Vari — Privacy Policy

Draft v0.4 · Drafted 2026-04-18 · Requires legal review before publication
Effective date: 2026-04-18
Last updated: 2026-04-18


1. Introduction

This Privacy Policy explains what personal data Vari — operated by WebMobi (Mendios Technologies) ("Vari", "we", "us") — collects about you, how we use it, who we share it with, and what rights you have over it. It applies to:

  • our website at https://getvari.app (the "Website");
  • the Vari iOS app (and Android app when launched) (the "App");
  • our marketing emails, transactional emails, and weekly newsletter; and
  • anywhere else we point you to this Policy.

This Policy is part of, and should be read together with, our Terms of Use. If you do not agree with this Policy, please do not use Vari.

We try to write this in plain English. Where we use a term that has a specific legal meaning (for example, "personal data" under GDPR or "personal information" under CCPA), we use it in the sense the law gives it. If something is unclear, email us at support@getvari.app.


2. TL;DR

If you only read one section, read this:

  • We collect what's needed to give you a hydration plan and the app features you ask for. That's mainly: email, age, weight, activity level, the drinks you log, and (if you grant permission) data from Apple Health or Google Health Connect.
  • We never sell your personal data. Period.
  • We never use your health data for advertising. Period.
  • We share only what's necessary with service providers (listed in §10) who help us run Vari — database, email delivery, analytics, payments.
  • You can see, download, correct, or delete your data at any time. Instructions in §13.
  • We are based in India but design our practices to align with global privacy standards, including GDPR, CCPA, and India’s DPDP Act.
  • If you're under 13, don't create a Vari account. A parent can add a profile for a child under 13 within the Vari+ Family tier — see §8.

3. Who is responsible for your data

The data controller (the entity that decides what data is collected and how it is used) is:

WebMobi (Mendios Technologies)

  • US office: 10685-B Hazelhurst Dr. #42794, Houston, TX 77043, USA
  • India office: Unit 101, Oxford Towers, 139, HAL Old Airport Rd, Kodihalli, Bengaluru, Karnataka 560008

Contact: support@getvari.app
Grievance Officer: see §16


4. What personal data we collect

The data we collect depends on how you interact with Vari.

4.1 Visitors to the Website (not signed in)

When you browse getvari.app without an account, we collect:

  • Your IP address and approximate location (country / city-level), derived from your IP;
  • Device and browser details (operating system, browser version, screen size, language);
  • Behavioural data (pages visited, referrer, time on page, buttons clicked) via cookies and our analytics provider;
  • Calculator inputs if you use one of our calculators (weight, age, activity level, etc.) — these are held in your browser and only sent to our servers if you save the result or enter an email;
  • Email address and optionally name if you subscribe to our newsletter, join the waitlist, or save a calculator result.

4.2 Registered Users

When you create a Vari Account, we collect:

  • Account identity: email address, name (optional), profile photo if you upload one, Vari-assigned user ID, authentication timestamps;
  • Profile data: age, biological sex, weight, height, activity level, health conditions (if you choose to enter them), wake and sleep times, caffeine habits, daily goal preferences;
  • Hydration data: drink logs (type, amount, timestamp), daily goals, streaks, Flow Score inputs and outputs;
  • Device and app telemetry: app version, operating system, device model, push-notification tokens, last active timestamps, crash reports;
  • Usage data: screens visited, features used, A/B test assignments;
  • Payment data: managed by the respective platform (App Store, Play Store, Razorpay, PayPal). We receive a subscription status and entitlement (via RevenueCat) but we do not see or store your full card number or bank details — those stay with the payment processor;
  • Apple Health data (iOS only, with your explicit permission): the specific health metrics you authorise — typically water intake, body weight, active energy, heart-rate variability, sleep analysis;
  • Google Health Connect data (Android, future — with your explicit permission): same categories as above, via Google's Health Connect framework;
  • Saved calculator results: any result you chose to save to your account;
  • Communication history: emails you open or click, support conversations.

4.3 Family Members (Vari+ Family tier)

If you are invited to a household:

  • We collect the same data as for a Registered User (§4.2).
  • We additionally store the household_id that links your Account to the household.
  • The Household Owner can see aggregated summary information about you (e.g. "total intake today," "did they meet their goal today"). The Owner cannot see your individual drink logs or granular data unless you explicitly share them.

If you are added to a household as a no-email profile (typically a child or elderly member whose drinks are logged by the Household Owner):

  • We store the profile's display name, age, role, weight, and goal.
  • We store the hydration logs entered on your behalf by the Household Owner.
  • We do not collect data directly from you — we only know what the Household Owner enters.
  • The profile is part of the Household Owner's Account. Deleting that Account also removes the profile.

5. How we use your data

We use your data for the following purposes. Where it matters for GDPR, we also state the legal basis.

| Purpose | What we do | Legal basis (EEA/UK) |
|---|---|---|
| Provide the core Services | Authenticate you, run calculations, show your history, send reminders, sync Apple Health | Performance of a contract |
| Personalise your experience | Recommend daily goals, adjust reminders to your schedule, tailor insights | Performance of a contract + legitimate interests |
| Family household management | Link Members to a household, enforce the 6-seat cap, deliver summary views | Performance of a contract |
| Process payments | Manage subscription entitlements via RevenueCat + payment processors | Performance of a contract + legal obligation |
| Product improvement | Detect bugs, understand which features are used, run A/B tests | Legitimate interests |
| Customer support | Respond to your questions, investigate complaints | Performance of a contract + legitimate interests |
| Security and fraud prevention | Detect abusive accounts, rate-limit sign-ins, investigate incidents | Legitimate interests + legal obligation |
| Send transactional emails | Confirm signups, deliver OTPs, notify you of subscription changes | Performance of a contract |
| Send the weekly newsletter + drip campaign | Educate you about hydration, remind you of your goals, nudge you to install the app | Consent (you opt in; you can opt out any time) |
| Legal compliance | Respond to lawful requests, satisfy tax and accounting obligations | Legal obligation |
| Defend legal claims | Establish, exercise, or defend against legal claims | Legitimate interests |
| AI-powered insights (future) | Generate personalised coaching via OpenAI API, with your opt-in | Consent |

Where we rely on legitimate interests as a legal basis, we do so only where such interests are not overridden by your data protection rights. We consider the nature of the data, the context in which it is collected, and your reasonable expectations when using the Services. You have the right to object to processing based on legitimate interests at any time (see §13).


6. Health data (special category)

Hydration data, body weight, heart rate, sleep, and related health metrics are "special categories of personal data" under GDPR (Article 9) and receive extra protection.

We process special category data only with your explicit consent. You give that consent:

  • when you create your profile and enter health information;
  • when you enable Apple Health or Google Health Connect integration and select the specific data types Vari can read;
  • when you explicitly turn on a feature that uses health data.

You may withdraw consent at any time:

  • Profile data — edit or delete your profile fields.
  • Apple Health / Health Connect — revoke access in the Health app (iOS) or Health Connect settings (Android). Vari will stop reading new data immediately.
  • Special-category data already collected — request deletion per §13.

Withdrawing consent may limit the functionality of some features.


7. Apple Health and Google Health Connect

We treat HealthKit (iOS) and Health Connect (Android) data with specific care as required by Apple and Google. Specifically:

  • We only read the data types you explicitly authorise.
  • We do not use HealthKit or Health Connect data for:
    • advertising or advertiser measurement;
    • marketing to you or to any third party;
    • selling or renting to any third party;
    • any purpose other than to provide you the health-and-fitness features you requested.
  • We do not share HealthKit or Health Connect data with our third-party service providers except when strictly necessary to provide the feature you requested (for example, syncing your drink log with Apple Health so your own Health app shows it).
  • We do not share HealthKit or Health Connect data with third parties for advertising, marketing, or data brokerage purposes. We may store such data securely with our service providers solely to provide and improve the Services.
  • If you delete your Account, we delete associated HealthKit / Health Connect data from our systems within 30 days (subject to the retention exceptions in §12).


8. Children's data

8.1 Under 13: do not create a Vari Account

Vari is not intended for children under 13 as independent users. We do not knowingly collect personal data directly from children under 13. If we learn we have collected data from a child under 13 without verifiable parental consent, we will delete it promptly.

Parents who believe their child under 13 has provided us with personal data should contact support@getvari.app.

8.2 Children in the Family tier

In the Vari+ Family tier, a parent or legal guardian ("Owner") can add a child's profile to the household. Two pathways:

  • No-email child profile. For child profiles created without an email address, the parent or legal guardian provides and manages the information on behalf of the child.

    Such information relates to the child but is collected and controlled by the parent or guardian, who is responsible for providing consent and managing the child's data within the Service. We process such data only to provide household hydration tracking features and do not knowingly collect data directly from children without parental involvement.

  • Child with their own email (13-17). The child accepts an invite and creates their own Account. The Owner must confirm that consent to our processing of the child's data has been given by a parent or guardian. Both sets of Terms apply.

8.3 Ages 13-17

Teen Accounts are subject to the same privacy rights as adults plus any additional protections applicable in the user's jurisdiction. We do not permit targeted advertising to users we know to be under 18.


9. Cookies, local storage, and similar technologies

9.1 What we use

  • Essential cookies — required for sign-in, CSRF protection, and session continuity. Cannot be disabled without breaking the Website.
  • Preference cookies — remember your language, theme, and dashboard tab selection.
  • Analytics cookies — Mixpanel, via a client-side SDK, to understand aggregate usage.
  • Local storage — to cache calculator inputs before you save them so you don't lose them on a refresh.

9.2 Third-party cookies

Our embedded third-party scripts (e.g. Sentry, Mixpanel) may set their own cookies for crash reporting and analytics. These providers act as our processors and are bound by the service agreements referenced in §10.

9.3 Do Not Track and global privacy signals

We honour the Global Privacy Control (GPC) signal — if your browser sends it, we treat it as an opt-out of analytics and marketing cookies. We do not respond to the legacy DNT header.

9.4 Managing cookies

Your browser lets you block or delete cookies. If you block essential cookies, sign-in will not work.


10. Who we share data with

We share personal data only with the service providers and parties listed below, and only for the purposes described.

10.1 Service providers (data processors)

| Provider | Purpose | Data they see | Region |
|---|---|---|---|
| Supabase Inc. | Primary database, authentication, storage | All personal + profile + hydration data | US (primary region) |
| Vercel Inc. | Website hosting + serverless compute | Request logs, IP addresses | Global CDN, US primary |
| Amazon Web Services (SES) | Transactional + newsletter email delivery | Email addresses, email content | US |
| RevenueCat Inc. | Subscription + entitlement management | Anonymous app user ID, subscription status | US |
| Apple Inc. | App Store billing, push notifications, Sign in with Apple | Whatever Apple collects per its own policy | US + global |
| Google LLC | Play Store billing (Android), Sign in with Google | Whatever Google collects per its own policy | US + global |
| Razorpay Software Private Limited | Web payments for Indian users (when live) | Cardholder name, billing address, card token | India |
| PayPal Holdings, Inc. | Web payments for international users (when live) | PayPal account, billing details | US + EU |
| Sentry (Functional Software, Inc.) | Crash reporting, error monitoring | Exception stacks, device info, user-ID tag | US + EU |
| Mixpanel, Inc. | Product analytics | Anonymous user ID, event timestamps, feature usage | US |
| OpenAI, L.L.C. (when AI features ship) | Generate AI coaching insights | The specific prompt + context we send | US |

Each processor has agreed, by contract, to process data only on our instructions and to maintain privacy and security protections consistent with this Policy and applicable law.

10.2 Legal disclosures

We may disclose data when legally required:

  • in response to a valid subpoena, warrant, or court order;
  • to comply with a regulatory inquiry;
  • to protect the rights, property, or safety of Vari, our users, or the public;
  • to prevent fraud, abuse, or security incidents;
  • to respond to a governmental request affecting national security or law enforcement, where legally required.

Where legally permitted, we will notify you before complying with a disclosure request.

10.3 Business transfers

If Vari is involved in a merger, acquisition, investment, reorganisation, or asset sale, your data may be transferred as part of that transaction. We will notify you (by email or in-app banner) before your data becomes subject to a different Privacy Policy.

10.4 What we never do

  • We never sell your personal data under any jurisdiction's definition of "sell" (including CCPA's broad definition).
  • We never share your health data for third-party advertising.
  • We never allow third-party advertising networks to place cookies on our site.

11. International data transfers

We and our service providers may process your data in countries outside your country of residence.

Where required by applicable law, we use appropriate safeguards for international data transfers, such as standard contractual clauses approved by relevant authorities or equivalent mechanisms.

We will update our practices as required to comply with evolving data protection laws, including India's Digital Personal Data Protection Act.


12. How long we keep your data

| Data type | Retention |
|---|---|
| Account data (email, profile, hydration logs) | Deleted within 30 days of account deletion; backups may persist for up to 7 days before automatic removal |
| Payment records | 7 years from the transaction date, for tax + audit compliance |
| Crash reports (Sentry) | 90 days |
| Analytics events (Mixpanel) | 5 years (aggregated), 180 days (identifiable) |
| Marketing opt-in records | Until you unsubscribe + 3 years (to prove consent) |
| Transactional email logs | 2 years |
| Legal-hold data | For the duration of the legal hold |
| Anonymised, aggregated statistics | Indefinitely |

When you delete your Account, we begin deletion within 30 days and complete it within 90 days, subject to the retention exceptions above.


13. Your rights

You have rights over your personal data. The exact rights depend on the jurisdiction that applies to you, but regardless of jurisdiction, Vari supports the following baseline:

13.1 Baseline rights (all users)

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix inaccurate or incomplete data.
  • Deletion — ask us to delete your data.
  • Portability — receive a machine-readable copy of your data you can move elsewhere.
  • Unsubscribe from marketing — one-click unsubscribe in every marketing email.

13.2 EEA, UK, Switzerland (GDPR)

In addition to the baseline, you have the right to:

  • restrict processing of your data in specific circumstances;
  • object to processing based on legitimate interests, including profiling;
  • withdraw consent at any time, without affecting the lawfulness of processing before withdrawal;
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects about you;
  • lodge a complaint with your local data-protection authority.

13.3 California (CCPA + CPRA)

In addition to the baseline, you have the right to:

  • know what categories of personal information we have collected, sold, or shared (we do not sell, see §10.4);
  • opt out of sharing for cross-context behavioural advertising (we do not engage in this);
  • limit the use of "sensitive personal information" (for health-data purposes, Vari already treats this as opt-in);
  • non-discrimination for exercising your rights.

13.4 India (DPDP Act 2023)

In addition to the baseline, you have the right to:

  • nominate another person to exercise your rights in the event of your death or incapacity;
  • grievance redressal through our Grievance Officer (§16).

13.5 How to exercise rights

Email support@getvari.app from the address on your Account and describe what you want. We will:

  • acknowledge within 3 business days;
  • verify your identity (usually by confirming access to the email on file);
  • respond within the timeline the law requires — generally 30 days (GDPR, CCPA) or 45 days (DPDP).

If you cannot reach us by email, you can also write to us at either of our offices (US or India) listed in §3.

If we refuse a request (for example, because retaining the data is required by law), we will tell you why.


14. Security

We use commercially reasonable technical and organisational safeguards designed to protect your data from unauthorised access, use, alteration, or disclosure. These include:

  • TLS 1.2+ encryption for all data in transit;
  • encryption at rest for the database;
  • scoped access controls — most employees cannot access personal data at all; those who can are logged;
  • two-factor authentication for employee accounts;
  • Row-Level Security policies in Supabase so one user cannot access another's data via the API;
  • rate-limiting and honeypot checks on sign-up, OTP, and save-result endpoints;
  • regular reviews of our third-party processors' security posture.

No system is perfectly secure. If we learn of a data breach that affects your personal data, we will notify you and the relevant regulator as required by law — for GDPR, within 72 hours of becoming aware of the breach.

Please help us keep your Account safe:

  • use a strong, unique email password;
  • don't share your OTP codes;
  • sign out on shared devices;
  • report suspicious activity to support@getvari.app.

15. Automated decision-making + AI

Today, Vari makes automated calculations (e.g. your daily water target based on your weight and activity). These calculations are not "automated decision-making with legal or similarly significant effects" under GDPR Article 22 — they are informational guidance you can ignore.

AI-generated outputs are advisory in nature and do not result in decisions that produce legal or similarly significant effects.

When we ship AI-powered coaching insights (via a third-party AI provider such as OpenAI), the AI's output is likewise informational. You will always be able to:

  • request information about how the AI feature uses your data;
  • opt out of AI features without losing core Vari functionality;
  • request human review of any AI output (email support@getvari.app).

16. Grievance Officer

Under the Information Technology Act 2000, the Digital Personal Data Protection Act 2023, and related rules applicable to Indian users, our Grievance Officer is:

  • Name: Sachin Anand
  • Email: support@getvari.app
  • Address: Unit 101, Oxford Towers, 139, HAL Old Airport Rd, Kodihalli, Bengaluru, Karnataka 560008, India
  • Response time: acknowledgement within 48 hours; resolution within 15 days.

If you are unsatisfied with the resolution, you may escalate to the Data Protection Board of India under the DPDP Act.


17. Changes to this Policy

We may update this Policy from time to time. When we do:

  • we update the "Last updated" date at the top;
  • for material changes (new data categories, new processors, new purposes, changes to your rights), we will notify you at least 14 days before the change takes effect, by email and/or in-app banner, where required by law;
  • for non-material changes (typos, reformatting, editorial), the revised version takes effect as soon as it is posted.

The prior version remains available at https://getvari.app/privacy-policy/archive/[version] for 12 months after it is superseded.


18. Contact

General privacy inquiries

support@getvari.app

Data subject rights

support@getvari.app (include your registered email address in the body of the request)

Security concerns or suspected breaches

support@getvari.app

Grievance Officer (if India-incorporated)

See §16

Postal mail

WebMobi (Mendios Technologies)
US: 10685-B Hazelhurst Dr. #42794, Houston, TX 77043, USA
India: Unit 101, Oxford Towers, 139, HAL Old Airport Rd, Kodihalli, Bengaluru, Karnataka 560008