VCloud Logo
Home Pricing App Store Careers Partners Contact About Us
Book a Demo Sign In
Privacy Center

Privacy

  • Overview
  • Privacy Policy
  • Cookies Policy

Legal

  • Terms of Service
Legal

Personal Data Protection Policy

Last updated: June 09, 2026

Table of Contents#

  • Purpose, Scope and Responsibility
  • Terminology, Acronyms and Abbreviations
  • Data Controller Identity and Processing Roles
  • Categories of Personal Data
  • Legal Basis for Processing
  • How We Use Personal Data
  • Data Sharing and Disclosure
  • Data Security
  • Shared Responsibility Model
  • Data Retention
  • Data Residency
  • International Data Transfers
  • Your Rights as a Data Subject
  • Cookies and Tracking Technologies
  • Children's Data
  • Policy Updates
  • Supervisory Authorities
  • Contact Information
  • Referenced Legal and Regulatory Articles

Purpose, Scope and Responsibility#

Purpose#

VCloud ("VCloud," "we," "us," or "our") is a cloud infrastructure services provider committed to the responsible, lawful, and transparent processing of personal data. This Personal Data Protection Policy (the "Policy") establishes the principles, obligations, and controls governing how VCloud collects, uses, stores, discloses, and protects personal data across all its operations.

This Policy is designed to ensure compliance with applicable data protection legislation, including but not limited to the General Data Protection Regulation (GDPR) (EU) 2016/679, the UK GDPR as retained under the Data Protection Act 2018, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). It applies to all personal data processed in the context of VCloud's services, regardless of where that data originates.

This document serves as the primary reference for VCloud's data protection practices and is intended for customers, data subjects, regulatory authorities, and internal stakeholders.

Scope#

This Policy applies to:

  • All personal data collected, processed, stored, or transmitted by VCloud in connection with the provision of its cloud infrastructure services.
  • All employees, contractors, agents, and third-party processors acting on behalf of VCloud.
  • All customers and users accessing VCloud's platform, website, or services.
  • All personal data processed in any format, whether digital or physical.

In the United States, this Policy additionally incorporates the requirements of the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and its implementing regulations at 16 C.F.R. Part 312, enforced by the Federal Trade Commission (FTC). Where COPPA applies, its requirements operate alongside and, where stricter, take precedence over the general provisions of this Policy.

This Policy does not apply to anonymised data that cannot reasonably be used to re-identify a natural person, nor to data processed by customers within their own environments, for which the customer acts as the data controller and assumes full responsibility.


Terminology, Acronyms and Abbreviations#

Term / Acronym Definition
AES-256 Advanced Encryption Standard with a 256-bit key length. The symmetric encryption algorithm used by VCloud for data at rest.
CCPA / CPRA California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act (effective 1 January 2023).
Controller The natural or legal person, public authority, agency, or other body which determines the purposes and means of the processing of personal data (GDPR Art. 4(7)).
COPPA Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and implementing FTC regulations at 16 C.F.R. Part 312.
Data Subject An identified or identifiable natural person whose personal data is processed.
DPA Data Processing Agreement - a contract between a controller and a processor governing the terms of personal data processing, as required by GDPR Art. 28.
DPO Data Protection Officer - a designated individual responsible for overseeing data protection strategy and compliance, as required under GDPR Art. 37.
EEA European Economic Area - comprising the EU member states, Iceland, Liechtenstein, and Norway.
FTC Federal Trade Commission - the primary US federal consumer protection and COPPA enforcement authority.
GDPR General Data Protection Regulation (EU) 2016/679, in force since 25 May 2018.
IDTA International Data Transfer Agreement - the UK mechanism for lawful transfers of personal data to third countries.
KMS Key Management Service - a dedicated system for generating, storing, and managing cryptographic keys.
LIA Legitimate Interest Assessment - a documented balancing test required when relying on legitimate interests (GDPR Art. 6(1)(f)) as a legal basis for processing.
MFA Multi-Factor Authentication - an access control mechanism requiring two or more independent credentials for authentication.
Personal Data Any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).
Processor A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (GDPR Art. 4(8)).
Pseudonymisation Processing personal data such that it can no longer be attributed to a specific data subject without additional information kept separately (GDPR Art. 4(5)).
RBAC Role-Based Access Control - a method of restricting system access based on the roles of individual users within an organisation.
SCCs Standard Contractual Clauses - model clauses approved by the European Commission for lawful transfer of personal data to third countries (GDPR Art. 46(2)(c)).
Sub-processor A third-party data processor engaged by the primary data processor to assist in processing personal data on behalf of the controller.
TIA Transfer Impact Assessment - a documented analysis required by the CJEU Schrems II judgment (C-311/18) to assess the legal framework of a destination country before transferring personal data.
TLS 1.3 Transport Layer Security version 1.3 - the current standard protocol for encrypting data in transit.
UK GDPR The GDPR as retained in UK law following Brexit, under the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018.
VPC Verifiable Parental Consent - a COPPA-required mechanism to obtain a parent's or guardian's consent before collecting personal information from a child under 13 (16 C.F.R. § 312.5).

Data Controller Identity and Processing Roles#

Data Controller Identity#

Kamasi, Inc. is the data controller for all personal data processed through the VCloud platform. As data controller, Kamasi, Inc. determines the purposes and means of processing and bears primary legal responsibility for compliance.

  • Legal Entity: Kamasi, Inc.
  • Incorporation: Delaware, United States of America
  • EU Representative: Available on request (required under GDPR Art. 27)
  • Data Protection Officer (DPO): dpo@varisymo.com
  • General Privacy Contact: privacy@varisymo.com

Processing Roles#

VCloud operates in different legal roles depending on the processing context, as defined under GDPR Art. 4(7) and Art. 4(8):

Role Context Obligations
Data Controller Account management, billing, support, internal analytics, marketing Determines purposes and means; bears full GDPR compliance responsibility
Data Processor Customer application data and workloads hosted on VCloud infrastructure Processes only on documented customer instructions; maintains Art. 28 DPA
Joint Controller (limited) Platform-wide fraud detection and security analytics involving both parties' data inputs Responsibilities allocated by written arrangement per GDPR Art. 26

Where VCloud acts as a Joint Controller, a summary of the arrangement and each party's responsibilities is available on request at privacy@varisymo.com. Customers retain responsibility for providing adequate notice to their end users and for establishing a lawful basis for their own data collection activities.


Categories of Personal Data#

VCloud processes several categories of personal data in connection with the delivery of its services. Each category is defined below, together with representative examples, the purpose for which the data is processed, and the applicable legal basis under GDPR Art. 6. Where a legal obligation or contractual necessity applies under CCPA, this is noted.

VCloud does not intentionally collect or process special category data as defined under GDPR Art. 9 (e.g., health, biometric, racial or ethnic origin, religious belief, or political opinion). If such data is inadvertently received, it will be deleted without delay.

For the purposes of COPPA compliance (16 C.F.R. § 312.2), "personal information" in the context of children under 13 includes, in addition to the categories listed below: persistent identifiers used to recognise a user over time or across services (including cookies and device identifiers); geolocation data precise enough to identify a street name and city; photographs, video files, and audio files containing a child's image or voice; and any information collected in combination that would permit the physical or online contacting of a specific child. VCloud's platform is not directed at children, and none of the data categories below are intentionally collected from individuals under 13.

Category Definition Examples Purpose of Processing Legal Basis (GDPR)
Account & Identity Data Personal data collected at account registration and maintained throughout the customer relationship to identify and authenticate the account holder. Full legal name, display name, email address, company name, country of residence, tax identifier (VAT / EIN) Account creation, user authentication, service access control, communication, billing, and legal compliance. Art. 6(1)(b): Performance of contract; Art. 6(1)(c): Legal obligation (tax/invoicing)
Billing & Financial Data Financial information necessary to process payments, generate invoices, and comply with accounting and tax obligations. Raw payment card numbers are never stored by VCloud. Billing address, payment method metadata (last 4 digits, expiry), transaction records and amounts, invoice history, tax identifiers Payment processing, invoice generation, financial reconciliation, and statutory record-keeping. Art. 6(1)(b): Contract; Art. 6(1)(c): Legal obligation (7-year accounting retention)
Usage & Technical Data Automatically collected technical data generated when a user interacts with the VCloud platform, including browsing behaviour and system diagnostics. IP address (country/region level), browser type and version, operating system, pages visited with timestamps, session duration, referral URL, API response times, error logs and crash reports Platform security, abuse prevention, performance monitoring, service improvement, and capacity planning. Art. 6(1)(f): Legitimate interests (security, reliability); Art. 6(1)(b): Contract
Infrastructure & Application Data Data generated by customer use of VCloud's cloud infrastructure services. VCloud processes this data solely as a data processor under customer instruction and does not use it for its own purposes. Resource usage metrics (CPU, RAM, disk I/O, network), deployment configurations, encrypted environment variables, application logs, backup and snapshot data Service delivery, resource allocation, customer support, and backup/recovery. Never used for VCloud's internal analytics or model training. Art. 6(1)(b): Contract (processor role); CCPA: Service provider exception
Communications Data Data generated through correspondence between VCloud and its customers or users, including support tickets, emails, and in-product messages. Support ticket content, email correspondence, chat logs, feedback submissions, survey responses Customer support, incident resolution, service improvement, and record-keeping. Art. 6(1)(b): Contract; Art. 6(1)(f): Legitimate interests (service quality)
Analytics & Aggregated Data Pseudonymised or anonymised data derived from usage patterns, used to improve VCloud's services. Pseudonymised data remains personal data under GDPR; fully anonymised data does not. Aggregated feature usage statistics, performance benchmarks, A/B test participation flags, infrastructure capacity metrics Product improvement, UX optimisation, infrastructure capacity planning, and cost recommendation modelling. VCloud never uses customer application data for model training. Art. 6(1)(f): Legitimate interests (product improvement); Anonymised data falls outside GDPR scope
Security & Audit Log Data Records generated by VCloud's security systems for the purpose of detecting, investigating, and responding to security incidents and policy violations. Login timestamps and locations, failed authentication attempts, admin access logs, system configuration change logs, incident records Security monitoring, threat detection, incident investigation, forensic analysis, and regulatory compliance. Art. 6(1)(f): Legitimate interests (security); Art. 6(1)(c): Legal obligation (incident reporting)
Marketing & Consent Data Data relating to a user's marketing preferences and the consent records supporting any marketing communications sent by VCloud. Marketing opt-in records with timestamp and mechanism, email subscription status, communication preferences, consent withdrawal records Sending marketing communications solely to consented users; maintaining an auditable consent trail in compliance with GDPR and ePrivacy requirements. Art. 6(1)(a): Consent; CCPA § 1798.120 - Right to opt out

Legal Basis for Processing#

All processing of personal data by VCloud is conducted on an established legal basis as required by GDPR Art. 6. The applicable legal bases are set out in the table below. For processing based on legitimate interests, VCloud conducts and maintains Legitimate Interest Assessments (LIAs), which are available on request.

Processing Activity Legal Basis GDPR Reference
Account registration and service provisioning Performance of a contract Art. 6(1)(b)
User authentication and access control Performance of a contract Art. 6(1)(b)
Payment processing and invoice generation Performance of a contract + Legal obligation Art. 6(1)(b) / (c)
Statutory financial record-keeping (7 years) Legal obligation Art. 6(1)(c)
Security monitoring and fraud detection Legitimate interests Art. 6(1)(f)
Platform analytics and product improvement Legitimate interests Art. 6(1)(f)
Audit logging and incident investigation Legitimate interests + Legal obligation Art. 6(1)(c) / (f)
Marketing communications Consent Art. 6(1)(a)
Compliance with law enforcement requests Legal obligation Art. 6(1)(c)
Customer support and communications Performance of a contract Art. 6(1)(b)
Suspension of account upon detection of under-13 user Legal obligation + Legitimate interests COPPA 15 U.S.C. § 6502(a)(1); GDPR Art. 6(1)(c)
Parental notification upon discovery of child data Legal obligation COPPA 16 C.F.R. § 312.5; GDPR Art. 6(1)(c)

How We Use Personal Data#

Service Delivery#

Personal data is primarily used to operate, maintain, and improve the VCloud platform. This includes:

  • Provisioning, scaling, and maintaining cloud resources in accordance with customer configurations and instructions.
  • Authenticating user identity, enforcing access controls, and managing user sessions.
  • Processing subscription payments and generating tax-compliant invoices.
  • Sending critical service notifications including downtime alerts, certificate expiry warnings, and security advisories. These communications are necessary for the performance of the contract and cannot be opted out of while an account is active.

Communications#

VCloud communicates with users through three distinct channels, each with a separate legal basis:

Communication Type Description and Legal Basis
Transactional Invoices, password resets, security alerts. Basis: performance of contract (Art. 6(1)(b)). Cannot be opted out of while account is active.
Service Announcements Planned maintenance, new features, policy updates. Basis: legitimate interests (Art. 6(1)(f)). Opt-out available.
Marketing Product news, promotions, case studies. Basis: explicit consent (Art. 6(1)(a)). Consent may be withdrawn at any time with immediate effect.

Analytics and Product Improvement#

Aggregated and pseudonymised usage data is analysed to identify usability issues, plan infrastructure capacity, and guide product development. Where A/B testing is conducted on a subset of users, participation is disclosed and an opt-out is available under Settings → Privacy → Feature Testing.

Internal Model Training (Explicit Limitation)#

VCloud may use anonymised, aggregated platform-level telemetry data to improve internal anomaly detection and infrastructure cost recommendation models. VCloud does not, under any circumstances, use customer application data, content, or workloads to train any internal or third-party machine learning models. This restriction is enforced at the infrastructure level, documented in our sub-processor agreements, and subject to regular independent audit.

This commitment reflects the purpose limitation principle under GDPR Art. 5(1)(b), which prohibits processing data for purposes incompatible with the original lawful basis.


Data Sharing and Disclosure#

No Sale of Personal Data#

VCloud does not sell personal data to any third party for monetary or other valuable consideration. VCloud does not share personal data with third parties for the purposes of cross-context behavioural advertising. These represent two distinct and separate commitments under the CPRA (Cal. Civ. Code § 1798.120 and § 1798.121). California residents are notified that neither practice is engaged in and no opt-out mechanism is required. This statement will be updated immediately and prior notice given should our practices change.

Sub-Processors and Infrastructure Partners#

VCloud relies on a limited set of trusted and vetted third-party sub-processors to operate its platform. All sub-processors are contractually bound by Data Processing Agreements (DPAs) meeting GDPR Art. 28 requirements, are subject to Standard Contractual Clauses (SCCs) or equivalent transfer safeguards, and undergo security due diligence assessments.

Sub-Processor Purpose Location Transfer Safeguard
Amazon Web Services Primary cloud infrastructure hosting EU / US SCCs + TIA
Microsoft Azure Secondary cloud infrastructure (select workloads) EU / US SCCs + TIA
Stripe Payment processing and billing US SCCs
Postmark Transactional email delivery US SCCs
Datadog Infrastructure monitoring and observability US SCCs

A complete and current list of sub-processors is available on request at privacy@varisymo.com. Customers will be notified at least 30 days in advance of any material changes to the sub-processor list.

Legal Disclosures#

VCloud may disclose personal data to law enforcement or regulatory authorities where required by a valid and legally binding court order, subpoena, warrant, or applicable law. In all such cases, VCloud will:

  • Review the legal validity and proportionality of each request before complying.
  • Challenge requests that are overly broad, lacking legal basis, or otherwise in breach of applicable law.
  • Notify affected users prior to disclosure wherever legally permitted to do so.
  • Log all disclosures and maintain records for audit purposes.

Business Transfers#

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of VCloud's assets, personal data may be transferred to the successor entity. Affected users will be notified at least 30 days in advance of any such transfer. Their rights under this Policy will be maintained by the successor entity, and users will be provided with the opportunity to exercise their data rights prior to the transfer.


Data Security#

VCloud implements technical and organisational security measures proportionate to the risks of processing, consistent with the requirements of GDPR Art. 32 and the "reasonable security" standard under CCPA § 1798.150.

Encryption#

Context Standard Applied
Data in transit TLS 1.3 for all connections between user browser/CLI and the VCloud API
Data at rest AES-256 encryption for all stored data, including database records and backups
Secrets and environment variables Encrypted using a dedicated Key Management Service (KMS) with separate encryption keys; not accessible to VCloud staff under any operational circumstance
Backup data Encrypted with AES-256 and stored across geographically redundant locations

Access Controls#

Access to production systems and customer data is governed by strict controls aligned with GDPR Art. 32(1)(b) and the principle of integrity and confidentiality under Art. 5(1)(f):

  • Production infrastructure access is restricted to authorised engineers, protected by hardware-based multi-factor authentication (MFA).
  • All administrative access is logged in tamper-evident audit logs; anomalous access patterns trigger automated real-time alerts.
  • Customer data is never accessed by VCloud staff without an open, customer-initiated support ticket and the customer's explicit consent, except where strictly required to resolve a critical service-affecting incident. All such accesses are logged and customers are notified following resolution.
  • Role-Based Access Control (RBAC) enforces the principle of least privilege across all internal teams. Access rights are reviewed quarterly and revoked upon role change or departure.

Incident Response#

VCloud maintains a formal, documented security incident response programme:

Milestone Commitment
Internal triage All potential security incidents are investigated within 4 hours of detection
Regulatory notification In the event of a confirmed personal data breach, the relevant supervisory authority is notified within 72 hours (GDPR Art. 33)
Customer notification Affected customers are notified without undue delay following breach confirmation (GDPR Art. 34)
Post-incident report A final incident report is provided to affected customers within 30 days
Public disclosure A post-incident summary is published on the VCloud status page for all significant incidents

Shared Responsibility Model#

The security of data processed through VCloud's infrastructure is a shared responsibility between VCloud and its customers. The boundaries of responsibility are defined as follows:

Responsibility Area VCloud Customer
Physical infrastructure security Full responsibility Not applicable
Network perimeter security Full responsibility Customer-managed network components
Platform encryption (at rest, in transit) Full responsibility Application-level encryption (customer choice)
Identity and access management Platform-level RBAC and MFA User credentials, API keys, and IAM policies within their environment
Application security Not applicable Full customer responsibility
Patch management Platform and infrastructure components Customer-managed operating systems and applications
Security monitoring Platform-level threat detection Application-level monitoring and alerting
Data classification and handling Platform data governance Customer data governance within their environment

VCloud is not liable for security failures, data breaches, or compliance deficiencies arising from customer misconfiguration, insecure application development, or failure to apply available security controls within the customer's area of responsibility. This allocation is formally documented in the Data Processing Agreement (DPA) governing each customer relationship.


Data Retention#

VCloud retains personal data only for as long as is necessary for the purposes for which it was collected, consistent with the storage limitation principle under GDPR Art. 5(1)(e) and CCPA § 1798.100(d). The following retention schedules apply:

Data Category Retention Period Basis for Retention
Account and identity data Active account period + 30 days following deletion request Contractual necessity; Art. 6(1)(b)
Application logs Per customer-configured retention policy (default: 30 days) Customer instruction; Art. 28(3)
Billing and financial records 7 years from transaction date Legal obligation: accounting and tax law
Security and audit logs 12 months from creation Legitimate interests: incident investigation
Pseudonymised analytics 24 months from collection Legitimate interests: storage limitation applies
Anonymised analytics Indefinite (not personal data under GDPR Art. 4(1)) Outside GDPR scope: no identifiable natural person
Encrypted backup data Up to 35 days Contractual necessity: business continuity
Marketing consent records Duration of consent + 3 years (audit trail) Legal obligation: demonstrating consent under Art. 7(1)
Personal data collected from a child under 13 (if discovered) Deleted within 10 business days of discovery (no further retention) COPPA 16 C.F.R. § 312.10: retain only as long as reasonably necessary; FTC guidance mandates prompt deletion upon discovery

Important distinction: Pseudonymised data, where re-identification remains possible using a key held by VCloud, constitutes personal data under GDPR Art. 4(1) and is subject to retention limits. Truly anonymised data, where re-identification is not reasonably possible by any party, falls outside the GDPR's scope and may be retained indefinitely for statistical or research purposes.

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised using industry-standard methods. Backup copies containing personal data will be purged within the applicable backup retention window.

COPPA Retention Standard: Where personal information has been collected from a child under 13, whether knowingly or inadvertently, VCloud applies the COPPA retention standard under 16 C.F.R. § 312.10: such data is retained only for as long as is reasonably necessary to fulfil the purpose for which it was collected, and in the case of inadvertent collection, that purpose is exclusively the identification and deletion of the data. No secondary use, aggregation, or archiving of such data is permitted under any circumstance.


Data Residency#

VCloud provides customers with the ability to select their preferred deployment region (e.g., EU-West, US-East, AP-Southeast). VCloud commits to the following:

  • Customer data is stored and processed exclusively within the region selected by the customer.
  • Cross-region data access is limited to tightly controlled scenarios, namely: responding to a customer-initiated support request, or addressing a critical platform security incident. All such cross-region access is logged, time-limited, and subject to the controls described in the Data Security section.
  • Data residency commitments are enforceable through the customer's Data Processing Agreement (DPA).

Customers with specific data sovereignty requirements (e.g., under national law or sector-specific regulation) are advised to review available regions and confirm their configuration with their VCloud account manager.


International Data Transfers#

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, VCloud relies on the following approved transfer mechanisms as required by GDPR Chapter V and the UK GDPR:

Transfer Mechanism Applicability and Details
EU Standard Contractual Clauses (SCCs) Implemented pursuant to the 2021 European Commission implementing decision. Applied to all transfers from the EEA to third countries without an adequacy decision.
UK International Data Transfer Agreement (IDTA) Applied to all transfers of UK personal data to third countries, in accordance with the Information Commissioner's guidance.
Adequacy Decisions Where the European Commission or UK Secretary of State has recognised a third country as providing an adequate level of protection, transfers may rely on that adequacy finding.
Transfer Impact Assessments (TIAs) Conducted for all transfers to third countries in response to the CJEU Schrems II judgment (C-311/18). Supplementary technical measures, including end-to-end encryption, are applied where the legal framework of the destination country may not provide equivalent protection.

All sub-processors engaged in international transfers are subject to the same transfer safeguards, as documented in their respective DPAs. A copy of the applicable SCCs or transfer mechanism documentation is available on request at privacy@varisymo.com.


Your Rights as a Data Subject#

Depending on your location and the applicable law, you hold the following rights in relation to your personal data. VCloud is committed to facilitating these rights promptly and without undue obstacle. We will not discriminate against you for exercising any right available to you (CCPA § 1798.125).

Right Description How to Exercise
Right of Access (Art. 15 GDPR; CCPA § 1798.100) The right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with information about how it is processed. Email privacy@varisymo.com. Fulfilled within 30 days.
Right to Data Portability (Art. 20 GDPR) The right to receive your personal data in a structured, commonly used, machine-readable format (JSON / CSV) and to transmit it to another controller. Email privacy@varisymo.com. Fulfilled within 30 days.
Right to Rectification (Art. 16 GDPR; CCPA § 1798.106) The right to have inaccurate or incomplete personal data corrected without undue delay. Contact privacy@varisymo.com. Actioned within 10 business days.
Right to Erasure (Art. 17 GDPR; CCPA § 1798.105) The right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent. Email privacy@varisymo.com. Data deleted within 30 days subject to legal retention obligations.
Right to Restriction of Processing (Art. 18 GDPR) The right to request that processing of your data be restricted where accuracy is contested, processing is unlawful, or an objection has been lodged. Email privacy@varisymo.com. Actioned within 10 business days.
Right to Object (Art. 21 GDPR) The right to object to processing based on legitimate interests. VCloud will cease processing unless it can demonstrate compelling legitimate grounds that override your interests. Email privacy@varisymo.com. Written response with justification provided within 30 days.
Right to Withdraw Consent (Art. 7(3) GDPR) Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Marketing: unsubscribe link in any email (≤48h effect). Cookies: cookie preference centre (immediate). Other: privacy@varisymo.com (≤10 business days).
Right to Complain (Art. 77 GDPR) The right to lodge a complaint with a competent supervisory authority without prejudice to any other remedy. See the Supervisory Authorities section. We encourage you to contact us first.
CCPA Right to Know and Delete (§ 1798.100, § 1798.105) California residents may request disclosure of specific personal information collected, or request its deletion. Email privacy@varisymo.com. Verified within 45 days (extendable by 45 days with notice).

Identity Verification#

To protect the security of personal data, VCloud may require verification of your identity before processing a rights request. We will request only the minimum information necessary to confirm your identity and will not require disproportionate effort. Verification requests will be communicated promptly and will not be used to delay or obstruct the exercise of your rights.

Grounds for Override of Objection Requests#

VCloud may decline to action an objection to processing only where one or more of the following conditions is documented:

  • Processing is required to comply with a specific legal obligation binding on VCloud.
  • Processing is strictly and demonstrably necessary to prevent fraud or protect the integrity and security of the platform.
  • An overriding legitimate interest has been identified in a current and reviewed Legitimate Interest Assessment (LIA), which itself was balanced against the data subject's rights and interests at the time of drafting.

VCloud will provide written justification within 30 days in all cases where it declines to action an objection.


Cookies and Tracking Technologies#

VCloud uses cookies and similar tracking technologies in accordance with the ePrivacy Directive (2002/58/EC), GDPR, and CCPA § 1798.135. A detailed Cookie Policy is available on the VCloud website. A summary of the cookie categories used is provided below.

Cookie Category Purpose Opt-Out Available?
Strictly Necessary Session management (keeps you logged in), CSRF protection, load balancer routing. These are essential for platform operation. No - required for service functionality
First-Party Analytics Anonymised, aggregated analysis of platform usage to improve UX and identify performance issues. Does not track across third-party websites. Yes - Settings → Privacy → Cookie Preferences or browser settings
Advertising / Third-Party Tracking Not used. VCloud does not deploy advertising cookies, pixels, or third-party tracking SDKs of any kind. Not applicable - not used

Children's Data#

General Age Threshold: GDPR (Under 16) [GDPR Art. 8 | UK GDPR Art. 8]#

VCloud's services are not directed at, and are not intended for use by, individuals under the age of 16. In jurisdictions governed by GDPR or UK GDPR, the minimum age for consent to digital services processing is 16 years. VCloud does not knowingly collect personal data from individuals under this threshold.

Where VCloud becomes aware that personal data has been collected from a person under the age of 16 without verifiable parental or guardian consent:

  • The data will be deleted within 10 business days of discovery.
  • The associated account will be suspended pending identity verification.
  • A notification will be issued to the registered contact email and, where available, to a parent or guardian.

If you believe that VCloud has inadvertently collected data from a child under 16, please contact privacy@varisymo.com immediately.

COPPA Compliance: United States (Under 13) [COPPA 15 U.S.C. §§ 6501–6506 | 16 C.F.R. Part 312]#

For users located in the United States, VCloud additionally complies with the Children's Online Privacy Protection Act (COPPA) and its implementing FTC regulations. COPPA imposes specific and non-negotiable obligations on operators with respect to children under the age of 13.

Applicability and Age Threshold#

VCloud's platform is a B2B cloud infrastructure service directed exclusively at business entities and adult professionals. It is not directed at children under 13. VCloud does not knowingly collect, use, or disclose personal information from children under 13.

Notwithstanding this, COPPA obligations are triggered upon actual knowledge that a user is under 13, regardless of intent. VCloud therefore maintains the procedures described below.

COPPA Definition of Personal Information [16 C.F.R. § 312.2]#

For COPPA purposes, "personal information" of a child under 13 includes each of the following, whether collected individually or in combination:

  • Full name
  • Home or physical address, including street name and city
  • Email address or other online contact information
  • Telephone number
  • Social Security number or government-issued identifier
  • Persistent identifiers (including cookies, IP addresses, device identifiers, and customer numbers) where used to recognise a user across sessions or services over time
  • Geolocation data sufficiently precise to identify a street name and city or town
  • Photographs, video files, or audio files containing a child's image or voice
  • Any information about a child collected in combination with any of the above identifiers

VCloud acknowledges that certain data it collects in the ordinary course of service delivery - including IP addresses and session cookies - may constitute COPPA-covered personal information if associated with a known child under 13. Upon discovery of any such association, the procedures in the Actual Knowledge section apply immediately.

Verifiable Parental Consent [16 C.F.R. § 312.5]#

COPPA requires operators to obtain verifiable parental consent (VPC) before collecting, using, or disclosing personal information from children under 13. VCloud does not have a mechanism to accept registrations from individuals under 13 and does not present any consent flow designed for children. Accordingly:

  • Account registration requires affirmative confirmation that the registrant is 18 years of age or older.
  • No service feature is designed to collect personal information from a child user.
  • VCloud does not offer any child-directed feature, mode, or interface.

In the event that VCloud acquires actual knowledge that a child under 13 is using the platform, no further personal information will be collected from that user until the account is suspended and the procedures below are followed.

Actual Knowledge: Internal Handling Procedure [15 U.S.C. § 6502(a)(1)]#

COPPA liability may arise from actual knowledge, not merely intent. VCloud maintains the following internal procedure for all scenarios in which actual knowledge of an under-13 user is obtained (whether through self-disclosure in a support interaction, a parental complaint, automated detection, or any other means):

Upon suspicion (before confirmation):

  • The user account is immediately flagged and placed in a restricted state.
  • No additional personal information is collected from the account during the review period.
  • The compliance team is notified within 4 hours.

Upon confirmation:

  • The account is suspended without delay.
  • All personal information associated with the account is queued for deletion within 10 business days.
  • The parent or guardian identified through available contact information is notified in writing, by email, within 48 hours of confirmation.
  • The notification includes: (a) the categories of information collected; (b) how the information was used; (c) confirmation that deletion has been initiated; and (d) contact details for the VCloud privacy team.
  • A record of the incident, including discovery date, data categories involved, and deletion confirmation, is retained for internal audit purposes only and for no longer than 12 months.

Parental Rights Under COPPA [16 C.F.R. § 312.6]#

Parents and legal guardians of children under 13 whose personal information has been collected by VCloud hold the following rights, which are distinct from and additional to the general data subject rights above:

  • Right to review - the right to request access to the personal information collected from their child, prior to VCloud's deletion of that data.
  • Right to deletion - the right to request that VCloud delete personal information collected from their child. VCloud will action such requests within 10 business days.
  • Right to refuse further collection - the right to direct VCloud to cease any further collection or use of the child's personal information.
  • Right to selective consent - the right to consent to VCloud's collection and internal use of the child's information while refusing consent to its disclosure to third parties, to the extent any such disclosure would otherwise occur.

To exercise any of the above rights, parents or guardians should contact privacy@varisymo.com. VCloud will verify the identity of the requesting parent or guardian before providing access to or confirming deletion of a child's data.

No Conditioning of Participation [16 C.F.R. § 312.7]#

VCloud does not condition access to any service, feature, or functionality on a user - including a child - disclosing more personal information than is reasonably necessary for participation in that activity. No element of VCloud's registration, onboarding, or service delivery process requires excessive or disproportionate data disclosure.

COPPA-Specific Data Retention [16 C.F.R. § 312.10]#

Personal information collected from a child under 13, whether knowingly or inadvertently, is retained by VCloud only for as long as is reasonably necessary to fulfil the purpose for which it was collected. In all cases of inadvertent collection, that purpose is exclusively identification and deletion. No secondary use, analysis, aggregation, archiving, or transfer of such data is permitted. Secure deletion is performed using industry-standard irreversible methods within 10 business days of the confirmed discovery date.

FTC Safe Harbor [16 C.F.R. § 312.11]#

VCloud does not currently participate in an FTC-approved COPPA safe harbor programme. Should VCloud seek to expand services into consumer or education markets where child users may be present, participation in an approved safe harbor will be evaluated and this Policy updated accordingly with advance notice to customers.

Conflict Resolution [COPPA and GDPR Art. 8]#

Where a user is located in the EU or EEA, GDPR Art. 8 applies and the minimum age threshold is 16. Where a user is located in the United States, COPPA applies and the minimum threshold for its specific parental consent obligations is 13. Where both frameworks are potentially applicable (for instance, where a US-resident child is under 16 but over 13), VCloud applies the following rule:

  • The under-16 restriction on account creation (GDPR Art. 8) applies globally as the baseline.
  • COPPA's parental consent and notification obligations apply specifically and additionally to any US-resident child under 13.
  • Where both regimes impose obligations, the stricter standard on each specific point governs.

Policy Updates#

VCloud may update this Policy from time to time to reflect changes in law, regulatory guidance, or our processing practices. We distinguish between two types of changes and apply different notification procedures accordingly:

Change Type Notification Procedure
Material changes (affecting your rights, our data sharing practices, our legal bases, or the identity of our data processors) Registered users notified by email at least 15 days before the effective date. In-product dashboard notification. A clear summary of changes included in the notification. Continued use after the effective date constitutes acceptance. Users who do not accept a material change may delete their account prior to the effective date.
Minor changes (clarifications, typographical corrections, or factual updates that do not alter your rights or our practices) Policy updated without prior notice. 'Last Updated' date revised. Change log entry added to the policy revision history.

Supervisory Authorities#

You have the right to lodge a complaint with a competent supervisory authority at any time, without prejudice to any other administrative or judicial remedy (GDPR Art. 77). VCloud encourages data subjects to contact us directly at privacy@varisymo.com in the first instance so that we may endeavour to resolve any concern promptly.

Jurisdiction Authority Contact
European Union (Ireland: lead authority) Irish Data Protection Commission (DPC) www.dataprotection.ie
United Kingdom Information Commissioner's Office (ICO) www.ico.org.uk
California, United States California Privacy Protection Agency (CPPA) cppa.ca.gov
Other EU member states Your local national data protection authority https://edpb.europa.eu/about-edpb/about-edpb/members_en
United States: COPPA Enforcement Federal Trade Commission (FTC) www.ftc.gov/coppa - complaints via reportfraud.ftc.gov

The FTC holds primary enforcement authority for COPPA violations under 15 U.S.C. § 6505. Civil penalties for knowing COPPA violations can reach $51,744 per violation per day (adjusted periodically for inflation under the Federal Civil Penalties Inflation Adjustment Act). VCloud's COPPA compliance procedures are designed to eliminate the conditions for such violations. Complaints regarding VCloud's treatment of children's data may be submitted to the FTC at reportfraud.ftc.gov.


Contact Information#

For any enquiries, rights requests, or concerns relating to this Policy or to VCloud's data protection practices, please use the appropriate channel below:

Channel Details
General Privacy Enquiries privacy@varisymo.com - Response within 5 business days
Data Protection Officer (DPO) dpo@varisymo.com - For GDPR-specific enquiries, rights requests, and escalations
DPIA Assistance (GDPR Art. 35) dpa@varisymo.com - For customers requiring Data Protection Impact Assessment support
Urgent Security Concerns security@varisymo.com - For reporting potential vulnerabilities or active security incidents
Postal Address Kamasi, Inc., Privacy Team, [Address on file], Delaware, USA

Referenced Legal and Regulatory Articles#

The following legal provisions are referenced throughout this Policy. Each reference is identified by number, with the title of the provision, a summary of its relevance to this document, and a link to the authoritative official source.

No. Article / Provision Description of Relevance Official Source
1 GDPR Art. 4: Definitions Defines key terms including 'personal data', 'processing', 'controller', 'processor', 'pseudonymisation', and 'data subject'. Foundational to interpreting the scope of this Policy. Official GDPR Text
2 GDPR Art. 5: Principles relating to processing of personal data Establishes the seven data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. All VCloud processing must comply with these principles. Official GDPR Text
3 GDPR Art. 6: Lawfulness of processing Specifies the six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Each VCloud processing activity is mapped to one of these bases in the Legal Basis section. Official GDPR Text
4 GDPR Art. 7: Conditions for consent Sets out requirements for valid consent: freely given, specific, informed, and unambiguous. Requires that consent be as easy to withdraw as to give. Governs VCloud's marketing communications and cookie consent practices. Official GDPR Text
5 GDPR Art. 8: Conditions applicable to children's consent Sets the age threshold for digital services consent at 16 years (or lower by member state law). Underpins VCloud's children's data policy. Official GDPR Text
6 GDPR Art. 9: Processing of special categories of personal data Prohibits processing of sensitive categories (health, biometric, racial origin, etc.) without explicit consent or another specified exception. VCloud does not intentionally collect such data. Official GDPR Text
7 GDPR Art. 13: Information to be provided on collection Requires controllers to provide transparent information to data subjects at the point of data collection, including the identity of the controller, purposes, legal bases, retention periods, and data subject rights. Official GDPR Text
8 GDPR Art. 15: Right of access by the data subject Grants individuals the right to obtain confirmation of processing and receive a copy of their personal data, together with supplementary information. Official GDPR Text
9 GDPR Art. 16: Right to rectification Entitles individuals to have inaccurate personal data corrected. Official GDPR Text
10 GDPR Art. 17: Right to erasure ('right to be forgotten') Allows individuals to request deletion of their personal data in specified circumstances. Official GDPR Text
11 GDPR Art. 18: Right to restriction of processing Permits data subjects to request that processing be restricted where accuracy is contested, processing is unlawful, or an objection has been lodged. Official GDPR Text
12 GDPR Art. 20: Right to data portability Grants the right to receive personal data in a structured, machine-readable format and to transmit it to another controller. VCloud provides JSON and CSV exports. Official GDPR Text
13 GDPR Art. 21: Right to object Allows data subjects to object to processing based on legitimate interests. Official GDPR Text
14 GDPR Art. 26: Joint controllers Requires joint controllers to determine their respective responsibilities by arrangement and make the arrangement available to data subjects. Official GDPR Text
15 GDPR Art. 27: Representatives of controllers not established in the Union Requires non-EU data controllers targeting EU residents to designate a representative within the EU. VCloud's EU representative is available on request. Official GDPR Text
16 GDPR Art. 28: Processor Sets out requirements for data processing agreements (DPAs) between controllers and processors, including obligations on sub-processors. Official GDPR Text
17 GDPR Art. 30: Records of processing activities Requires controllers and processors to maintain written records of their processing activities. VCloud maintains an internal Record of Processing Activities (RoPA). Official GDPR Text
18 GDPR Art. 32: Security of processing Requires appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption and access control. Official GDPR Text
19 GDPR Art. 33: Notification of breach to supervisory authority Requires notification of a personal data breach to the competent supervisory authority within 72 hours of becoming aware. Official GDPR Text
20 GDPR Art. 34: Communication of breach to data subject Requires communication to affected individuals where a breach is likely to result in high risk. Official GDPR Text
21 GDPR Art. 35: Data Protection Impact Assessment (DPIA) Requires DPIAs for high-risk processing activities. VCloud provides assistance to customers undertaking DPIAs and conducts its own where required. Official GDPR Text
22 GDPR Art. 44–49: Transfers to third countries Establishes the legal framework for international transfers, including adequacy decisions, SCCs, and supplementary measures. Official GDPR Text
23 GDPR Art. 77: Right to lodge complaint Preserves the right of data subjects to bring complaints to a supervisory authority. Official GDPR Text
24 CCPA/CPRA § 1798.100: Right to Know Grants California consumers the right to know what personal information is collected, the sources, purposes, and third parties with whom it is shared. California Legislative Text
25 CCPA/CPRA § 1798.105: Right to Deletion Grants California consumers the right to request deletion of their personal information. California Legislative Text
26 CCPA/CPRA § 1798.120: Right to Opt-Out of Sale Grants consumers the right to opt out of the sale of their personal information. VCloud does not sell personal data. California Legislative Text
27 CPRA § 1798.121: Right to Opt-Out of Sharing Added by CPRA (effective 2023). Grants consumers the right to opt out of sharing personal data for cross-context behavioural advertising. VCloud does not engage in this practice. California Legislative Text
28 CCPA/CPRA § 1798.125: Non-Discrimination Prohibits businesses from discriminating against consumers for exercising their CCPA/CPRA rights. California Legislative Text
29 CCPA/CPRA § 1798.150: Private Right of Action Allows California consumers to bring a civil action in the event of a data breach resulting from a business's failure to implement reasonable security. California Legislative Text
30 CJEU Judgment C-311/18 (Schrems II) Invalidated the EU-US Privacy Shield and imposed additional requirements on international data transfers, including Transfer Impact Assessments. CJEU Judgment Text
31 ePrivacy Directive 2002/58/EC: Art. 5(3) Requires informed consent before storing or accessing information on a user's device (including cookies), unless strictly necessary. EUR-Lex Official Text
32 Full GDPR Regulation (EU) 2016/679 The complete text of the General Data Protection Regulation, comprising all articles and recitals. The primary legal framework governing VCloud's EU/EEA data protection obligations. Full GDPR Text (EUR-Lex)
33 COPPA 15 U.S.C. § 6501: Definitions Defines "operator," "child," "personal information," and "website or online service directed to children." Establishes the scope of COPPA applicability and the foundational definitions governing Section 15. ftc.gov/coppa
34 COPPA 15 U.S.C. § 6502: Regulation of Unfair or Deceptive Acts The core operative provision of COPPA. Prohibits operators from collecting personal information from children under 13 without verifiable parental consent. ftc.gov/coppa
35 16 C.F.R. Part 312: Children's Online Privacy Protection Rule The FTC's implementing regulation for COPPA. Covers definitions (§ 312.2), parental notice (§ 312.4), verifiable parental consent (§ 312.5), parental rights (§ 312.6), no conditioning of participation (§ 312.7), confidentiality and security (§ 312.8), retention and deletion (§ 312.10), and safe harbor (§ 312.11). ecfr.gov
36 15 U.S.C. § 6505: Enforcement Grants the FTC and state attorneys general authority to enforce COPPA. Sets out the civil penalty framework, including per-violation, per-day penalties. uscode.house.gov

On this page

  • Table of Contents
  • Purpose, Scope and Responsibility
  • Purpose
  • Scope
  • Terminology, Acronyms and Abbreviations
  • Data Controller Identity and Processing Roles
  • Data Controller Identity
  • Processing Roles
  • Categories of Personal Data
  • Legal Basis for Processing
  • How We Use Personal Data
  • Service Delivery
  • Communications
  • Analytics and Product Improvement
  • Internal Model Training (Explicit Limitation)
  • Data Sharing and Disclosure
  • No Sale of Personal Data
  • Sub-Processors and Infrastructure Partners
  • Legal Disclosures
  • Business Transfers
  • Data Security
  • Encryption
  • Access Controls
  • Incident Response
  • Shared Responsibility Model
  • Data Retention
  • Data Residency
  • International Data Transfers
  • Your Rights as a Data Subject
  • Identity Verification
  • Grounds for Override of Objection Requests
  • Cookies and Tracking Technologies
  • Children's Data
  • General Age Threshold: GDPR (Under 16) [GDPR Art. 8 | UK GDPR Art. 8]
  • COPPA Compliance: United States (Under 13) [COPPA 15 U.S.C. §§ 6501–6506 | 16 C.F.R. Part 312]
  • Applicability and Age Threshold
  • COPPA Definition of Personal Information [16 C.F.R. § 312.2]
  • Verifiable Parental Consent [16 C.F.R. § 312.5]
  • Actual Knowledge: Internal Handling Procedure [15 U.S.C. § 6502(a)(1)]
  • Parental Rights Under COPPA [16 C.F.R. § 312.6]
  • No Conditioning of Participation [16 C.F.R. § 312.7]
  • COPPA-Specific Data Retention [16 C.F.R. § 312.10]
  • FTC Safe Harbor [16 C.F.R. § 312.11]
  • Conflict Resolution [COPPA and GDPR Art. 8]
  • Policy Updates
  • Supervisory Authorities
  • Contact Information
  • Referenced Legal and Regulatory Articles
VCloud Logo

Building the future of cloud computing with scalable, secure, and reliable infrastructure.

Company

  • Partners
  • Contact
  • About Us

Products

  • All Products
  • Pricing

Resources

  • Dashboard
  • Support

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Legal Notice

Stay up to date

Get the latest news and updates from VCloud

© 2026 Kamasi, Inc. All rights reserved.

VCloud is a product of Kamasi, Inc., a Delaware C-Corporation.

Home About Careers Pricing Contact Privacy Policy