences in app settings.

Access & Portability

Providers can export their data at any time through account settings. Request a complete data export by contacting support.

Deletion

Providers can delete their account and all associated data through Account Settings. Deletion includes a 30-day grace period during which you can cancel the request. After the grace period, all data is permanently and irreversibly removed. End Customers should contact the Provider directly.

Device Permissions

Revoke any mobile app permission at any time through your device's Settings app.

California Residents (CCPA)

You have the right to know what personal information we collect, request deletion, and opt out of sale (we do not sell personal information). Contact us to exercise these rights.

European Residents (GDPR)

You have rights to access, rectification, erasure, restriction, portability, and objection. Contact us to exercise these rights. Our legal basis for processing is contract performance and legitimate interests.

13. Children's Privacy

The Services are not intended for children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.

14. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
