Privacy Policy

1. Introduction

Varanic LLC operates the Varanic platform, an institutional-grade counterparty credit monitoring and financial analysis solution designed for financial institutions, credit professionals, and institutional investors. Our platform processes sensitive financial data, including customer-uploaded financial statements and publicly available regulatory filings, to deliver credit risk assessments, portfolio analytics, and compliance reporting capabilities.

This Privacy Policy applies to all individuals and entities that access or use the Service, including account administrators, end users within organizational accounts, and visitors to our website. It covers the information we collect through the Service, our website, email communications, and any other interactions you may have with Varanic. This Policy does not apply to third-party websites, services, or applications that may be linked to or integrated with the Service, each of which is governed by its own privacy policy.

We recognize that the financial data processed through our platform is among the most sensitive categories of business information. Our commitment to privacy is foundational to the trust our customers place in us, and we have designed our platform architecture, security controls, and data handling practices to reflect the heightened duty of care that this data demands. We encourage you to read this Privacy Policy carefully to understand our practices regarding your information and how we will treat it.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with the practices described herein, you must discontinue use of the Service immediately.

2. Information We Collect

We collect information from and about you in the course of providing the Service. The categories of information we collect depend on how you interact with the platform and the features you use. Below we describe each category in detail.

2.1 Account Information

When you register for an account or are provisioned as a user within an organizational account, we collect information necessary to create and maintain your account. This includes your full name, business email address, organization name, job title or role within your organization, and a cryptographically hashed version of your password. We never store plaintext passwords. For organizational accounts, we also collect information about the account administrator and the role-based permissions assigned to each user (such as admin, user, or viewer designations).

2.2 Financial Data

The core function of the Service involves processing financial data that you upload or otherwise provide to the platform. This includes financial statements such as balance sheets, income statements, and cash flow statements; supporting schedules and notes; debt covenants and loan documentation; and any other financial documents you choose to upload for analysis. This Customer Data may contain non-public financial information about your counterparties, borrowers, or portfolio companies. We treat all customer-uploaded financial data as confidential and process it strictly in accordance with this Privacy Policy and our Terms of Service.

2.3 SEC EDGAR Data

When you use the Service to retrieve public filings from the U.S. Securities and Exchange Commission's Electronic Data Gathering, Analysis, and Retrieval system ("SEC EDGAR"), we collect and store the filings retrieved on your behalf. This includes 10-K annual reports, 10-Q quarterly reports, 8-K current reports, and other publicly available disclosure documents. We also store the Central Index Key ("CIK") numbers associated with entities you monitor, which are used to identify filers within the EDGAR system. While SEC EDGAR data is publicly available, the specific filings you choose to retrieve and the entities you choose to monitor constitute confidential information about your business activities, and we treat this information accordingly.

2.4 Usage Data

We collect information about how you interact with the Service to improve platform performance, identify and resolve technical issues, and enhance the user experience. Usage data includes the pages and features you visit or use within the platform, search queries you enter, the frequency and duration of your sessions, the time spent on specific features or pages, the sequence of actions taken within the platform, and feature adoption metrics. We collect this data through server-side logging and do not use third-party analytics trackers for this purpose.

2.5 Technical Data

When you access the Service, we automatically collect certain technical information from your device and browser. This includes your Internet Protocol ("IP") address, browser type and version, operating system, device type and screen resolution, session tokens and authentication identifiers, referring URLs, and time zone settings. This information is used for security monitoring, session management, and to ensure the proper functioning of the Service across different devices and browsers.

2.6 Communication Data

When you contact us for customer support, submit feedback, or otherwise communicate with us, we collect the content of those communications along with associated metadata such as timestamps, the channel of communication, and any attachments you provide. This includes support requests submitted through the platform, emails sent to our support and feedback channels, and any in-product feedback or feature requests you submit. We retain communication data to provide ongoing support, track issue resolution, and improve our customer service processes.

3. How We Use Information

We use the information we collect for the specific purposes described below. We do not use your information for purposes materially different from those described in this Privacy Policy without providing you with notice and, where required by applicable law, obtaining your consent.

3.1 Providing and Maintaining the Platform

We use your account information, technical data, and session information to authenticate your identity, manage your account, enforce role-based access controls, and deliver the core functionality of the Service. This includes provisioning your account, managing organizational user hierarchies, and ensuring that each user has access only to the data and features appropriate to their assigned role.

3.2 Processing and Analyzing Financial Statements

We process the financial data you upload to the platform to perform automated and assisted spreading of financial statements, standardize data into comparable formats, calculate financial ratios and metrics, and generate analytical outputs. This processing is performed solely on your behalf and in accordance with your instructions as expressed through your use of the platform's features.

3.3 Retrieving SEC EDGAR Filings

We use CIK numbers and entity identifiers you provide to retrieve public filings from SEC EDGAR on your behalf. Retrieved filings are stored within your account for analysis and monitoring purposes. We comply with the SEC's fair access policies and rate limiting requirements when accessing EDGAR data.

3.4 AI-Powered Data Extraction and Analysis

We employ machine learning and natural language processing technologies to extract structured data from unstructured financial documents, identify material disclosures, and automate the population of analytical templates. AI-powered features process your Customer Data within the secure boundaries of our platform infrastructure. We do not use your Customer Data to train general-purpose machine learning models that would be applied across other customers' data. Any model improvements derived from usage patterns are based on aggregated, anonymized interaction data that cannot be traced back to specific customer content.

3.5 Credit Scoring and Risk Assessment

We use processed financial data to generate proprietary credit scores, risk ratings, and quantitative assessments through our scoring methodologies. These calculations are performed using the data within your account and the parameters you configure within the platform. Credit scores and risk assessments are analytical outputs provided for informational purposes and do not constitute credit ratings as defined under applicable securities regulations.

3.6 Generating Reports and Visualizations

We use your data to generate credit memos, risk reports, portfolio dashboards, trend analyses, and other visual and documentary outputs that you request through the platform. These reports are generated exclusively for your use and are accessible only to authorized users within your account.

3.7 Platform Improvement and Analytics

We use aggregated, anonymized usage data to analyze platform performance, identify areas for improvement, prioritize feature development, optimize user workflows, and conduct internal research. This analysis is performed on data that has been stripped of all identifying information and cannot be used to reconstruct individual customer activity or financial data.

3.8 Security Monitoring and Fraud Prevention

We use technical data, usage patterns, and authentication logs to detect and prevent unauthorized access, identify anomalous behavior that may indicate security threats, enforce rate limits, and maintain the overall integrity and security of the platform. This includes monitoring for brute-force attacks, credential stuffing, session hijacking, and other common attack vectors.

3.9 Communicating About the Service

We use your contact information to send you transactional communications necessary for the operation of the Service, including account verification emails, password reset notifications, security alerts, system maintenance notices, changes to our Terms of Service or this Privacy Policy, and updates regarding features relevant to your subscription tier. These communications are essential to the operation of the Service and cannot be opted out of while you maintain an active account.

4. Data Storage and Security

Protecting the confidentiality, integrity, and availability of your data is fundamental to our business. We have implemented a comprehensive security program that incorporates administrative, technical, and physical safeguards designed to protect your information against unauthorized access, disclosure, alteration, and destruction.

4.1 Multi-Tenant Data Isolation

The Varanic platform employs a multi-tenant architecture with strict logical data isolation. Every row in our database is tagged with an account identifier (account_id), and all database queries are scoped to the authenticated account. This ensures that customers cannot access, view, or modify the data of another customer through normal platform operations. Data isolation is enforced at the application layer with rigorous controls and is verified through security testing.

4.2 Encryption

All Customer Data stored within our systems is encrypted at rest using the Advanced Encryption Standard with 256-bit keys (AES-256) via encrypted storage volumes in production environments. Encryption keys are managed through cloud provider key management infrastructure. All data transmitted between your browser and our servers, as well as between internal service components, is encrypted in transit using Transport Layer Security (TLS) version 1.2 or higher, with a preference for TLS 1.3 where supported by the client. We enforce strong cipher suites and regularly update our TLS configuration in accordance with current best practices.

4.3 Access Controls

The platform implements Role-Based Access Control ("RBAC") with three primary roles: administrator, user, and viewer. Each role carries a defined set of permissions that restricts access to data and functionality to only what is necessary for the user's responsibilities. Account administrators are responsible for assigning and managing roles within their organization. Internally, Varanic employees access customer systems only on a need-to-know basis, subject to approval workflows and comprehensive audit logging.

4.4 Security Assessments

We conduct security assessments, including vulnerability scanning and code reviews, to identify and remediate potential security weaknesses. Our security practices are reviewed and updated on an ongoing basis to address evolving threats and to align with industry standards and best practices. Third-party penetration testing has been scheduled.

4.5 Backup and Recovery

Customer Data is backed up daily using automated backup procedures. Backups are encrypted and stored separately from primary production systems, with cross-region replication for geographic redundancy. Backup integrity is verified through periodic restoration testing. Backup retention and rotation schedules are described in Section 7 of this Privacy Policy.

4.6 Employee Security

Varanic conducts background checks for all employees and contractors with access to customer data or production systems prior to granting access. Employees receive security awareness training and are bound by confidentiality agreements that survive the termination of their employment. Access to production systems and customer data is granted on the principle of least privilege and is subject to regular access reviews.

5. Data Sharing

We take a restrictive approach to data sharing. We do not sell, rent, lease, or trade your personal information or Customer Data to any third party. Data is shared only with essential service providers as described below.

5.1 Service Providers

We engage a limited number of third-party service providers to assist us in operating and delivering the Service. These providers may include cloud infrastructure and hosting providers, email delivery services for transactional communications, and customer support tools. All service providers are contractually bound to process your data only in accordance with our instructions and solely for the purpose of providing services to Varanic. Service providers are prohibited from using your data for their own purposes and are subject to confidentiality obligations consistent with this Privacy Policy. We conduct due diligence on our service providers' security practices before engagement and on an ongoing basis.

5.2 Legal Requirements

We may disclose your information if we are required to do so by applicable law, regulation, legal process, or governmental request, including in response to court orders, subpoenas, or regulatory inquiries. Where legally permissible, we will provide you with prompt notice of any such disclosure so that you may seek a protective order or other appropriate remedy. We will disclose only the minimum amount of information necessary to comply with the applicable legal requirement.

5.3 Business Transfers

In the event that Varanic LLC undergoes a merger, acquisition, reorganization, sale of assets, or similar business transaction, your information may be transferred as part of that transaction. In such circumstances, we will provide you with at least thirty (30) days' notice before your information is transferred and becomes subject to a different privacy policy. You will have the opportunity to export your data and terminate your account before any such transfer takes effect.

5.4 Aggregated and Anonymized Data

We may create aggregated, anonymized, and de-identified datasets derived from platform usage patterns for the purpose of improving the Service, conducting research, and generating industry benchmarks. Such datasets are stripped of all identifying information and cannot reasonably be used to identify any individual customer, user, or counterparty. Aggregated data may be shared with third parties for research or analytical purposes, but only in a form that does not permit the identification of any specific customer or their data.

Industry benchmarks are generated only when sufficient data exists to prevent re-identification (a minimum of five contributing accounts per cohort, with no single account contributing more than 25% of data points). Only historical data older than 90 days is included. You may opt out of contributing to industry benchmarks at any time through the platform settings page. Opting out does not affect your access to the Service.

5.5 No Sharing of Individual Financial Data

Under no circumstances will we share, sell, license, or otherwise make available your individual financial data, counterparty information, credit assessments, or other Customer Data to any third party for that third party's own commercial benefit. This prohibition applies regardless of whether the third party is a financial institution, data broker, analytics provider, or any other type of entity. Your financial data belongs to you and is processed solely for the purpose of delivering the Service to you.

6. Your Rights

We believe that you should have meaningful control over the information you entrust to us. Depending on your jurisdiction, you may have certain rights regarding your personal information and Customer Data as described below. We will honor these rights regardless of your location, to the extent commercially practicable and consistent with our legal obligations.

6.1 Right of Access

You have the right to request a copy of the personal information and Customer Data we hold about you. Upon request, we will provide you with a comprehensive summary of the data categories we maintain, the purposes for which each category is processed, and the third parties (if any) with whom data has been shared. Access requests will be fulfilled within thirty (30) calendar days of receipt.

6.2 Right of Correction

You have the right to request that we correct any inaccurate or incomplete personal information we hold about you. You may update most account information directly through the platform's account settings. For corrections that cannot be made through the platform, you may submit a request as described below.

6.3 Right of Deletion

You have the right to request the erasure of your personal information and Customer Data, subject to certain exceptions. We will honor deletion requests except where retention is required to comply with a legal obligation, to complete a transaction or contract, for the establishment, exercise, or defense of legal claims, or where retention is otherwise required or permitted by applicable law. When data is deleted, we will remove it from our active systems and, within a commercially reasonable timeframe, from our backup systems.

6.4 Right of Portability

You have the right to receive your Customer Data in a structured, commonly used, and machine-readable format. The platform provides built-in export functionality that allows you to export your data at any time during the term of your subscription. Exported data is provided in standard formats such as CSV, JSON, or PDF, depending on the data type and your preference.

6.5 Right of Restriction

You have the right to request that we restrict the processing of your personal information in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you oppose deletion, where we no longer need the data but you require it for the establishment, exercise, or defense of legal claims, or where you have objected to processing pending verification of legitimate grounds.

6.6 Right of Objection

You have the right to object to the processing of your personal information where we rely on legitimate business interests as the legal basis for processing. Upon receiving an objection, we will cease processing the data for the objected purpose unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.

6.7 Right to Withdraw Consent

Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to the withdrawal. You may withdraw consent by contacting us using the information provided below or through the applicable consent management tools within the platform.

6.8 Exercising Your Rights

To exercise any of the rights described above, please submit a request to [email protected]. We will acknowledge receipt of your request within five (5) business days and will respond substantively within thirty (30) calendar days. In cases where the request is particularly complex or voluminous, we may extend the response period by an additional thirty (30) days with prior notice to you. We may require you to verify your identity before processing your request to protect against unauthorized access to your data. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request.

7. Data Retention

We retain your information only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, and to enforce our agreements. Our retention practices are designed to balance operational needs, regulatory requirements, and your privacy interests.

7.1 Active Accounts

For active accounts with current subscriptions, we retain all account information, Customer Data, and associated analytical outputs for the duration of the subscription. Data remains accessible and available through the platform throughout the subscription term. You may delete specific data items at any time through the platform's management interface, subject to any audit log retention requirements.

7.2 Terminated Accounts

Upon termination or expiration of your subscription, we provide a thirty (30) calendar day export window during which you may download your Customer Data using the platform's export functionality. Following the expiration of the export window, we will initiate deletion of your Customer Data from our active production systems. Deletion from active systems will be completed within ninety (90) calendar days of the export window closing. During the deletion period, your data will be inaccessible through the platform and will not be used for any purpose other than completing the deletion process.

7.3 Audit Logs

Comprehensive audit logs documenting user actions, data access, modifications, and system events are retained for a minimum of seven (7) years. This retention period is designed to satisfy regulatory examination requirements, support internal compliance programs, and facilitate the investigation of security incidents that may not be detected until long after they occur. Audit logs are stored in append-only tables with database-level triggers that prevent deletion or modification of log entries, and are encrypted at rest.

7.4 Backups

Encrypted backups are created daily and are retained on a thirty (30) day rolling schedule. Older backups are securely destroyed using industry-standard data destruction methods. Following account termination and the completion of the active deletion process, your data will be fully purged from backup systems within the next backup rotation cycle, not to exceed thirty (30) days.

7.5 Legal Holds

Notwithstanding the foregoing retention schedules, we may be required to preserve certain data beyond the standard retention periods in response to litigation holds, regulatory investigations, or other legal processes. In such cases, the affected data will be preserved for the duration of the legal hold and will be deleted in accordance with our standard retention schedule once the hold is released. We will notify you of any legal hold affecting your data to the extent we are legally permitted to do so.

8. International Data Transfers

Varanic LLC is headquartered in the United States, and the Service is primarily hosted on infrastructure located within the United States. If you access the Service from outside the United States, you acknowledge that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For customers located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses ("SCCs") as the legal mechanism for transferring personal data from the EEA to the United States. We execute the applicable SCCs with our customers and service providers and implement supplementary technical and organizational measures as necessary to ensure an adequate level of data protection. Customers requiring execution of SCCs may request them by contacting us at [email protected].

We monitor developments in international data transfer frameworks, including the EU-U.S. Data Privacy Framework and its successors, and will adopt additional transfer mechanisms as they become available and applicable to our operations. We will notify customers of any material changes to the location where Customer Data is stored or processed, and of any changes to the legal mechanisms relied upon for international transfers, with sufficient advance notice to allow customers to evaluate the impact and exercise their rights under this Privacy Policy.

Regardless of where your data is stored or processed, we apply the same security protections and privacy safeguards described in this Privacy Policy. Our data protection obligations under this Policy and applicable law travel with the data and are not diminished by the transfer of data to a different jurisdiction.

9. Cookies and Local Storage

The Service uses a minimal set of cookies and browser local storage mechanisms that are strictly necessary for the operation of the platform and the preservation of your preferences. We do not use cookies for advertising, behavioral tracking, or cross-site profiling. Our approach to cookies and local storage is described below.

9.1 Session Tokens

When you log into the Service, we set a session cookie containing an encrypted session token that authenticates your identity and maintains your session state as you navigate the platform. Session cookies are essential to the operation of the Service and cannot be disabled without losing access to the platform. Session tokens are set with the Secure and HttpOnly flags and expire automatically after a defined inactivity period.

9.2 Theme and UI Preferences

We use browser local storage to persist your user interface preferences, including your selected theme (light or dark mode), sidebar visibility state, table column configurations, and other display settings. These preferences are stored locally on your device and are not transmitted to our servers except where necessary for server-side rendering or layout purposes.

9.3 Performance Optimization

We may use local storage to cache certain non-sensitive data locally on your device to improve platform loading times and reduce unnecessary network requests. Cached data is limited to non-sensitive UI assets and configuration data, and is automatically invalidated and refreshed on a regular basis. Local storage used for performance optimization does not contain Customer Data, financial information, or personal information.

9.4 What We Do Not Use

The Service does not use third-party advertising cookies, cross-site tracking pixels, social media tracking scripts, fingerprinting technologies for tracking purposes, or any other mechanism designed to track your activity across websites or build a profile of your browsing behavior. We do not participate in advertising networks or data exchanges, and we do not allow third parties to set cookies or collect information through the Service for their own purposes.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. We are committed to providing you with meaningful notice of material changes and the opportunity to understand how those changes affect the handling of your information.

For material changes to this Privacy Policy, including changes that affect the categories of data we collect, the purposes for which we use data, our data sharing practices, or your rights, we will provide at least thirty (30) days' advance notice before the revised policy takes effect. Notice will be provided by email to the primary contact address associated with your account and through a prominent notice within the Service interface.

Your continued use of the Service following the effective date of a revised Privacy Policy constitutes your acceptance of and agreement to the revised Policy. If you do not agree with any changes, you should discontinue use of the Service before the effective date and contact us to discuss your concerns or to request deletion of your data.

We maintain a version history of this Privacy Policy, and previous versions are available upon request. Each version is identified by its effective date, and the current version is always accessible through the Service and our website. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below. We take all privacy inquiries seriously and will respond to your request within a reasonable timeframe.

For data protection matters affecting customers in the European Economic Area or the United Kingdom, you may also contact our designated data protection point of contact at [email protected]. If you are unsatisfied with our response to your privacy concern, you may have the right to lodge a complaint with your local data protection supervisory authority.

All notices to Varanic under this Privacy Policy must be sent to the email addresses specified above and shall be deemed received upon confirmation of delivery. We will endeavor to acknowledge receipt of all inquiries within five (5) business days and to provide a substantive response within thirty (30) calendar days.