Privacy Policy

Effective Date: February 11, 2026 · Last Updated: February 11, 2026

1. Introduction

Várdin (“we,” “us,” or “our”) operates the Várdin platform at vardin.com (the “Service”), an AI-powered tag compliance and consent management platform. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.

This policy is provided in accordance with the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the EU ePrivacy Directive (2002/58/EC), Brazil’s Lei Geral de Proteção de Dados (LGPD), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable data protection legislation.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller and Data Processor Roles

When we act as a Data Controller: Várdin is the data controller for the personal data of our customers (account holders) and website visitors. This includes account registration data, billing information, activity logs, and usage data collected through our platform.

When we act as a Data Processor: When our customers use Várdin to manage tracking tags and consent banners on their own websites, we process personal data on behalf of our customers. In this context, our customer is the data controller and Várdin acts as a data processor. The processing of end-user data is governed by our customer’s privacy policies and any Data Processing Agreement (DPA) between Várdin and the customer.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address — required for authentication and communication
  • Name — used for your account profile
  • Profile image — optional, displayed in the application interface

3.2 Organization and Business Profile Data

When you set up an organization, we may collect:

  • Industry classification
  • Business description
  • Data privacy concerns and requirements
  • Description of user data your organization handles
  • List of advertising providers your organization uses (e.g., Google, Facebook, LinkedIn)

3.3 Billing and Subscription Data

When you subscribe to a paid plan, payment processing is handled by our third-party payment processor, Stripe. We store:

  • Stripe customer and subscription identifiers
  • Subscription tier, status, and billing interval
  • Trial period start and end dates

We do not store your full credit card number, CVV, or bank account details on our servers. All payment card data is handled directly by Stripe in compliance with PCI DSS Level 1.

3.4 Usage and Activity Data

We maintain activity logs that record actions performed within the platform for audit and compliance purposes. These logs include:

  • Action type (create, update, delete, deploy, generate)
  • Resource type and identifier
  • Changes made (previous and new values)
  • Whether an action was AI-generated
  • IP address (derived from request headers)
  • User agent string
  • Timestamps

3.5 API Keys (Bring Your Own Key)

If you choose to use the Bring Your Own Key (BYOK) feature to provide your own Anthropic API key, we encrypt the key at rest using AES-256-GCM encryption. The key is only decrypted in memory during API requests and is never logged or stored in plaintext.

3.6 Push Notification Data

If you opt in to push notifications, we collect:

  • Push notification endpoint URL
  • Browser-generated Web Push encryption keys (the P-256 public key and the authentication secret used to encrypt messages to your device)
  • Device name and user agent

3.7 Cookies and Local Storage

We use the following client-side storage:

  • ltcb_consent (cookie and localStorage): stores consent banner choices for visitors to websites using Várdin consent banners. Duration: 1 year.
  • ltcb_locale (localStorage): stores the preferred language for consent banner display. Duration: persistent.
  • sidebarCollapsed (localStorage): stores the UI preference for sidebar state (functional). Duration: persistent.
  • Session cookies (cookie): authentication session management. Duration: session.

We do not use third-party advertising cookies. Our use of cookies is limited to strictly necessary functional and authentication purposes, consistent with Article 5(3) of the ePrivacy Directive.

4. How We Use Your Information

We process your personal data for the following purposes and legal bases (under GDPR Article 6):

  • Providing and operating the Service (account management, tag management, consent banners): performance of a contract (Art. 6(1)(b))
  • Processing payments and managing subscriptions: performance of a contract (Art. 6(1)(b))
  • Generating AI-powered compliance rules, data point inventories, translations, and reports: performance of a contract (Art. 6(1)(b))
  • Maintaining activity logs for audit trails and security: legitimate interest (Art. 6(1)(f))
  • Sending push notifications (when opted in): consent (Art. 6(1)(a))
  • Generating weekly compliance reports: performance of a contract (Art. 6(1)(b))
  • Improving the Service, diagnosing technical issues, and ensuring security: legitimate interest (Art. 6(1)(f))
  • Complying with legal obligations (e.g., tax records, fraud prevention): legal obligation (Art. 6(1)(c))

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.

  • Account information: duration of the account plus 30 days after a deletion request
  • Billing records: as required by applicable tax law (typically 7 years)
  • Activity logs (Free plan): 7 days
  • Activity logs (Starter plan): 30 days
  • Activity logs (Pro plan): 90 days
  • Activity logs (Enterprise plan): as agreed in your Enterprise contract
  • Push notification subscriptions: until you unsubscribe or delete your account
  • Weekly compliance reports: duration of the active subscription

When data is no longer needed, it is securely deleted or anonymized.

6. Third-Party Service Providers (Sub-Processors)

We share personal data with the following categories of third-party service providers, each of whom processes data on our behalf and is bound by contractual obligations to protect your data:

  • Neon: database hosting and user authentication. Data shared: account data, email, authentication tokens, all application data. Location: United States.
  • Stripe: payment processing and subscription management. Data shared: name, email, payment method details, billing address. Location: United States.
  • Anthropic: AI-powered features (policy generation, translations, reports, styling). Data shared: prompts containing business profile data, tag configurations, and policy descriptions (no direct personal data is sent unless included in user-submitted content). Location: United States.
  • Vercel: application hosting, CDN for consent banner scripts, edge configuration. Data shared: IP addresses and request metadata; consent banner scripts are served via the CDN. Location: global (edge network).

We do not sell your personal data to any third party. We do not share personal data with third parties for their own marketing purposes.

7. International Data Transfers

Our application and database are hosted in the United States; consent banner scripts are served from Vercel’s global edge network. If you are located outside the United States, your personal data will be transferred to and processed in the United States.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) — as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum
  • Adequacy decisions — where applicable, including the EU-U.S. Data Privacy Framework

Our sub-processors (Stripe, Vercel, Neon, Anthropic) each maintain their own data transfer mechanisms. We ensure all sub-processor agreements include adequate data protection safeguards.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with GDPR Article 32. These measures include:

  • Encryption in transit (TLS/HTTPS for all connections)
  • Encryption at rest for sensitive data (AES-256-GCM for API keys)
  • Role-based access controls and organization-level data isolation
  • Authentication via secure session tokens
  • Comprehensive audit logging of all platform actions
  • Regular security reviews of our infrastructure and dependencies

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

9. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR and UK GDPR (if you are located in Switzerland, you have comparable rights under the Swiss Federal Act on Data Protection):

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — correct inaccurate or incomplete personal data
  • Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”)
  • Right to restriction of processing (Art. 18) — restrict processing of your personal data in certain circumstances
  • Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint — file a complaint with your local supervisory authority

To exercise any of these rights, please contact us at privacy@vardin.com. We will respond to your request without undue delay and in any event within one month of receipt, as required by GDPR Article 12(3); where a request is complex or we receive many requests, that period may be extended by up to two further months, and we will tell you if that is the case.

10. Your Rights Under the CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act:

  • Right to know — request information about the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it
  • Right to delete — request deletion of your personal information, subject to certain exceptions
  • Right to correct — request correction of inaccurate personal information
  • Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary
  • Right to limit use of sensitive personal information — an email address is not sensitive personal information under the CPRA; to the extent we process any sensitive personal information (for example, account log-in credentials), we use it only for purposes permitted under the CCPA
  • Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights

Categories of personal information collected in the preceding 12 months:

  • Identifiers (name, email address, IP address, account identifiers)
  • Commercial information (subscription tier, billing history)
  • Internet or electronic network activity (user agent, activity logs, usage data)
  • Professional or employment-related information (industry, business description)

We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by Cal. Civ. Code § 1798.121.

To exercise your rights, contact us at privacy@vardin.com or submit a verifiable consumer request. We will verify your identity before fulfilling your request and respond within 45 days.

11. Rights Under Other Privacy Frameworks

We respect the data protection rights granted by applicable laws worldwide. If you are subject to any of the following frameworks, you may have additional rights:

  • LGPD (Brazil) — rights under Articles 17–22 of Brazil’s General Data Protection Law, including access, correction, anonymization, portability, and deletion
  • PIPEDA (Canada) — rights to access, correct, and challenge compliance with the Personal Information Protection and Electronic Documents Act
  • POPIA (South Africa) — rights under the Protection of Personal Information Act, including objection to processing and requesting deletion
  • PDPA (Singapore) — rights under the Personal Data Protection Act, including access, correction, and withdrawal of consent
  • APPs (Australia) — rights under the Australian Privacy Principles, including access and correction

To exercise rights under any applicable framework, please contact us at privacy@vardin.com.

12. AI-Powered Features and Data Processing

Várdin uses AI technology (powered by Anthropic’s Claude) to provide the following features:

  • Policy rule generation from natural language descriptions
  • Data point inventory generation
  • Consent banner text translation
  • Consent banner style generation
  • Weekly compliance report generation

When you use AI-powered features, the following data may be sent to Anthropic’s API for processing:

  • Your organization’s business profile (industry, description, privacy concerns)
  • Tag configurations and data point definitions
  • Consent banner content for translation

We do not send your account credentials, payment information, or end-user personal data to AI providers. Data sent to Anthropic is processed in accordance with Anthropic’s Privacy Policy and their commercial terms of service. Under Anthropic’s commercial API terms, your data is not used to train their models.

Bring Your Own Key (BYOK): If you supply your own Anthropic API key, AI requests are made directly under your own Anthropic account and are subject to your agreement with Anthropic. Your API key is encrypted at rest and never logged.

No automated decisions with legal or similarly significant effects are made based solely on automated processing, in accordance with GDPR Article 22.

13. Consent Banner Data (End-User Data)

When your website visitors interact with a consent banner powered by Várdin, the following data is processed on behalf of you (our customer, the data controller):

  • Consent choices per category (e.g., analytics, marketing, preferences)
  • Timestamp of when consent was given or withdrawn
  • Age confirmation status (if your banner uses age gates)

This data is stored locally on the end user’s device via a cookie (ltcb_consent, 1-year duration) and localStorage. Consent data is not transmitted to Várdin servers. Our customers are responsible for their own privacy notices regarding how they use Várdin consent banners on their websites.
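As an added illustration of the mechanism this section and section 15 describe (it is not Várdin’s own code; the record layout, field names, helper names and the in-memory stand-ins for document.cookie and localStorage are assumptions made for the example), the following shows a consent record kept only in the visitor’s browser via the ltcb_consent cookie and localStorage with a one-year lifetime, and a check that gates tag loading on the stored per-category choices together with the browser’s GPC and DNT signals:

```javascript
// Added illustration: a minimal client-side consent store of the shape
// described above (choices per category, timestamp, optional age confirmation)
// persisted in a cookie plus localStorage and never sent to a server, with tag
// loading gated on those choices and on the GPC / DNT signals.
// Record layout, adapters and function names are assumptions, not Várdin's code.

const COOKIE_NAME = "ltcb_consent";            // name stated in the policy
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;   // 1-year duration stated in the policy
const CATEGORIES = ["analytics", "marketing", "preferences"]; // assumed category set

// Build a consent record. Only known categories are kept and only an explicit
// `true` counts as granted, so a tampered or stale record cannot smuggle in
// extra "allowed" categories.
function makeRecord(choices, { ageConfirmed = null, now = Date.now() } = {}) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  return { v: 1, categories, ts: now, ageConfirmed };
}

// Serialize with an explicit Max-Age so the cookie expires after one year.
// SameSite=Lax keeps it first-party; Secure restricts it to HTTPS.
function cookieString(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${COOKIE_NAME}=${value}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Persist to both the cookie jar and localStorage. `doc` and `storage` are
// injected (document and window.localStorage in a browser) so this also runs
// under Node for testing.
function saveConsent(record, doc, storage) {
  doc.cookie = cookieString(record);
  storage.setItem(COOKIE_NAME, JSON.stringify(record));
}

// Read the cookie, falling back to localStorage. Malformed or unknown-version
// records are treated as "no consent yet" rather than trusted.
function loadConsent(doc, storage) {
  const fromCookie = (doc.cookie || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(COOKIE_NAME + "="));
  const raw = fromCookie
    ? decodeURIComponent(fromCookie.slice(COOKIE_NAME.length + 1))
    : storage.getItem(COOKIE_NAME);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec && rec.v === 1 && rec.categories && typeof rec.ts === "number") {
      return makeRecord(rec.categories, { ageConfirmed: rec.ageConfirmed ?? null, now: rec.ts });
    }
  } catch (_) {
    // fall through: unparsable record
  }
  return null;
}

// Decide whether a tag in `category` may fire. A GPC signal (or DNT=1) is
// treated as an opt-out for marketing regardless of any stored choice, and
// every category stays denied until the visitor has made a choice.
function mayLoadTag(category, record, signals) {
  const gpc = signals.globalPrivacyControl === true;   // navigator.globalPrivacyControl
  const dnt = signals.doNotTrack === "1";              // navigator.doNotTrack
  if (category === "marketing" && (gpc || dnt)) return false;
  if (!record) return false;
  return record.categories[category] === true;
}

// Constructed in-memory stand-ins for document.cookie and localStorage so the
// example runs outside a browser (a real jar merges cookies; this keeps one).
function fakeDocument() {
  let jar = "";
  return {
    get cookie() { return jar; },
    set cookie(s) { jar = s.split(";")[0]; },
  };
}
function fakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

The design point worth noting: the record is validated on every read (version, known categories, numeric timestamp) and defaults to "denied" on anything unexpected, so a corrupted or hand-edited cookie cannot turn into an implicit grant, and the GPC/DNT check is applied before the stored choice so a later opt-out signal wins over an older banner choice.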

14. Children’s Privacy

The Service is designed for business use and is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us at privacy@vardin.com.

15. Do Not Track and Global Privacy Control

Várdin respects the Global Privacy Control (GPC) signal as required under the CCPA/CPRA. When we detect a GPC signal from your browser, we treat it as a valid opt-out of any sale or sharing of personal information (though, as noted, we do not sell personal information).

Our platform also enables our customers to build policy rules that respect Do Not Track (DNT) and GPC signals on their own websites through our built-in variable system.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page
  • Provide a prominent notice within the Service (such as a banner or notification)
  • Where required by law, obtain your consent to the changes

We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

17. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us at privacy@vardin.com.

If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.