Privacy Policy

Effective Date: December 5, 2025

1. Introduction

Varity ("Varity," "we," "us," or "our") operates the varity.io website and the Varity decentralized infrastructure platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

Our Core Promise: Varity is fundamentally different from traditional cloud providers. We have built our infrastructure so that we mathematically cannot access your data. Your data is encrypted client-side using Lit Protocol before it ever leaves your browser, and only you hold the decryption keys.

2. Our Decentralized Privacy Architecture

Unlike AWS, Google Cloud, or Microsoft Azure, Varity is built on 100% decentralized infrastructure. This means:

2.1 Five-Layer Privacy Architecture

Your data is protected by our comprehensive five-layer privacy system:

  • Layer 1 - Encryption at Rest: All data is encrypted using Lit Protocol with wallet-based keys (AES-256-GCM underlying encryption) before leaving your browser. Only you can decrypt your data with your wallet signature.
  • Layer 2 - Distributed Storage: Encrypted data is stored on Filecoin/IPFS through Pinata, distributed across independent storage providers worldwide with 3x redundancy. No single point of failure exists.
  • Layer 3 - Data Availability: AnyTrust DA (Arbitrum's native data availability solution) ensures your data remains available and verifiable without compromising privacy.
  • Layer 4 - Decentralized Compute: All processing occurs on Akash Network's decentralized compute infrastructure. No corporate entity can access your data during processing.
  • Layer 5 - Blockchain Settlement: All access events are logged immutably on our Arbitrum L3 blockchain, providing a transparent and tamper-proof audit trail.

2.2 What This Means for You

  • Varity cannot read, access, or modify your stored data
  • No government or third party can compel us to provide your data (we don't have the keys)
  • Your data cannot be sold, shared, or used for advertising
  • There is no "master key" or backdoor access

3. Information We Collect

3.1 Information You Provide

  • Account Information: Email address (if you choose email authentication), wallet address (for blockchain authentication)
  • Profile Information: Name, company name, and other optional profile details
  • Payment Information: Billing details processed through our payment processors (Stripe) - we do not store full payment card numbers
  • Communications: Support requests, feedback, and correspondence with our team

3.2 Information Collected Automatically

  • Usage Data: Anonymized and aggregated usage metrics (feature usage, performance data)
  • Device Information: Browser type, operating system, device identifiers for security purposes
  • Log Data: IP addresses, access times, pages viewed (retained for 30 days for security)
  • Blockchain Data: Transaction hashes and wallet addresses (publicly available on-chain)

3.3 Information We Do NOT Collect

  • Your encrypted data content (we cannot decrypt it)
  • Your encryption keys or wallet private keys
  • Data from your integrated business tools (QuickBooks, Salesforce, etc.)
  • AI chat contents or queries (processed in encrypted form)

4. How We Use Your Information

We use the limited information we collect to:

  • Provide, maintain, and improve our services
  • Process payments and manage subscriptions
  • Send important service updates and security alerts
  • Respond to support requests and communications
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Improve our platform based on anonymized usage patterns

We do NOT:

  • Sell your personal information
  • Use your data for advertising or profiling
  • Share your data with third parties for their marketing purposes
  • Train AI models on your data

5. Data Sharing and Disclosure

We may share limited information with:

  • Service Providers: Payment processors (Stripe), email services, and analytics providers who are contractually bound to protect your information
  • Legal Requirements: When required by law, subpoena, or legal process (note: we cannot provide encrypted data as we don't have decryption keys)
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with continued privacy protections
  • With Your Consent: When you explicitly authorize sharing

6. International Data Transfers

Your data is stored on Filecoin's decentralized network, which operates globally. Account information may be processed in the United States and other countries. We ensure appropriate safeguards are in place for any international transfers of personal data.

7. Data Retention

  • Account Data: Retained while your account is active and for 30 days after deletion
  • Encrypted Data: Stored until you delete it (you control this entirely)
  • Usage Logs: 30 days for security purposes
  • Payment Records: 7 years as required by tax and financial regulations
  • Blockchain Records: Permanent (immutable by design, but contain no personal data)

8. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and associated data
  • Portability: Export your data in standard formats at any time
  • Objection: Object to certain processing of your data
  • Withdrawal of Consent: Withdraw consent where processing is based on consent

To exercise these rights, contact us at hello@varity.so. We will respond within 30 days.

9. European Users (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • We process your data based on: (a) contract performance, (b) legitimate interests, (c) legal obligations, or (d) your consent
  • You have additional rights under GDPR including the right to lodge a complaint with a supervisory authority
  • For data transfers outside the EEA, we use Standard Contractual Clauses

10. California Users (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to Know: Request disclosure of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your rights

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at hello@varity.so.

12. Security

We implement robust security measures including:

  • Client-side encryption using Lit Protocol (AES-256-GCM)
  • Wallet-based key management (no centralized key storage)
  • TLS/SSL encryption for all data in transit
  • Regular security audits and penetration testing
  • Multi-factor authentication options
  • Immutable blockchain audit trails

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Effective Date." For significant changes, we will provide additional notice via email or in-app notification.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

  • Email: hello@varity.so
  • Address: Varity Inc., 1601 N Main St #3159, Jacksonville, FL 32206
  • Data Protection Officer: hello@varity.so