Privacy Policy
Effective Date: March 2026 | Version 1.0
1. Scope & Who This Applies To
This Privacy Policy applies to Vara Wellness, Inc. (“Vara,” “we,” “our,” or “us”) and covers your use of the Vara mobile application, website (varawellness.co), and any related services (collectively, the “Services”).
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. This Policy is incorporated into and forms part of our Terms of Service.
2. Information We Collect
2.1 Information You Provide Directly
Account & Profile Information:
- Email address and display name or username
- Profile photo or avatar (optional)
- Account preferences and notification settings
Wellness & Lifestyle Information:
- Goals, habits, routines, and task completion data
- Journal entries, reflections, and personal notes
- Mood check-ins and self-reported wellness indicators
- Focus, stress, sleep, hydration, or recovery inputs you choose to log
This information is entirely voluntary. You choose what to share. Vara’s core features work without requiring you to share sensitive personal details.
2.2 Information Collected Automatically
When you use the Services, we automatically collect certain technical information:
- Device type, operating system, and app version
- Feature interactions, session duration, and usage patterns
- Approximate location based on network data (we do not collect precise GPS location)
- Diagnostic data, error logs, and performance metrics
This information is used solely to operate, maintain, and improve the Services. It is not used for advertising and is not sold to third parties.
">2.3 What We Do Not Collect
Vara does not intentionally collect:
- Medical records, diagnoses, or clinical test results
- Biometric identifiers (fingerprints, facial scans, etc.)
- Regulated health information subject to HIPAA or equivalent laws
- Precise GPS location data
- Payment card numbers or banking information (handled entirely by the App Store or Google Play)
3. How We Use Your Information
| Purpose | What It Covers | Legal Basis |
|---|---|---|
| Service Delivery | Providing core features: habits, journaling, routines, focus tools | Contract performance |
| Personalization | Tailoring suggestions and content to your usage patterns | Legitimate interest / Consent |
| AI-Assisted Features | Generating wellness prompts, insights, and recommendations | Consent (opt-in features) |
| App Improvement | Analyzing usage trends, fixing bugs, developing new features | Legitimate interest |
| Communications | Account notifications, support responses, optional updates | Contract / Consent |
| Security & Fraud Prevention | Detecting misuse, protecting accounts, maintaining integrity | Legitimate interest / Legal obligation |
| Legal Compliance | Meeting applicable legal and regulatory obligations | Legal obligation |
4. AI Features & How Your Data Is Processed
4.1 How AI Features Work
Certain Vara features use artificial intelligence to generate personalized wellness suggestions, journal prompts, routine recommendations, and educational insights. When you actively use an AI-powered feature, relevant context from your session may be transmitted to our AI processing partner to generate a response.
4.2 What Data Is Transmitted
Only the minimum necessary data is transmitted when you use AI features. This may include:
- Content you have entered in the current journal or reflection session
- Your stated goals or routine preferences relevant to the feature
- General usage context needed to generate a relevant response
We do not transmit your email address, full name, payment information, or other identifying details to AI processing systems.
4.3 Our AI Processing Partner
AI features are currently powered by OpenAI’s API. Relevant details:
- OpenAI processes transmitted data under their API Data Usage Policy (openai.com/policies).
- As of the effective date of this policy, OpenAI does not use API inputs to train its models by default. This is subject to OpenAI’s own policies, which may change independently of Vara.
- We will update this section if our AI processing partner changes.
4.4 Opting Out of AI Features
AI-powered features are entirely optional. Vara’s core features—habit tracking, journaling, goal setting, and routines—work without engaging any AI feature. If you prefer not to have data transmitted to AI systems, simply do not use AI-powered prompts or features within the App.
5. Data Sharing & Disclosure
5.1 We Do Not Sell Your Data
Vara does not sell, rent, trade, or share your personal information for advertising or third-party marketing purposes.
5.2 Service Providers
We share limited data with trusted third-party service providers who help us operate and improve the Services. Each provider receives only the minimum data necessary for their specific function.
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Firebase / Google Cloud | Data storage, authentication, infrastructure | Account data, usage data, app content |
| OpenAI | AI-powered wellness features | Session content when AI features are actively used |
| Sentry | Error monitoring and crash reporting | Anonymized diagnostic and error data |
| Apple App Store / Google Play | App distribution and subscription billing | Transaction data (managed by platform) |
| RevenueCat | Subscription management and analytics | Subscription status, anonymized purchase data |
All service providers are contractually obligated to use your data only for their authorized function, maintain appropriate security safeguards, and comply with applicable privacy laws.
5.3 Legal & Safety Obligations
We may disclose personal information if required to:
- Comply with applicable laws, regulations, or valid legal processes (such as a court order or subpoena)
- Enforce our Terms of Service or protect Vara’s rights
- Protect the safety of our users or the public
- Prevent fraud, misuse, or security threats
Where permitted by law, we will attempt to notify you before disclosing your information in response to a legal request.
5.4 Business Transfers
If Vara is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a materially different privacy policy.
6. Data Retention
| Scenario | Retention Approach |
|---|---|
| Active account | Data retained while your account is active and as needed to provide the Services |
| Account deletion | Personal data removed from active systems within 30 days of deletion request |
| Backup copies | Residual copies in backups may persist for up to 90 days before full deletion |
| Legal obligations | Certain data may be retained longer where required by applicable law |
| Anonymized data | Aggregated or anonymized data may be retained indefinitely for product improvement |
When you delete your account through the Settings menu, we initiate the deletion process immediately.
7. Data Security
We implement reasonable administrative, technical, and organizational safeguards to protect your data, including:
- Encryption of data in transit (TLS) and at rest
- Access controls limiting data access to authorized personnel only
- Regular monitoring for unauthorized access or security incidents
- Use of established, reputable infrastructure providers (Google Firebase / Google Cloud)
No system is entirely secure. We cannot guarantee absolute protection against unauthorized access, disclosure, or loss. If you believe your account has been compromised, please contact us immediately at support@varawellness.co.
8. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete data |
| Deletion | Request deletion of your personal data (subject to legal retention obligations) |
| Portability | Request your data in a structured, machine-readable format |
| Restriction | Request that we limit how we process your data in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent for any processing based on consent at any time |
| Opt-Out of Communications | Unsubscribe from non-essential emails at any time |
To exercise any of these rights, contact us at support@varawellness.co or through the Settings menu in the App. We will respond within 30 days. We will never discriminate against you for exercising your privacy rights.
9. Children’s Privacy
The Services are not intended for children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children below these age thresholds.
If we become aware that a child below the applicable age threshold has provided personal information, we will delete that data promptly. If you believe a child has created an account, please contact us at support@varawellness.co.
10. International Data Transfers
Vara is based in the United States. If you access the Services from outside the US, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
Where required by applicable law (including GDPR), we ensure appropriate safeguards are in place for international data transfers, such as Standard Contractual Clauses or equivalent mechanisms.
11. Regional Privacy Rights
11.1 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- The right to know what personal information we collect, use, share, or sell
- The right to delete personal information we have collected from you
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information (we do not sell or share data for advertising)
- The right to limit use of sensitive personal information
- The right to non-discrimination for exercising your privacy rights
To submit a California privacy request, contact us at support@varawellness.co. We will verify your identity before processing your request.
11.2 European Economic Area & UK (GDPR / UK GDPR)
If you are located in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including:
- The right to access your personal data
- The right to rectification of inaccurate data
- The right to erasure (“right to be forgotten”)
- The right to restriction of processing
- The right to data portability
- The right to object to processing
- The right to lodge a complaint with your local supervisory authority
Our legal bases for processing personal data under GDPR include: performance of a contract (providing the Services), legitimate interests (improving the Services, security), and consent (AI features, optional communications).
To submit a GDPR request or lodge a complaint, contact us at support@varawellness.co.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will notify you by:
- Sending an in-app notification
- Emailing you at the address associated with your account
- Updating the “Effective Date” at the top of this document
Your continued use of the Services after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with material changes, you may delete your account.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:
| Channel | Details |
|---|---|
| support@varawellness.co | |
| Website | https://varawellness.co |
| Privacy Rights Requests | support@varawellness.co (subject: “Privacy Request”) |
| Mailing Address | Vara Wellness, Inc. |
By using Vara, you acknowledge that you have read, understood, and agreed to this Privacy Policy.
Effective March 2026 | Version 1.0 | varawellness.co/privacy