Privacy Policy
Last updated: 10.05.2026
This policy describes how Varox collects and uses personal data when you visit our site, register, and use the Varox platform. It is written for teams who trust us with operational and planning data, and it reflects how we run the service day to day.
Who we are
Varox ("Varox", "we", "us") is the name of the software service. Varox is operated by an independent operator based in Bulgaria.
For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), we generally act as the data controller for personal data processed to run your Varox account, sign-in, billing metadata, support, and the product itself. If we ever act strictly as a processor on written instructions (for example under a custom enterprise agreement), that role will be defined in that contract. Self-service Varox is offered under this policy as controller-led processing.
Questions about this policy or your data: [email protected].
What this policy covers
Varox is a cloud application for demand planning, forecasting, delivery planning, and related inventory analytics. We process account data, content you import or upload, technical logs, and limited product telemetry needed to run and secure the service. This policy does not govern third-party sites you link out to from Varox; those services have their own policies.
Data we process
We collect only what we need to operate Varox, support customers, meet legal duties, and keep the platform safe. We aim to keep categories narrow and retention proportionate. The main categories are below.
Account and authentication
When you register or are invited to a workspace, we process for example:
- email address and display or workspace identifiers you provide
- organization or tenant name
- password material stored using one-way hashing (we do not store plaintext passwords)
- session and security signals tied to sign-in (for example approximate time and success or failure of login)
Authentication uses an HTTP-only session cookie described under Cookies. You are responsible for safeguarding credentials on your side.
Subscription and billing metadata
We do not store full payment card numbers on Varox infrastructure. Payments are handled by an external billing provider acting as merchant of record for the transaction. Our current payment provider is Paddle.
We receive and store limited subscription and transaction metadata from that provider (for example customer references, plan tier, subscription status, renewal dates, and IDs needed to match your purchase to your account). We use it only for billing, entitlements, support, and audit-friendly reconciliation—not for unrelated marketing.
Business datasets you upload or import
You may upload files or connect integrations so Varox can run forecasting, delivery planning, inventory analytics, reporting, and related workflows. Content may include operational fields and sometimes personal data mixed with business records (for example names in notes, buyer identifiers in rows, or contact fields in spreadsheets). You choose what to connect and remain responsible for having an appropriate lawful basis to share it with us where GDPR applies to your organization.
Uploaded and imported datasets remain your property. We process them solely to deliver the features you enable, not to resell your datasets or repurpose them for unrelated products.
Integrations and imported sources
If you connect external systems (for example databases, spreadsheets, or APIs available on your plan), Varox processes data those systems expose according to your configuration and credentials. We do not control what the third party stores; you should review their privacy notices and access scopes.
Logs, telemetry, and operational monitoring
Like most SaaS products, we generate technical records to run and protect the service. That includes server and application logs (timestamps, routes, error codes, coarse client information), infrastructure health metrics, and limited operational signals about feature and job execution (for example whether a forecast job completed).
Where we can, we work from aggregates or sampled signals for product quality work rather than unnecessary per-user tracking. We use these records to diagnose incidents, prevent abuse, plan capacity, and keep performance predictable. We do not use them to build advertising profiles, and we avoid special-category data except what you voluntarily place in the product.
Support and service communications
If you contact us by email or through in-product channels, we process the content of your message, attachments you choose to send, and metadata needed to respond (for example your address and thread identifiers). We may also send transactional email such as verification, password reset, security notices, and billing-related messages.
Why we use data and legal bases
We process personal data for purposes such as:
- providing and operating Varox, including authentication, workspaces, and plan entitlements
- running imports, forecasts, delivery planning, reporting, and exports you request
- billing, subscription lifecycle, and communicating about your account
- security, fraud prevention, abuse detection, and protecting the rights of users and third parties
- maintaining and improving reliability, performance, and product quality using aggregated or operational signals
- complying with legal obligations and responding to lawful requests
Under GDPR, we typically rely on:
- Performance of a contract – to deliver Varox and handle billing metadata linked to your subscription.
- Legitimate interests – for example securing the platform, operational monitoring, aggregated usage signals that do not override your rights, and communicating about important service changes, balanced against your expectations.
- Consent – where required for specific optional processing (for example certain cookies beyond strict necessity, if we introduce them with consent controls).
Where we process personal data on your instructions as part of your use of Varox for your own business purposes, your organization may also have independent obligations toward end individuals in your datasets.
Tenant isolation and how we use your content
Varox is built so each customer workspace is logically separated in the product. We process your uploaded and imported data only to run features for your tenant (and for platform-wide security and integrity checks), not to train unrelated public models or combine your confidential planning data with other customers' data for their benefit.
We apply data minimization in product design: we retain fields and objects needed for the workflows you enable, and we avoid copying business datasets into unrelated internal systems without a clear operational reason.
Abuse prevention and platform integrity
We may review logs, rate limits, and usage patterns to detect misuse (for example credential stuffing, attempts to bypass access controls, or behaviour that could harm other tenants). In serious cases we may suspend access while we investigate. Where feasible, we will communicate through your account email.
Optional automation and external providers
Some optional features may rely on external model or automation providers when you deliberately use a capability that needs them. In those cases, we send only what is needed for that request and return outputs to your workspace for your use. We do not use that path to market unrelated services. Optional capabilities may include in-product controls and, where the law requires it, additional terms or consent presented at the time of use.
Cookies and similar technologies
We use a single essential cookie for authentication while you are signed in to the Varox web application:
- name: varox_token
- purpose: maintaining your signed-in session
- attributes: HTTP-only; secure in production environments that support it
- duration: up to 7 days
We do not set advertising cookies by default. When you subscribe, the billing provider's checkout may set additional cookies or similar storage required to complete payment; those are governed by the provider at checkout time.
Recipients, subprocessors, and infrastructure
We do not sell personal data. We share data with a limited set of categories of providers:
- hosting and infrastructure vendors that store and run Varox
- subscription billing providers acting as merchant of record for purchases
- email delivery providers for transactional messages
- monitoring, logging, and security tooling used to operate the platform
- external automation or model providers, only when you use product features that call them
We select vendors with reasonable diligence and use written arrangements with data protection terms appropriate under GDPR where they process personal data on our behalf or in connection with our service. Enterprise customers may request a subprocessor category overview; self-service customers are covered by this high-level description.
International transfers
We host and process data primarily in the EU or EEA where we can. Some subprocessors may process data in other regions. Where personal data is transferred outside the EEA, we use appropriate safeguards such as Standard Contractual Clauses and supplementary measures where needed, unless another lawful transfer mechanism applies.
Retention and deletion
We keep information only as long as needed for the purposes described in this policy, then delete or anonymize it when no longer required. Indicative periods:
- account profile data – for the life of the account, then deleted or anonymized within a reasonable window after closure unless law requires a longer hold
- business datasets and planning artefacts – until you remove them or remove the underlying workspace resources, plus short backup and disaster-recovery overlap
- technical and security logs – typically weeks to a few months, depending on subsystem and investigation need
- billing metadata – as long as needed for tax, accounting, chargebacks, and dispute handling, consistent with our subscription billing provider's records and applicable law
Exact schedules can vary by feature or legal context. For enterprise deployments with custom retention needs, contact us to discuss what is feasible in the product and infrastructure.
Exports, backups, and your own records
Varox may offer exports of results or configurations. You are responsible for downloading and storing copies you need for audits, continuity, or regulatory reasons. We maintain infrastructure backups for disaster recovery and integrity; those are not a substitute for your own export strategy or archival policy.
Security and incidents
We implement technical and organizational measures appropriate to a SaaS product handling business planning data: access controls, encryption in transit using industry-standard TLS for browser and API traffic, separation between tenants in the application layer, monitoring for anomalies, and least-privilege access for operational staff where applicable.
For a concise overview of platform security measures, see the Security page.
No online service is perfectly secure. If we confirm an incident that is likely to result in a material risk to your personal data, we will notify affected users and supervisory authorities when GDPR (or other applicable law) requires it, describe what we know in a practical way, and take steps to contain the issue and reduce recurrence.
Your rights
Depending on your situation, GDPR may give you rights including to:
- access the personal data we hold about you
- request correction of inaccurate data
- request deletion, restriction, or objection where grounds apply
- receive a structured copy of data you provided, where technically feasible (data portability)
- withdraw consent where processing was based on consent, without affecting prior lawful processing
- lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement
To exercise rights, email [email protected]. We may need to verify your identity before acting on a request.
Changes to this policy
We may update this Privacy Policy when our practices or the product change. We will post the new version on this page and change the "Last updated" date. If an update materially affects you, we will provide additional notice where appropriate (for example by email or in-product notice).
Contact
Varox – privacy inquiries: [email protected]