WhatPricingSecurityLearn
Start Free Trial →

Last updated: March 2026

Privacy Policy

1. Introduction

Varsal Pty Ltd ("Varsal", "we", "us", or "our") operates the Varsal analytics platform at varsal.app. We are an Australian company based in Brisbane, Queensland.

This Privacy Policy explains what information we collect from you when you use Varsal, how we use and protect that information, and the choices you have. It applies to all users of varsal.app and any associated services.

We are committed to protecting your privacy and handling your data transparently. We collect only what we need to provide a fast, reliable analytics dashboard for your business, and we never sell your personal information.

2. Information We Collect

We collect three categories of information:

Account Information

  • Your name and email address, provided during signup.
  • A hashed version of your password (we never store passwords in plaintext).
  • Your organisation name, logo, country, and website if you provide them during setup.
  • Billing information processed through Stripe (we do not store your full card number).

Usage Data

  • Pages you visit and features you use within the dashboard.
  • Device type, browser type, operating system, and screen resolution.
  • IP address and approximate geographic location derived from it.
  • Timestamps of your activity (login times, session duration).

Integration Data

  • API credentials you provide to connect third-party services (e.g. RevenueCat, Stripe, Firebase, Apple App Store Connect, Google Play Console).
  • Data returned by those services when we query them on your behalf, such as revenue figures, subscriber counts, download numbers, and usage metrics.
  • Configuration details for each integration (e.g. package names, project IDs).

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the service: Fetching data from your connected integrations, generating charts, metrics, and dashboards, and saving your layout preferences.
  • Account management: Authenticating your identity, managing your subscription and billing through Stripe, and enforcing trial periods.
  • Transactional emails: Sending you essential communications such as signup confirmations, password resets, billing receipts, and subscription status changes. We do not send marketing emails without your consent.
  • Product improvement: Understanding which features are used most to prioritise development, identifying and fixing bugs, and improving performance.
  • Support: Responding to your questions and help requests.
  • Security: Detecting and preventing fraud, abuse, and unauthorised access to accounts.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties.

We may share limited information with the following categories of service providers, solely to operate and deliver Varsal:

  • Supabase — Database hosting and authentication. Your account data and encrypted integration credentials are stored in Supabase's PostgreSQL infrastructure.
  • Vercel — Application hosting and edge delivery. Vercel processes your HTTP requests and serves the Varsal application.
  • Stripe — Payment processing. Stripe receives your billing details to process subscription payments. We do not have access to your full card number.

We may also disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your information becomes subject to a different privacy policy.

5. Connected Integrations Data

This section is particularly important because Varsal connects to your third-party business tools. Here is exactly how we handle that data:

  • Encryption: All integration credentials (API keys, secret keys, access tokens) are encrypted at rest using AES-256-GCM encryption before being stored in our database. Encryption keys are managed separately from the database and are never stored alongside your credentials.
  • Read-only access: Varsal only requests read-only permissions from your connected services. We never create, modify, or delete data in your third-party accounts.
  • Data processing: When we fetch data from your integrations, we process the API responses to extract the metrics displayed on your dashboard. Raw API responses are not permanently stored — we process them in memory and display the results.
  • Disconnect at any time: You can disconnect any integration from your Settings page at any time. When you disconnect an integration, we delete the stored credentials immediately.
  • No third-party sharing: We never share your integration data with other companies, advertisers, or any third party. Your business metrics stay between you and Varsal.
  • Server-side only: Your integration credentials are decrypted server-side only to make API requests on your behalf. They are never sent to or accessible from the browser.

6. Cookies and Tracking

Varsal uses a minimal set of cookies, strictly for functional purposes:

  • Session cookies: We use cookies set by Supabase Auth to maintain your login session. These are essential for the application to function and cannot be disabled while using Varsal.
  • No third-party tracking: We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts on the dashboard.
  • No advertising cookies: We do not serve ads and do not set any cookies for advertising or retargeting purposes.
  • No cross-site tracking: We do not track your activity across other websites.

7. Data Security

We take the security of your data seriously and implement multiple layers of protection:

  • Encryption at rest: Integration credentials are encrypted using AES-256-GCM. Database contents are encrypted at rest by our infrastructure provider.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
  • Row Level Security: Our database enforces Row Level Security (RLS) policies, ensuring that each organisation can only access its own data. Even if there were a bug in our application code, the database itself prevents cross-tenant data access.
  • Environment isolation: Secrets and environment variables are isolated per deployment environment and are never committed to source control.
  • Regular audits: We conduct regular dependency audits and security reviews of our codebase and infrastructure.

While no system can guarantee absolute security, we are committed to following industry best practices and promptly addressing any vulnerabilities that are discovered.

8. Data Retention

  • Account data: We retain your account information (name, email, organisation details) for as long as your account is active. If you delete your account, we will remove your personal information within 30 days.
  • Integration credentials: Stored only while the integration is connected. Deleted immediately when you disconnect an integration or delete your account.
  • Integration data: Data fetched from your integrations is processed for dashboard display and is not permanently retained. We do not maintain a historical archive of your raw integration data.
  • Dashboard layouts: Your custom dashboard configurations are stored while your account is active and deleted with your account.
  • Usage logs: Server logs containing usage data are retained for up to 90 days for debugging and security purposes, then automatically deleted.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: You can request a copy of the personal information we hold about you.
  • Correction: You can ask us to correct any inaccurate or incomplete personal information.
  • Deletion: You can request that we delete your personal information. You can also delete your account directly, which will remove your data within 30 days.
  • Data export: You can request an export of your personal data in a structured, machine-readable format.
  • Restrict processing: You can ask us to restrict how we process your personal information in certain circumstances.
  • Object to processing: You can object to our processing of your personal information where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please email us at privacy@varsal.app. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

If you are located in the European Union, you also have the right to lodge a complaint with your local data protection authority. If you are located in Australia, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. International Transfers

Varsal is operated from Australia. However, to provide our service, your data may be processed by our service providers in other countries, including the United States and the European Union:

  • Supabase may process and store data in the United States or other regions depending on your project configuration.
  • Vercel operates a global edge network and may process requests in multiple regions.
  • Stripe processes payment data in the United States.

Where your data is transferred outside of your home jurisdiction, we ensure that appropriate safeguards are in place. Our service providers maintain industry-standard security practices and, where applicable, rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure your data is protected.

11. Children's Privacy

Varsal is a business analytics tool designed for founders and professionals. Our service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at privacy@varsal.app.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last updated" date at the top of this page.
  • For material changes that significantly affect how we handle your data, we will notify you by email before the changes take effect.
  • Your continued use of Varsal after any changes to this policy constitutes your acceptance of the updated terms.

We encourage you to review this page periodically to stay informed about how we protect your information.

13. Contact Us

If you have any questions about this Privacy Policy, your personal information, or our privacy practices, please contact us:

Varsal Pty Ltd

Brisbane, Queensland, Australia

privacy@varsal.app

We aim to respond to all privacy-related enquiries within 30 days.