Varnym Privacy Policy
Last updated: March 15, 2026
1. Controller Identity and Contact
Varnym LLC is the operator and data controller for personal data processed through Varnym websites and products, including WhatAList, MathOnPaper, and TheRefillPlanet (collectively, the "Services").
Privacy contact: admin@varnym.com
EEA or UK residents requiring contact with an EU/UK representative or Data Protection Officer should use the same address and identify their jurisdiction in their message.
2. Scope of This Policy
This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we retain it, and what rights and choices you have when using Varnym Services.
This policy applies globally and is supplemented by jurisdiction-specific disclosures in our Regional Privacy Addendum. In the event of a conflict between this policy and the Regional Addendum, the Addendum governs for residents of the applicable jurisdiction.
3. Data We Collect and Sources
Account and Profile Data — collected directly from you: name, email address, phone number, profile attributes, communication preferences, and account settings.
Authentication and Access Data — generated during use: login method, session tokens, OTP verification records, device identifiers used for sign-in, and multi-factor authentication metadata.
SMS and Messaging Consent Data — collected when you opt in: consent status, opt-in timestamp, opt-in source, phone number consented, and revocation records required for TCPA and carrier compliance.
Usage and Diagnostics Data — generated automatically: product interactions, feature usage patterns, crash diagnostics, performance logs, and device/browser/OS attributes needed for reliability and abuse prevention.
Communications Data — collected when you contact support: ticket content, correspondence records, and communication preference history.
Network and Security Logs — generated automatically: IP address, request timestamps, rate-limiting signals, fraud indicators, and security event logs.
Payment Data — collected for paid features: transaction identifiers and billing confirmation metadata. Full payment card data is processed exclusively by a PCI DSS-compliant payment processor and is never stored by Varnym LLC.
We do not intentionally collect special category data (health information, racial/ethnic origin, political opinions, biometric or genetic data). If you believe you have submitted such data, contact admin@varnym.com promptly.
4. How We Use Data
Service delivery: Account creation, authentication, OTP verification, and product functionality.
Security and fraud prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activity.
Service improvement: Understanding usage patterns, diagnosing issues, improving reliability, and developing features.
Customer support: Responding to requests, troubleshooting, and maintaining support records.
Legal and compliance: Meeting legal obligations, enforcing our Terms, defending claims, and cooperating with regulatory inquiries.
Communications: Sending transactional and security-related messages, and — where consented — service updates.
Payment processing: Facilitating purchased features and maintaining billing records.
5. Legal Bases for Processing
Depending on your location and the specific processing activity, we rely on the following legal bases:
Contract performance — account creation, authentication, OTP delivery, and core service functionality.
Legitimate interests — fraud prevention, abuse detection, security monitoring, service improvement analytics, and defending legal claims, balanced against your rights.
Legal obligation — regulatory record-keeping, responding to lawful legal process, and maintaining TCPA-equivalent compliance records.
Consent — SMS communications, optional analytics, and any other processing where we notify you and obtain your agreement. Consent may be withdrawn at any time without affecting prior lawful processing.
6. Communications and Consent
Where you opt in to SMS, we record your consent status, opt-in timestamp, source, and revocation records. This data is retained for the life of your account plus three (3) additional years for TCPA record-keeping and carrier compliance, and is not used for marketing or shared for advertising.
SMS consent is channel-specific. Opting in to SMS does not automatically opt you in to other messaging channels. To opt out, reply STOP to any message at any time.
7. Automated Decision-Making and Profiling
We use automated signals for fraud prevention, rate limiting, and abuse detection. These systems assess behavioral signals such as login patterns and request frequency to protect users and service integrity. They do not produce legal or similarly significant decisions about you based on personal characteristics.
If you believe an automated decision has materially affected you, contact admin@varnym.com to request human review. EEA/UK users have specific rights under GDPR Article 22 described in the Regional Addendum.
8. Data Sharing
We do not sell your personal data. We share data only in the following circumstances:
Service providers — Vendors supporting operations (hosting, authentication, error monitoring, payment processing, support tooling) under data processing agreements restricting use to serving our needs.
Legal process and safety — In response to valid legal process (court orders, subpoenas, lawful government requests), or to protect users, Varnym LLC, or the public from harm or illegal activity.
Corporate transactions — In connection with a merger, acquisition, asset sale, or reorganization, data may be transferred to a successor entity subject to this policy and applicable notice requirements.
With your consent — For other purposes with your prior, informed consent.
9. Do Not Sell or Share
Varnym LLC does not sell personal information for money and does not share personal information with third parties for cross-context behavioral advertising. If our practices change, we will update this policy and implement required opt-out mechanisms before any such change takes effect.
10. Cookies and Similar Technologies
Strictly Necessary — Required for authentication sessions and security. Cannot be disabled.
Functional — Enable enhanced behaviors such as preference memory. Disabling may affect functionality.
Analytics — Help us understand feature usage and error rates. Where required by law, we obtain consent before enabling analytics cookies.
Advertising — We currently do not use advertising or third-party marketing cookies. If this changes, we will update this policy and obtain required consent.
You may manage cookies through your browser settings. Where required by law, a cookie consent mechanism will be presented. Blocking certain cookies may affect Service functionality.
11. International Data Transfers
Personal data may be transferred to and processed in countries other than your country of residence, including the United States. When transferring data from the EEA, UK, or other jurisdictions requiring transfer safeguards, we rely on Standard Contractual Clauses (SCCs), the UK Addendum to SCCs, or other mechanisms recognized under applicable law. For details, see the Regional Privacy Addendum.
12. Data Retention Schedule
Account and profile data — Life of account; up to 90 days following deletion for recovery, then deleted or anonymized except for legal holds.
Authentication and session logs — 12 months from creation for security and anomaly detection, then deleted.
SMS consent records — Account life plus 3 years after closure for TCPA compliance.
OTP and security event logs — 90 days for anti-abuse purposes, then purged.
Support and correspondence records — 3 years from last interaction, unless subject to legal hold.
Usage and analytics data — 24 months in identifiable form, then aggregated or anonymized.
Payment and billing records — 7 years from transaction date for tax and financial compliance.
Legal hold data — Duration of proceedings or investigation, then deleted per standard schedule.
13. Security
We apply technical and organizational security measures proportionate to the data sensitivity and risk. These include encryption in transit (TLS), role-based access controls, audit logging, environment separation, incident response procedures, and regular security review of critical components.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect personal data, we cannot guarantee absolute security.
14. Data Breach Notification
In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the applicable supervisory authority within 72 hours where required by GDPR or equivalent law, and notify affected users within applicable statutory timelines under US state breach notification laws. We provide information about the nature of the breach and recommended protective steps.
15. Your Rights
Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to processing of your personal data. You may also withdraw consent at any time for consent-based processing without affecting prior lawful processing.
To submit a rights request, contact: admin@varnym.com. Full details on request types, timelines, appeal processes, and supervisory authorities are available at Privacy Rights.
16. Children's Privacy
Varnym Services are not intended for children under 13 years of age in the United States (as defined by COPPA) or under 16 years of age in the EEA and UK (unless applicable member state law sets a lower minimum and parental consent is obtained). We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided data in violation of this policy, contact admin@varnym.com and we will promptly investigate and delete that data.
17. Policy Changes
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice by posting the revised policy with an updated "Last updated" date and — where technically feasible — by notifying you through your registered contact information. Continued use after the effective date constitutes acceptance.
18. Contact
Privacy requests and inquiries: admin@varnym.com
Regional disclosures: Regional Privacy Addendum. Request process details: Privacy Rights.