Privacy Policy

Information We Collect

Account & Identity Data

When you create a VCloud account, we collect the following information to set up and manage your account:

• Full name and display name
• Email address used for login and communications
• Company name and billing address
• Payment information (processed via our payment provider; we do not store raw card numbers)
• Country and tax identifier where required for invoicing

Usage & Technical Data

We automatically collect technical information when you interact with our platform:

• IP address and approximate geolocation (country/region level)
• Browser type, version, and operating system
• Pages and features visited, including timestamps and session duration
• Referral source (e.g. the URL that brought you to VCloud)
• Performance metrics such as page load times and API response times
• Error logs and crash reports to diagnose and fix issues

Infrastructure & Application Data

Data generated by your use of VCloud's cloud infrastructure services:

• Resource usage metrics — CPU, RAM, disk I/O, network throughput
• Deployment configurations — environment variables (encrypted), regions selected, instance types
• Logs produced by your applications — stored only as long as your retention settings specify
• Backup and snapshot data — retained according to your chosen backup policy

How We Use Your Information

Service Delivery

Your data is primarily used to operate VCloud:

• Provisioning, scaling, and maintaining your cloud resources
• Processing payments and generating invoices
• Authenticating your identity and enforcing access controls
• Sending critical service notifications (downtime alerts, certificate expiry warnings, etc.)

Communications

We communicate with you in the following ways:

• Transactional emails — invoices, password resets, security alerts (cannot be opted out of while your account is active)
• Service announcements — planned maintenance, new features, policy updates
• Marketing emails — product news and promotional content, sent only with your explicit consent; you may unsubscribe at any time

Improvement & Analytics

Aggregated and anonymised usage data helps us improve VCloud:

• Identifying underused or confusing features to improve UX
• Capacity planning to ensure infrastructure reliability
• A/B testing new features with a subset of users (opt-out available in settings)
• Training internal models to improve anomaly detection and cost recommendations — never using your application data

Data Sharing & Disclosure

We Do Not Sell Your Data

VCloud does not sell, rent, trade, or otherwise monetise your personal information. We do not share your data with third parties for their own marketing purposes.

Sub-processors & Infrastructure Partners

We rely on a limited set of trusted third parties to operate VCloud:

A complete and up-to-date list of sub-processors is available on request at privacy@varisymo.com.

Legal Requirements

We may disclose your information when:

• Required by a valid court order, subpoena, or applicable law
• Necessary to protect the safety of our users or the public
• Required to enforce our Terms of Service or investigate fraud
• Involved in a merger, acquisition, or sale of assets — in which case you will be notified in advance

Data Security

Encryption

All data in transit and at rest is protected by industry-standard encryption:

• In transit — TLS 1.3 for all connections between your browser/CLI and our API
• At rest — AES-256 encryption for all stored data including backups
• Secrets & environment variables — encrypted with a separate key management service (KMS); not accessible to VCloud staff
• Backups — encrypted and stored across geographically redundant locations

Access Controls

Access to production systems is tightly restricted:

• Only authorised engineers can access production infrastructure, protected by hardware MFA
• All access is logged and audited; anomalous access triggers automated alerts
• Customer data is never accessed by staff without a support ticket and your explicit consent, except where required to resolve a critical incident
• Role-based access control (RBAC) limits what what each team member can see

Incident Response

We maintain a formal security incident response programme:

• All potential incidents are investigated within 4 hours of detection
• In the event of a confirmed data breach affecting your personal data, you will be notified within 72 hours as required by applicable law (GDPR Art. 33 / equivalent)
• A post-incident report is published on our status page for significant incidents

Your Rights

Access & Portability

You have the right to know what data we hold about you:

• Request a full data export at any time via Settings → Privacy → Export My Data
• Data is provided in a portable, machine-readable format (JSON / CSV) within 30 days
• Includes account data, usage history, billing records, and infrastructure configuration

Correction

You may update inaccurate or incomplete personal data:

• Most data can be updated directly in your Account Settings
• For data that cannot be self-corrected, contact privacy@varisymo.com and we will update it within 10 business days

Deletion

You may request deletion of your account and associated data:

• Initiate account deletion via Settings → Account → Delete Account
• Personal data is deleted within 30 days of your request
• Some data may be retained for legal, compliance, or billing purposes (e.g. invoices must be kept for 7 years in certain jurisdictions)
• Anonymised aggregated analytics data derived from your usage may be retained

Opt-Out of Marketing

• Unsubscribe from any marketing email using the unsubscribe link in the footer
• Or contact privacy@varisymo.com to be removed from all marketing lists
• Opting out does not affect transactional or security communications

Right to Object / Restrict Processing

If you believe we are processing your data unlawfully or wish to restrict certain processing activities, contact privacy@varisymo.com. We will respond within 10 business days.

Cookies & Tracking

Strictly Necessary Cookies

These cookies are required for the platform to function and cannot be disabled:

• Session cookie — keeps you logged in during your session
• CSRF token — protects against cross-site request forgery attacks
• Load balancer cookie — ensures your requests are routed to the correct server

Analytics Cookies

We use first-party analytics to understand how the platform is used. These cookies:

• Collect anonymised, aggregated data only
• Do not track you across other websites
• Can be disabled in your browser settings or via our cookie preference centre

No Advertising Cookies

VCloud does not use any third-party advertising or tracking cookies. We do not participate in cross-site tracking networks.

Data Retention

We retain your data only for as long as necessary:

• Account data — retained while your account is active, deleted within 30 days of account deletion
• Application logs — retained according to your configured retention policy (default: 30 days)
• Billing records — retained for 7 years for legal and tax compliance
• Security logs — retained for 12 months for incident investigation
• Anonymised analytics — retained indefinitely (not linked to your identity)

Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes:

• Registered users will be notified by email at least 14 days before the change takes effect
• The "Last updated" date at the top of this page will be updated
• A summary of changes will be included in the notification email
• Continued use of VCloud after the effective date constitutes acceptance of the updated policy

For minor changes (e.g. clarifications that do not affect your rights), we may update the policy without prior notice.

Contact & Questions

Data Controller

Kamasi, Inc. is the data controller for all personal data processed through VCloud.

• Incorporated in Delaware, USA
• EU Representative: available on request for GDPR purposes

Reach Us

For urgent security concerns, please use security@varisymo.com.