Privacy Policy

Effective Date: February 1, 2026  ·  Last Updated: February 14, 2026

1. Introduction

VARL Inc. (“VARL,” “we,” “us,” or “our”) is committed to protecting the privacy and security of all individuals and entities that interact with our platform, website, API, services, and related products (collectively, the “Services”). This Privacy Policy describes how we collect, use, store, disclose, and protect your personal information when you access or use our Services, visit our website at varl.com, or otherwise engage with us.

By accessing or using any part of our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any provision of this policy, you must discontinue use of the Services immediately. This policy applies to all users, including but not limited to individual researchers, institutional partners, API consumers, investors, job applicants, and casual visitors.

This Privacy Policy is governed by and shall be construed in accordance with the laws of the State of Delaware, United States, and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and other applicable data protection legislation in jurisdictions where we operate.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account, submit a form, request API access, apply for a position, or otherwise communicate with us, you may provide us with the following categories of personal information:

  • Full legal name, title, and professional affiliation
  • Email address, phone number, and mailing address
  • Employer or institutional name, department, and role
  • Payment and billing information (processed through PCI DSS-compliant third-party processors)
  • Government-issued identification numbers where required by law or regulation
  • Research proposals, project descriptions, and technical specifications submitted through our partnership or API access request forms
  • Correspondence, feedback, support tickets, and any other information you voluntarily transmit to us

2.2 Information Collected Automatically

When you interact with our Services, we automatically collect certain technical and usage information through cookies, server logs, and similar technologies, including but not limited to:

  • IP address, browser type and version, operating system, and device identifiers
  • Pages visited, time spent on each page, click patterns, and navigation paths
  • Referring URL, search terms used to reach our website, and exit pages
  • API call metadata, including endpoints accessed, request timestamps, response codes, and usage volume
  • Geolocation data derived from IP address (city/region level, not precise)
  • Session identifiers and authentication tokens (encrypted)

2.3 Information from Third Parties

We may receive personal information about you from third parties, including identity verification services, institutional partners who refer you to our platform, background check providers (for employment purposes only), and publicly available databases such as academic publication records and professional profiles.

2.4 Sensitive and Regulated Data

In the course of providing our Services, particularly through our API and digital twin platform, users may upload or transmit data that includes protected health information (“PHI”), genomic data, or other sensitive biological data. Such data is subject to additional protections as described in Section 7 of this policy and is processed exclusively in accordance with applicable regulatory frameworks, including HIPAA, GDPR Article 9, and relevant national biosecurity regulations.

3. How We Use Your Information

We process your personal information for the following purposes, each of which constitutes a legitimate interest or a contractual necessity, or is performed with your explicit consent:

  • Service Delivery: To provide, maintain, and improve our platform, process API requests, run simulations, deliver results, and fulfill our contractual obligations to you or your organization.
  • Account Management: To create and manage your account, authenticate your identity, process access requests, and maintain records of your service usage.
  • Communication: To respond to your inquiries, send service-related notices, provide technical support, and deliver updates about changes to our Services or policies.
  • Security and Compliance: To detect, prevent, and investigate fraud, unauthorized access, security breaches, and other potentially illegal or prohibited activities. To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
  • Research and Development: To conduct internal research, analyze usage patterns, improve our algorithms, and develop new features and services. Aggregated and de-identified data may be used for these purposes.
  • Legal Obligations: To comply with tax, accounting, reporting, and audit requirements, and to establish, exercise, or defend legal claims.
  • Employment: To evaluate job applications, conduct background checks (with consent), and manage the recruitment process.

4. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area, the United Kingdom, and Switzerland, our legal bases for processing personal data are:

  • Contractual Necessity (Article 6(1)(b)): Processing necessary to perform our contract with you or to take steps at your request before entering into a contract.
  • Legitimate Interest (Article 6(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, and direct marketing, provided such interests are not overridden by your fundamental rights.
  • Consent (Article 6(1)(a)): Where you have given clear, affirmative consent to the processing of your personal data for specific purposes. You may withdraw consent at any time.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with a legal obligation to which we are subject.
  • Vital Interests (Article 6(1)(d)): In rare circumstances, processing necessary to protect the vital interests of you or another natural person.

5. Information Sharing and Disclosure

VARL does not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information only in the following limited circumstances:

  • Service Providers: We engage vetted third-party service providers to perform functions on our behalf, including cloud infrastructure (data hosting and computation), payment processing, email delivery, analytics, and customer support. These providers are contractually bound to process your data only as instructed by us and to maintain appropriate security measures.
  • Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal information may be transferred as part of the transaction. We will notify you via prominent notice on our website of any change in ownership or uses of your personal information.
  • With Your Consent: We may share your information with third parties when you have given us explicit consent to do so for a specific purpose.
  • Aggregated Data: We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. Such data is not subject to this Privacy Policy.

Under no circumstances will VARL share, disclose, or provide access to partner-specific proprietary data, biological datasets, simulation results, or research outputs to any third party without the express written authorization of the data owner. This includes affiliated entities, investors, and governmental bodies unless compelled by valid legal process.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

  • Account Data: Retained for the duration of your active account plus 3 years following account closure or last activity, whichever is later.
  • API Usage Logs: Retained for 24 months from the date of the request, unless a longer retention period is required by law or regulation.
  • Financial Records: Retained for 7 years in accordance with applicable tax and accounting regulations.
  • Employment Applications: Retained for 2 years following the conclusion of the recruitment process, or longer if required by applicable employment law.
  • Research and Biological Data: Retained in accordance with the terms of the applicable Data Processing Agreement (DPA) or Business Associate Agreement (BAA). In the absence of such agreement, data is retained for the duration of the research engagement plus 5 years.
  • Cookie and Analytics Data: Retained for a maximum of 13 months from collection.

Upon expiration of the applicable retention period, personal information is securely deleted or irreversibly anonymized. You may request earlier deletion subject to the provisions of Section 8.

7. Security of Biological and Health Data

VARL processes certain categories of data that are subject to heightened regulatory protection, including protected health information (PHI) under HIPAA, special categories of personal data under GDPR Article 9, and genomic data subject to the Genetic Information Nondiscrimination Act (GINA) and equivalent international legislation. The following additional safeguards apply to such data:

  • All biological and health data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
  • Access to sensitive data is governed by role-based access controls (RBAC) with mandatory multi-factor authentication.
  • All access events are logged in immutable audit trails that are retained for a minimum of 6 years.
  • Biological data is processed in isolated compute environments that are logically and, where required, physically separated from other workloads.
  • De-identification and pseudonymization techniques are applied wherever possible to minimize re-identification risk.
  • VARL maintains a comprehensive incident response plan specifically designed for biological data breaches, with notification timelines that meet or exceed regulatory requirements (72 hours under GDPR, 60 days under HIPAA).
  • Partners processing PHI through our platform are required to execute a HIPAA-compliant Business Associate Agreement prior to data transmission.

VARL undergoes annual SOC 2 Type II audits and maintains ISO 27001 certification for its information security management system. Audit reports are available to partners and regulators upon request under NDA.

8. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Right of Access: You may request a copy of the personal data we hold about you, including the purposes of processing and the categories of recipients.
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to our legal obligations and legitimate interests. Certain data cannot be deleted where retention is required by law.
  • Right to Restriction: You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: You may object to processing based on legitimate interests, including profiling and direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, please contact us at privacy@varl.com. We will respond to all legitimate requests within 30 days. We may request verification of your identity before processing your request.

9. International Data Transfers

VARL operates globally and may transfer your personal information to countries other than the one in which you reside. When we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary measures where required, and, where applicable, binding corporate rules.

For transfers to the United States, VARL relies on the EU-U.S. Data Privacy Framework and, where that framework does not apply, SCCs with additional technical and organizational safeguards. You may request a copy of the applicable transfer mechanism by contacting privacy@varl.com.

10. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience, analyze usage patterns, and deliver relevant content. We use the following categories of cookies:

  • Strictly Necessary: Required for the website to function. These cannot be disabled. They include session management, authentication, and security cookies.
  • Analytics: Help us understand how visitors interact with our website by collecting and reporting aggregated information. We use these to improve site performance and content.
  • Functional: Enable enhanced functionality and personalization, such as remembering your preferences and settings.

We do not use advertising or marketing cookies. We do not participate in cross-site tracking, real-time bidding, or behavioral advertising networks. You may manage your cookie preferences through your browser settings or through the cookie preference center accessible from any page of our website. For more details, please see our Cookie Policy.

11. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to delete that information immediately. If you believe we have inadvertently collected such information, please contact us at privacy@varl.com.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • The right to know what personal information we collect, use, disclose, and sell.
  • The right to delete personal information we have collected from you, subject to certain exceptions.
  • The right to opt out of the sale or sharing of personal information. VARL does not sell personal information.
  • The right to correct inaccurate personal information.
  • The right to limit the use and disclosure of sensitive personal information.
  • The right to non-discrimination for exercising your privacy rights.

To exercise these rights, please contact us at privacy@varl.com or submit a request through our website. We will verify your identity before processing your request and respond within 45 days.

13. Third-Party Links

Our Services may contain links to third-party websites, services, or applications that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit. The inclusion of a link does not imply endorsement.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting a prominent notice on our website and updating the “Last Updated” date at the top of this page. For material changes that significantly affect your rights, we will provide additional notice via email to the address associated with your account. Your continued use of the Services after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.

15. Limitation of Liability

To the maximum extent permitted by applicable law, VARL shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or related to your use of the Services, any data breach caused by circumstances beyond our reasonable control, or any unauthorized access to your data resulting from your failure to maintain the confidentiality of your account credentials. Our total liability for any claim arising under this Privacy Policy shall not exceed the amount you have paid to VARL in the twelve (12) months preceding the claim.

16. Governing Law and Dispute Resolution

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to binding arbitration administered by the American Arbitration Association in accordance with its Commercial Arbitration Rules. The arbitration shall take place in Wilmington, Delaware, and the language of the arbitration shall be English. The arbitrator's decision shall be final and binding, and judgment may be entered thereon in any court of competent jurisdiction.

Nothing in this section shall prevent either party from seeking injunctive or other equitable relief from a court of competent jurisdiction where necessary to protect its rights or property pending the outcome of arbitration.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Data Protection Officer: VARL Inc. — Legal Department
  • Email: privacy@varl.com
  • Mailing Address: VARL Inc., 1209 Orange Street, Wilmington, DE 19801, United States
  • EU Representative: VARL EU Representative, to be appointed pursuant to GDPR Article 27

This Privacy Policy constitutes the entire agreement between you and VARL with respect to the subject matter hereof and supersedes all prior or contemporaneous communications, representations, or agreements, whether oral or written, with respect to such subject matter.