
Privacy Policy

Last Updated: December 19, 2024

1. Introduction

Welcome to VARDA ("we," "our," or "us"). VARDA is an AI-powered review management platform that helps businesses detect policy violations in Google Business reviews and facilitates the removal of inappropriate content.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. By using VARDA, you agree to the collection and use of information in accordance with this policy.

We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy legislation.

2. Data We Collect

2.1 Google Account Information

When you sign in with Google OAuth, we collect the following information from your Google account:

  • Email address
  • Full name
  • Profile picture (if provided)
  • Google account ID (unique identifier)
  • Google OAuth access and refresh tokens (encrypted)

2.2 Business Profile Data

When you connect your Google Business Profile to VARDA, we collect:

  • Business name and legal name
  • Business address (street, city, postal code, country)
  • Phone number
  • Website URL
  • Google Business account ID and location ID
  • Business category and type

2.3 Review Data

We import and store reviews from your connected Google Business Profile:

  • Review text content
  • Star ratings (1-5)
  • Reviewer names
  • Review dates (creation and update timestamps)
  • Google review IDs
  • AI analysis results including:
    • Policy violation detection (violation types, confidence scores)
    • Sentiment analysis (positive, neutral, negative)
    • Theme extraction (service, pricing, staff, etc.)
    • Detected language

2.4 Payment Information

Payment processing is handled securely by Stripe. We collect and store:

  • Stripe customer ID
  • Payment method ID (encrypted token, not full card details)
  • Payment history and transaction records
  • Payment amounts and timestamps
  • Removal request IDs associated with payments

Important: We do not store your full credit card numbers, CVV codes, or expiration dates. All sensitive payment data is securely handled by Stripe, a PCI-DSS compliant payment processor.

2.5 Usage and Technical Data

We automatically collect certain technical information when you use VARDA:

  • IP address
  • Browser type and version
  • Device information
  • Session cookies and authentication tokens
  • Log data (access times, pages viewed)

3. How We Use Your Data

3.1 Review Analysis and Violation Detection

We use AI-powered analysis to scan your Google Business reviews for policy violations. Review text is sent to Mistral AI's API for analysis against Google's official review policies and European legal frameworks. This includes detecting spam, fake content, harassment, off-topic reviews, defamation, commercial disparagement, and other violations.

3.2 Removal Request Processing

When you request removal of a review, we generate legal arguments citing specific policy violations and facilitate the submission process to Google on your behalf. We track the status of removal requests and notify you of updates.

3.3 Billing and Payment Processing

We process payments using Stripe. Audit fees are charged immediately upon purchase. Subscription fees for ongoing monitoring and AI tools are billed monthly in advance. We maintain payment records for accounting and tax compliance purposes.

3.4 Service Communication

We use your contact information to send you updates about:

  • Removal request status changes
  • Account activity and security notifications
  • Service updates and feature announcements
  • Payment confirmations and receipts

3.5 Service Improvement

We analyze usage patterns and anonymized data to improve our AI models, enhance service quality, and develop new features. Personal identifiers are removed before analysis.

3.6 Legal Compliance

We may use your data to comply with legal obligations, respond to legal requests, enforce our Terms of Service, and protect our rights and the rights of our users.

4. Third-Party Services

4.1 Google APIs

VARDA integrates with Google's APIs to access your Business Profile and reviews:

  • Google OAuth 2.0: For secure authentication and authorization
  • Google Business Profile Management API: To fetch business account and location information
  • Google My Business API: To retrieve reviews from your connected business locations

Your data shared with Google is subject to Google's Privacy Policy. We only request the minimum permissions necessary to provide our service.

4.2 Mistral AI

We use Mistral AI's API to analyze review content:

  • Mistral Large 2: For review analysis, violation detection, and generating detailed legal arguments for removal requests
  • EU Data Residency: Mistral AI is a French company that processes data within the EU, which supports GDPR compliance and familiarity with French legal frameworks

Review text is sent to Mistral AI for analysis. Mistral AI processes this data according to its own data usage policies and does not use it to train its models.

4.3 Stripe

Stripe processes all payments securely:

  • Payment Processing: Secure credit card transactions
  • Payment Method Storage: Encrypted storage of payment method tokens
  • Invoice Generation: Automated receipt and invoice creation

Stripe is PCI-DSS Level 1 certified and handles all sensitive payment data. We only store payment method IDs and transaction records, not full card details.

4.4 Resend

Resend handles all transactional emails (account verification, removal status notifications, receipts):

  • Email Delivery: Sends transactional emails on our behalf
  • Data Processed: Email addresses, message content

4.5 Sub-Processor Summary (GDPR Art. 28)

  • Mistral AI: Purpose: review analysis and AI reply generation. Data location: EU (France). Data processed: review text, rating, reviewer name
  • Stripe: Purpose: payment processing. Data location: EU / US. Data processed: payment method, billing details
  • Resend: Purpose: transactional emails. Data location: US. Data processed: email address, message content
  • Google APIs: Purpose: authentication and business data. Data location: EU / US. Data processed: OAuth tokens, business profile data

4.6 Data Processing Agreements

All third-party service providers are bound by data processing agreements (DPAs) that ensure they handle your data in compliance with GDPR and other applicable privacy laws. We regularly audit our third-party providers to ensure continued compliance.

5. Data Storage

5.1 Hosting Infrastructure

VARDA's application and data are hosted on Microsoft Azure cloud infrastructure. Azure provides enterprise-grade security, independent certifications and attestations (including ISO 27001 and SOC 2), support for GDPR compliance, and redundant data centers to ensure high availability and data protection.

5.2 Database Storage

Your data is stored in a PostgreSQL database hosted on Azure. The database is:

  • Encrypted at rest using Azure's managed data-at-rest encryption
  • Accessible only through encrypted connections (SSL/TLS)
  • Regularly backed up with point-in-time recovery capabilities
  • Protected by network security groups and firewall rules

5.3 Data Location

By default, your data is stored in Azure data centers located within the European Economic Area (EEA) to ensure GDPR compliance. If you are located outside the EEA, your data may be stored in Azure data centers in your region for performance optimization.

5.4 Security Measures

We implement multiple layers of security to protect your data:

  • Encryption in transit (HTTPS/TLS 1.3)
  • Encryption at rest (database and file storage)
  • Regular security audits and vulnerability assessments
  • Access controls and authentication (OAuth 2.0)
  • Intrusion detection and monitoring
  • Regular security patches and updates

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR) and other applicable privacy laws, you have the following rights regarding your personal data:

6.1 Right of Access

You have the right to request a copy of all personal data we hold about you, including account information, review data, and payment records. We will provide this information in a structured, commonly used format within 30 days of your request.

6.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. You can update most information directly through your account settings, or contact us to request corrections.

6.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw your consent
  • You object to processing and there are no overriding legitimate interests
  • The data has been unlawfully processed

Note: We may retain certain data if required by law (e.g., payment records for tax compliance).

6.4 Right to Restrict Processing

You can request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of data or object to processing.

6.5 Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format (JSON or CSV) and to transmit that data to another service provider.

6.6 Right to Object

You can object to processing of your personal data based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

6.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

How to Exercise Your Rights

To exercise any of these rights, please contact us at contact@vardaprotect.com. We will respond to your request within 30 days. Please include your account email address and a clear description of your request.

7. Cookies and Tracking Technologies

VARDA uses cookies and similar tracking technologies to provide and improve our service:

7.1 Essential Cookies

These cookies are necessary for the service to function:

  • Session Cookies: Maintain your login session and authentication state
  • Security Cookies: Protect against cross-site request forgery (CSRF) attacks
  • Preference Cookies: Remember your language and display preferences

These cookies cannot be disabled as they are essential for service functionality.

7.2 Analytics Cookies

We use analytics cookies to understand how users interact with our service, identify issues, and improve performance. These cookies collect anonymized usage data.

7.3 Cookie Management

You can control cookies through your browser settings. However, disabling essential cookies may limit your ability to use certain features of VARDA. Most browsers allow you to:

  • View and delete cookies
  • Block cookies from specific sites
  • Block all cookies
  • Set preferences for when cookies are set

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Account Data

We retain your account information (email, name, Google account data) for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

8.2 Review Data

Review data is retained while your account is active and your Google Business Profile remains connected. If you disconnect your business profile, we will delete associated review data within 90 days, unless you have active removal requests.

8.3 Payment Records

Payment records and transaction data are retained for 7 years from the date of transaction as required by tax and accounting laws. This includes invoices, receipts, and payment method tokens.

8.4 Removal Request Records

Records of removal requests are retained for 3 years after resolution to maintain service history and handle potential disputes. After this period, records are anonymized or deleted.

8.5 Deletion Requests

Upon receiving a valid deletion request, we will delete your personal data within 30 days, except where retention is required by law. Some data may be retained in anonymized form for analytics and service improvement.

9. Contact Information

If you have questions, concerns, or wish to exercise your privacy rights, please contact us:

General Privacy Inquiries

contact@vardaprotect.com

Data Protection Officer (DPO)

contact@vardaprotect.com

For GDPR-related inquiries and data subject requests

Support and Account Issues

contact@vardaprotect.com

Response Time

We aim to respond to all privacy-related inquiries within 30 days as required by GDPR. For urgent matters, please mark your email as "URGENT" in the subject line.

10. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you of material changes via email to your registered email address
  • Display a prominent notice on our website for significant changes
  • Provide a summary of changes in the notification

Your continued use of VARDA after changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may delete your account and discontinue use of the service.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Additional Information

Data Controller: VARDA is the data controller responsible for your personal data. Our registered address and contact information are available upon request.

Legal Basis: We process your personal data based on: contract performance (service provision), consent (Google Business Profile connection), and legitimate interests (service improvement, fraud prevention).

International Transfers: Your data may be transferred to and processed in countries outside the EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.