Varnym
Home Terms Privacy Regional

Legal

Regional Privacy Addendum

Last updated: March 15, 2026

This Regional Privacy Addendum supplements the global Varnym Privacy Policy and provides jurisdiction-specific disclosures required by local law. Where this Addendum conflicts with the main Privacy Policy, this Addendum governs for residents of the applicable jurisdiction.

1. European Economic Area (EEA) — GDPR

Controller. Varnym LLC acts as the data controller for personal data of EEA residents. Contact: admin@varnym.com

Legal Bases. We process EEA personal data on the following GDPR legal bases:

Article 6(1)(b) Contract — account creation, authentication, OTP delivery, and core service functionality.

Article 6(1)(c) Legal Obligation — regulatory record-keeping, lawful government requests, and TCPA-equivalent compliance records.

Article 6(1)(f) Legitimate Interests — fraud prevention, abuse detection, security monitoring, and service analytics, balanced against your rights. You may object to processing on this basis.

Article 6(1)(a) Consent — SMS messages and optional analytics you explicitly opt into. Consent may be withdrawn at any time.

International Transfers. For EEA-to-U.S. transfers, we rely on Standard Contractual Clauses (SCCs) adopted under GDPR Article 46(2)(c). To request a copy of applicable SCCs, contact admin@varnym.com.

Data Subject Rights. EEA residents have rights under GDPR to: access (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction (Art. 18); portability (Art. 20); objection (Art. 21); and rights regarding automated decision-making (Art. 22). We respond within 30 days and may extend by 2 additional months with notice for complex requests.

Supervisory Authority. EEA residents may lodge complaints with their national data protection authority. Find your authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

2. United Kingdom — UK GDPR and DPA 2018

Controller. Varnym LLC is the data controller for UK personal data. Contact: admin@varnym.com

Legal Bases. We process UK personal data on legal bases equivalent to those in the EEA section above, applied under UK GDPR as incorporated by the European Union (Withdrawal) Act 2018.

International Transfers. For UK-origin transfers to jurisdictions without a UK adequacy regulation, we rely on the UK Addendum to the EU Standard Contractual Clauses issued by the UK ICO.

Supervisory Authority. UK residents may complain to the Information Commissioner's Office (ICO): https://ico.org.uk | Helpline: 0303 123 1113.

3. California — CCPA/CPRA

Categories Collected (Past 12 Months): Identifiers (name, email, phone, device ID, IP); Internet or electronic network activity (usage logs, crash data); Geolocation (IP-derived approximate location for fraud prevention and compliance only); Commercial information (billing records for paid features); Inferences (fraud risk and security signals from behavioral data). We do not collect financial account information, health/medical data, or biometric data.

Do Not Sell or Share. Varnym LLC does not sell personal information for money and does not share personal information for cross-context behavioral advertising. No opt-out is required because no sale or sharing occurs. If this changes, we will add a "Do Not Sell or Share" link before any sale begins.

Global Privacy Control (GPC). We recognize the GPC signal as an opt-out from sale and sharing for California residents where required under CPRA.

California Consumer Rights: Right to know, access, correct, delete, opt out of sale/share, limit use of sensitive PI, non-discrimination, and appeal. We respond within 45 days and may extend 45 days with notice.

Shine the Light (Cal. Civil Code § 1798.83). We do not disclose personal information to third parties for their direct marketing purposes. To verify, contact admin@varnym.com with "Shine the Light Request" in the subject line.

4. Other US State Privacy Laws

Residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana, Iowa, Delaware, and other states with enacted consumer privacy laws have rights to access, correct, delete, obtain a portable copy, opt out of targeted advertising (not applicable — we do not engage in targeted advertising), and appeal denied requests.

Appeal Process. Submit written appeals to admin@varnym.com with "Privacy Rights Appeal" in the subject line. We respond within the statutory timeframe for your state (typically 45–60 days). If denied again, we provide information for escalation to your state attorney general.

5. Canada — PIPEDA and Quebec Law 25

We process Canadian personal data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial equivalents including Quebec's Law 25.

Rights. Canadian residents may request access to and correction of personal information. Quebec residents additionally have rights to de-indexation and re-indexation and to be informed of automated decision-making producing effects on them (we do not use automated decision-making for significant individual effects).

Response. We respond within 30 days. Complaints may be filed with the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca

6. Brazil — LGPD

We process Brazilian personal data under the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018). Varnym LLC acts as the operator (operador) under LGPD.

Legal Bases (LGPD Art. 7): Consent; contract performance; legitimate interest; and legal obligation.

Rights: Confirmation of processing, access, correction, anonymization/blocking/deletion, portability, deletion of consent-based data, information about sharing, and revocation of consent. We respond within 15 days. Complaints may be filed with the ANPD: https://www.gov.br/anpd

7. Australia — Privacy Act 1988

We process Australian personal information in accordance with the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs).

Rights: Access to personal information we hold; request correction of inaccurate or incomplete personal information. We respond within 30 days.

Overseas Disclosure: Data may be disclosed to overseas recipients (including in the US) for hosting and operations. We take reasonable steps to ensure overseas recipients protect information consistently with the APPs.

Complaints may be filed with the OAIC: https://www.oaic.gov.au

8. Contact for Regional Privacy Matters

For all regional privacy inquiries, rights requests, or complaints: admin@varnym.com

Please identify your jurisdiction and the specific right or question in your message.