
Privacy Policy

Last updated: 25 April 2026

1. Data Controller

The data controller for varden.app ("Varden", "we", "us", "our") is:

  • Techson Tecnologias Online Lda
  • NIF: 515616222
  • Rua do Exemplo 123, Portugal

Data Protection Officer (DPO): dpo@varden.app

2. Data Categories We Process

We process the following categories of personal data, organised by sensitivity tier:

Public

  • Display name, locale, country

Personal

  • Account data: email address, authentication tokens, subscription status
  • Conversation data: chat messages exchanged with the AI companion
  • Memory facts: preferences, goals, patterns, and facts you share with the AI across life domains

Sensitive

  • Relationship data: information about personal relationships you choose to share

Intimate

  • Private notes and reflections: deeply personal conversations and memories

Medical

  • Health data: weight, sleep patterns, mood logs, fitness metrics, medication reminders (when you log them)

Financial

  • Financial data: transactions, budgets, receipts, invoices (when you upload or enter them)
  • Documents: files you upload for analysis (receipts, contracts, etc.)

3. Legal Basis for Processing

We process your data on the following legal bases under the GDPR:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the AI companion service you subscribed to, including account data, conversation data, memory facts, and documents.
  • Explicit consent (Art. 9(2)(a)): for special categories of data including health/medical data, intimate personal data, and financial data. You may withdraw consent at any time via Settings > Privacy without affecting the lawfulness of prior processing.
  • Legitimate interest (Art. 6(1)(f)): for security logging, fraud prevention, and service improvement analytics (aggregated, non-personal).

4. AI Processing Disclosure

Your conversations and memory graph are processed by Anthropic's Claude AI (Anthropic, Inc., San Francisco, USA) to generate responses and insights. We use prompt caching for efficiency.

  • Your data is never used to train AI models. Anthropic processes data as a sub-processor under our Data Processing Agreement with zero-retention API terms.
  • International transfer to the USA is governed by Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
  • We perform regular Transfer Impact Assessments (TIAs) to ensure adequate protection.

5. Data Retention

  • Active accounts: all data is retained for the duration of your active subscription.
  • Deletion requests: upon account deletion or erasure request, all personal data is permanently and irreversibly erased within 30 days.
  • Hibernated accounts: data is encrypted at rest and archived. No processing occurs until you reactivate. You may hibernate indefinitely.
  • Billing records: retained for 10 years as required by Portuguese tax law.
  • Security logs: retained for 90 days, then automatically purged.

6. International Data Transfers

Your data is primarily stored and processed within the European Union. The following transfers outside the EU occur:

  • Anthropic (AI processing): USA — protected by Standard Contractual Clauses (SCCs)
  • Stripe (payment processing): USA — protected by Standard Contractual Clauses (SCCs) and PCI DSS compliance

All other sub-processors operate within the EU/EEA.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): view everything we know about you at /about-me and export a full copy via Settings > Privacy.
  • Right to rectification (Art. 16): edit or correct any memory fact, personal detail, or uploaded data at any time.
  • Right to erasure (Art. 17): delete your account and all associated data. Erasure is completed within 30 days.
  • Right to data portability (Art. 20): export all your data as structured JSON at Settings > Privacy > Export.
  • Right to hibernation: encrypt and archive your entire account without deletion, preserving your data for future use while stopping all processing.
  • Right to restriction (Art. 18): request that we limit processing of your data to storage only.
  • Right to object (Art. 21): opt out of proactive messages, analytics, or specific processing activities per domain.

To exercise any right, contact dpo@varden.app or use the in-app privacy controls. We will respond within 30 days.

8. Cookies

We use only essential cookies and consent-based analytics cookies. See our Cookie Policy for full details.

  • Essential: session management, locale preference, CSRF protection
  • Analytics: PostHog (EU-hosted, with explicit consent only)
  • Advertising: none — we do not use advertising cookies

9. Children

Varden is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data immediately. This policy is compliant with GDPR-K provisions for child data protection.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Notify you by email at least 30 days before the changes take effect
  • Display a prominent notice within the application
  • Update the "Last updated" date at the top of this page
  • For changes affecting special category data, request renewed explicit consent

11. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

  • CNPD — Comissão Nacional de Protecção de Dados
  • Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, Portugal
  • Website: www.cnpd.pt

12. Sub-Processors

We use the following sub-processors to deliver the service:

Sub-Processor | Purpose                | Location            | Safeguards
Anthropic     | AI processing (Claude) | USA                 | SCCs, zero-retention API
Stripe        | Payment processing     | USA/EU              | SCCs, PCI DSS Level 1
Resend        | Transactional email    | EU                  | DPA, EU hosting
Cloudflare    | CDN, R2 object storage | EU (Western Europe) | DPA, EU data residency
PostHog       | Product analytics      | EU                  | DPA, EU hosting, consent-based

13. Contact

For any privacy-related questions or to exercise your rights, contact our Data Protection Officer:

  • Email: dpo@varden.app
  • Techson Tecnologias Online Lda, Rua do Exemplo 123, Portugal

These terms are provided during early access. Final terms will be reviewed by Portuguese counsel specializing in GDPR and technology/SaaS law before public launch.
