Privacy Policy
Effective Date: April 2026 | Version 1.1
Your privacy is foundational to what Vara does. This policy is written to be clear and honest, not buried in complexity. It explains exactly what we collect, why we collect it, who we share it with, and what rights you have over your data.
1. Scope & Who This Applies To
This Privacy Policy applies to Vara Wellness, Inc. ("Vara," "we," "our," or "us") and covers your use of the Vara mobile application, website (varawellness.co), and any related services (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. This Policy is incorporated into and forms part of our Terms of Service. Vara is a general wellness and brain-health tool. It is not a medical device, healthcare provider, or mental health treatment. Nothing in this policy or the Services constitutes medical advice. If you are in a mental health or medical emergency, please contact emergency services immediately.
2. Information We Collect
2.1 Information You Provide Directly
Account & Profile Information:
- Email address and display name or username
- Profile photo or avatar (optional)
- Account preferences and notification settings
Wellness & Lifestyle Information:
- Goals, habits, routines, and task completion data
- Journal entries, reflections, and personal notes
- Mood check-ins and self-reported wellness indicators
- Focus, stress, sleep, hydration, or recovery inputs you choose to log
This information is entirely voluntary. You choose what to share. Vara's core features work without requiring you to share sensitive personal details.
2.2 Information Collected Automatically
When you use the Services, we automatically collect certain technical information:
- Device type, operating system, and app version
- Feature interactions, session duration, and usage patterns
- Approximate location based on network data (we do not collect precise GPS location)
- Diagnostic data, error logs, and performance metrics
This information is used solely to operate, maintain, and improve the Services. It is not used for advertising and is not sold to third parties.
2.3 What We Do Not Collect
Vara does not intentionally collect:
- Medical records, diagnoses, or clinical test results
- Biometric identifiers (fingerprints, facial scans, etc.)
- Regulated health information subject to HIPAA or equivalent laws
- Precise GPS location data
- Payment card numbers or banking information (handled entirely by the App Store or Google Play)
3. How We Use Your Information
Purpose - What It Covers - Legal Basis
Service Delivery - Providing core features: habits, journaling, routines, focus tools - Contract performance
Personalization - Tailoring suggestions and content to your usage patterns - Legitimate interest / Consent
AI-Assisted Features - Generating wellness prompts, insights, and recommendations - Consent (opt-in features)
App Improvement - Analyzing usage trends, fixing bugs, developing new features - Legitimate interest
Communications - Account notifications, support responses, optional updates - Contract / Consent
Security & Fraud Prevention - Detecting misuse, protecting accounts, maintaining integrity - Legitimate interest / Legal obligation
Legal Compliance - Meeting applicable legal and regulatory obligations - Legal obligation
We do not use your personal data for advertising, profiling for third-party marketing, or any purpose not described in this policy.
4. AI Features & How Your Data Is Processed
4.1 How AI Features Work
Certain Vara features use artificial intelligence to generate personalized wellness suggestions, journal prompts, routine recommendations, and educational insights. When you actively use an AI-powered feature, relevant context from your session may be transmitted to our AI processing partner to generate a response.
4.2 What Data Is Transmitted
When you use AI-powered features, relevant information from your account may be transmitted to our AI processing partner. Depending on the specific feature, this may include:
- Your display name, to personalize responses such as daily plans
- Content from journal entries, including recent entries when you request a weekly summary or recap
- Your goals, habits, routines, and related progress data (including titles, categories, cadence, and completion records)
- Mood check-ins and self-reported context relevant to the feature you are using
- Messages from your conversations with Vara's AI companion, including up to your most recent twenty messages for context
- Your current screen or context within the app, and general time-of-day
- Any free-text prompt or instruction you provide to the AI feature
We do not transmit your email address, Firebase user ID, payment information, or device identifiers to AI processing systems. Some AI features transmit only aggregate, non-identifying information — for example, our weekly narrative feature sends only numeric averages and habit completion percentages, without journal content or message content.
4.3 Our AI Processing Partner
AI features are currently powered by OpenAI's API. Relevant details:
- OpenAI processes transmitted data under their API Data Usage Policy (openai.com/policies).
- As of the effective date of this policy, OpenAI does not use API inputs to train its models by default. This is subject to OpenAI's own policies, which may change independently of Vara.
- We will update this section if our AI processing partner changes.
AI-generated outputs are informational and non-deterministic. They are not medical advice, mental health therapy, or professional guidance of any kind. You remain responsible for how you interpret and apply AI-generated content.
4.4 Opting Out of AI Features
Most AI-powered features are optional. You can use Vara's core tracking features — habits, goals, routines, journaling, and reflections — without engaging with AI suggestions, summaries, or the AI companion. If you prefer not to have your content transmitted to AI systems for these features, simply do not use AI-powered prompts or features within the App. The one exception is community post moderation. See Section 4.5 below.
4.5 Community Post Moderation
To keep Vara's community safe and aligned with our community standards, every post submitted to the community is automatically checked by an AI moderation service provided by OpenAI before it becomes visible. When you submit a community post:
- The full text of your post is sent to OpenAI's moderation system
- The URL of any image attached to your post is sent to OpenAI's moderation system for automated content review
- Our community standards are sent alongside your post as context
This moderation step runs on every post regardless of your other AI settings. It is a core part of keeping the community safe, and it is not separately opt-out. OpenAI processes moderation requests under their API terms and does not use moderation inputs to train their models.
If you prefer not to have content processed through community moderation, you can still use all other Vara features — tracking, journaling, goals, habits, routines, and reflections — without posting in the community.
5. Data Sharing & Disclosure
5.1 We Do Not Sell Your Data
Vara does not sell, rent, trade, or share your personal information for advertising or third-party marketing purposes.
5.2 Service Providers
We share limited data with trusted third-party service providers who help us operate and improve the Services. Each provider receives only the minimum data necessary for their specific function.
Provider - Purpose - Data Shared
Google Firebase / Google Cloud - Data storage, authentication, infrastructure - Account data, usage data, app content
OpenAI - AI-powered wellness features and community post moderation - Feature-specific content when AI features are used (see Section 4.2); full community post content and image URLs for automated moderation (see Section 4.5)
Sentry - Error monitoring and crash reporting - Anonymized diagnostic and error data
Apple App Store / Google Play - App distribution and subscription billing - Transaction data (managed by platform)
RevenueCat - Subscription management and analytics - Subscription status, anonymized purchase data
All service providers are contractually obligated to use your data only for their authorized function, maintain appropriate security safeguards, and comply with applicable privacy laws.
5.3 Legal & Safety Obligations
We may disclose personal information if required to:
- Comply with applicable laws, regulations, or valid legal processes (such as a court order or subpoena)
- Enforce our Terms of Service or protect Vara's rights
- Protect the safety of our users or the public
- Prevent fraud, misuse, or security threats
Where permitted by law, we will attempt to notify you before disclosing your information in response to a legal request.
5.4 Business Transfers
If Vara is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a materially different privacy policy.
6. Data Retention
Scenario - Retention Approach
Active account - Data retained while your account is active and as needed to provide the Services
Account deletion - When you request deletion, we begin the removal process immediately and remove personal data from active systems within 30 days
Backup copies - Residual copies may persist in routine system backups for up to 90 days after account deletion before being fully purged
Legal obligations - Certain data may be retained longer where required by applicable law
Anonymized data - Aggregated or anonymized data may be retained indefinitely for product improvement
7. Data Security
We implement reasonable administrative, technical, and organizational safeguards to protect your data, including:
- Encryption of data in transit (TLS) and at rest
- Access controls limiting data access to authorized personnel only
- Regular monitoring for unauthorized access or security incidents
- Use of established, reputable infrastructure providers (Google Firebase / Google Cloud)
No system is entirely secure. We cannot guarantee absolute protection against unauthorized access, disclosure, or loss. If you believe your account has been compromised, please contact us immediately at support@varawellness.co.
8. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
Right - What It Means
Access - Request a copy of the personal data we hold about you
Correction - Request correction of inaccurate or incomplete data
Deletion - Request deletion of your personal data (subject to legal retention obligations)
Portability - Request your data in a structured, machine-readable format
Restriction - Request that we limit how we process your data in certain circumstances
Objection - Object to processing based on legitimate interests
Withdraw Consent - Withdraw consent for any processing based on consent at any time
Opt-Out of Communications - Unsubscribe from non-essential emails at any time
To exercise any of these rights, contact us at support@varawellness.co or through the Settings menu in the App. We will respond within 30 days. We will never discriminate against you for exercising your privacy rights.
9. Children's Privacy
The Services are not intended for children under the age of 16. We do not knowingly collect personal information from children below this age threshold. If we become aware that a child below the applicable age threshold has provided personal information, we will delete that data promptly. If you believe a child has created an account, please contact us at support@varawellness.co.
10. International Data Transfers
Vara is based in the United States. If you access the Services from outside the US, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. Where required by applicable law (including GDPR), we ensure appropriate safeguards are in place for international data transfers, such as Standard Contractual Clauses or equivalent mechanisms.
11. Regional Privacy Rights
11.1 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- The right to know what personal information we collect, use, share, or sell
- The right to delete personal information we have collected from you
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information (we do not sell or share data for advertising)
- The right to limit use of sensitive personal information
- The right to non-discrimination for exercising your privacy rights
To submit a California privacy request, contact us at support@varawellness.co. We will verify your identity before processing your request.
11.2 European Economic Area & UK (GDPR / UK GDPR)
If you are located in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including:
- The right to access your personal data
- The right to rectification of inaccurate data
- The right to erasure ("right to be forgotten")
- The right to restriction of processing
- The right to data portability
- The right to object to processing
- The right to lodge a complaint with your local supervisory authority
Our legal bases for processing personal data under GDPR include: performance of a contract (providing the Services), legitimate interests (improving the Services, security), and consent (AI features, optional communications).
To submit a GDPR request or lodge a complaint, contact us at support@varawellness.co.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will notify you by:
- Sending an in-app notification
- Emailing you at the address associated with your account
- Updating the "Effective Date" at the top of this document
Your continued use of the Services after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with material changes, you may delete your account.
13. Cookies and Similar Technologies
The Vara website (varawellness.co) uses cookies and similar technologies to operate the site, remember your preferences, and understand aggregate site usage. Types of cookies we may use include:
- Strictly necessary cookies for site functionality, such as keeping you signed in
- Analytics cookies to understand aggregate, anonymized site traffic patterns (Google Analytics / Firebase Analytics)
You can control or disable cookies through your browser settings. Disabling strictly necessary cookies may affect site functionality. Our mobile app does not use browser cookies but does use the analytics and diagnostic services described in Section 5.2.
Where required by law (including in the EEA and UK), the site displays a cookie consent banner on your first visit. You can change your cookie preferences at any time through that banner.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:
Channel - Details
Email - support@varawellness.co
Website - https://varawellness.co
Privacy Rights Requests - support@varawellness.co (subject: "Privacy Request")
Mailing Address - Vara Wellness, Inc. [to be updated]
We are a small, founder-led team. We read every message and will respond to privacy requests within 30 days, or within the timeframe required by your local law.
By using Vara, you acknowledge that you have read, understood, and agreed to this Privacy Policy.