Varsity Data
What we build Approach
Start a project

// Legal

Privacy Policy

Effective April 4, 2026 · Last updated April 4, 2026

This Privacy Policy is provided for transparency and is not legal advice. Varsity Data LLC recommends that anyone relying on it consult qualified counsel for their specific circumstances.

On this page

  1. Introduction & Scope
  2. Our Roles: Controller and Processor
  3. Information We Collect
  4. How We Use Information
  5. How We Share Information
  6. We Do Not Sell Your Personal Information
  7. AI & Automated Processing
  8. Partner Authorization & Revocation
  9. Your Privacy Rights & Choices
  10. California Privacy Rights (CCPA/CPRA)
  11. European & UK Rights (GDPR)
  12. Consumer Health Data
  13. Children's Privacy
  14. Data Retention
  15. Data Security
  16. Changes to This Policy
  17. Contact Us

Introduction & Scope

Varsity Data LLC ("Varsity Data," "we," "us," or "our") is a software studio that designs, builds, and delivers custom software for our clients — often under the client's own brand. This Privacy Policy explains how we handle personal information in two situations:

  • Our website — when you visit varsitydata.ai or contact us about a project.
  • Client software we build and operate — the personal information handled by the applications we create for our clients, which we process on their behalf.

Because these two situations are different, our responsibilities differ too — see the next section.

Our Roles: Controller and Processor

  • Where we act as a controller. For our website and for the business-contact information of people who reach out to us, we decide how and why the information is used, and this policy governs that use.
  • Where we act as a processor / service provider. When we build or operate software for a client, the personal information handled by that software belongs to the client's relationship with its own users. In that context the client is the controller, the client's own privacy policy governs its users, and we process the information only on the client's documented instructions under a written agreement (including a data processing addendum where required). If you are a user of software we built for one of our clients, please refer to that client's privacy policy, and see "Your Privacy Rights" below for how requests are handled.

Information We Collect

From website visitors and people who contact us. Our website is intentionally minimal: it sets no cookies and runs no advertising or analytics trackers. Our hosting provider may log standard technical data (such as IP address, browser type, and request time) for security and reliability. Our pages load fonts from Google Fonts, which shares your IP address with Google to deliver those fonts, under Google's own privacy policy. When you email us, we receive the information you choose to send — typically your name, email address, and the details of your project inquiry.

When we build and operate client software (processed on the client's behalf). Depending on what a client's application does, we may process categories of personal information such as:

  • Profile identifiers — such as name, email address, and account identifiers.
  • Health and biometric metrics — such as heart rate, sleep, weight, and body measurements, where an application handles them.
  • Activity and device data — such as workouts, steps, and device or sensor readings.
  • Location data — where an application includes location and the user permitted it.
  • Technical and sync data — such as IP address, timestamps, and synchronization metadata.

From our clients. We collect business-contact and account details from the companies we work with, such as names, work email addresses, and credentials needed to build, secure, and operate their software.

How We Use Information

We use personal information to:

  • Operate, secure, and maintain our website and respond to your inquiries.
  • Scope, design, build, deliver, and maintain software for our clients.
  • Process personal information within client software only as the client instructs and as our agreement permits.
  • Detect, prevent, and respond to fraud, abuse, security incidents, and technical problems.
  • Comply with legal obligations and enforce our agreements.

We do not use the personal information handled inside client software for our own advertising, and we do not build cross-context marketing profiles from it.

How We Share Information

We share personal information only in limited circumstances:

  • With the client whose software we are building or operating — that is the purpose of the engagement, governed by our agreement with them.
  • With trusted service providers (such as cloud hosting and infrastructure) that support our operations under contract and may use the information only to perform services for us.
  • For legal and safety reasons — with authorities when required by law or valid legal process, or to protect the rights, safety, and security of people, the public, Varsity Data, or others.
  • In a business transfer — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy's commitments.

We Do Not Sell Your Personal Information

Varsity Data does not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not disclose personal information we handle to data brokers. Information is used and shared only as described in this policy and, for client software, as directed by the client.

AI & Automated Processing

Personal information obtained from third-party data partners through their APIs — within any software we build or operate — is not shared with, processed by, or otherwise made available to any external AI provider or external data-processing service. That partner data is processed only within controlled infrastructure that we or our client operate. We do not send it to public, consumer, or third-party AI models, and we never use it to train external foundation models.

Separately, and only for information that does not come from a partner API — such as a client's own datasets or content a user submits directly — we may use enterprise AI services, with strict safeguards:

  • Enterprise endpoints under Data Processing Addendums. We use enterprise AI services (not public consumer models), bound by DPAs requiring inputs to be used solely for inference, not retained after processing, and never used to train external foundation models.
  • User-level isolation. Data is logically partitioned per user so one user's information cannot mingle with another's.
  • Redaction before processing. We strip personally identifiable information and replace it with generic placeholders (for example, a name becomes "[NAME]") before any text is sent to an external processing layer.

Partner Authorization & Revocation

Where software we build connects to a third-party data partner (for example, a wearable, fitness, or health platform), access to a user's data begins only after that user grants consent, typically through the partner's own secure authorization flow (such as an OAuth permission screen). Users can revoke access at any time — at the data partner's connected-apps settings, or by contacting the client that operates the software, or by contacting us at [email protected]. After revocation, retrieval of new data stops and the associated information is deleted or de-identified as described in "Data Retention," subject to any legal obligation to retain it.

Your Privacy Rights & Choices

You may ask to access, export, correct, or delete the personal information we hold. Email [email protected] with your request. We will confirm receipt and respond within 45 days, extending only where the law permits and we notify you, and we may verify your identity first.

Where the information is processed on a client's behalf (the client is the controller), we will promptly forward your request to that client and assist them in responding, or direct you to the client's own process. You will not be treated differently for exercising your rights.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the CCPA (as amended by the CPRA) gives you rights to know, access, correct, delete, and limit the use of your personal information, and not to be treated differently for exercising them. Where we handle personal information on a client's behalf, we act as a service provider and process it only under our contract.

Category Examples Sold / Shared?
IdentifiersName, email, account ID, IP addressNo
Health & biometric informationHeart rate, sleep, weight, body measurementsNo
Activity & device dataWorkouts, steps, sensor and device readingsNo
Geolocation dataLocation associated with an activity or recordNo
Internet / technical activitySync timestamps, request logs, technical metadataNo

We do not sell or share personal information as those terms are defined under California law. Health and precise geolocation data are treated as sensitive personal information and used only for the purposes described here. Exercise your rights (including via an authorized agent) by emailing [email protected].

European & UK Rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR and UK GDPR, including access, rectification, erasure, restriction, objection, and data portability. Where we determine the purposes and means of processing (our website and contacts), we act as a controller; where we process data on a client's behalf, we act as a processor on the client's instructions.

Our legal bases include consent (for example, the authorization a user gives at a data partner, which can be withdrawn), contract, legitimate interests (securing and improving our services, where not overridden by your rights), and legal obligation. Where we transfer personal information across regions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. You may exercise your rights at [email protected] and may lodge a complaint with your local supervisory authority.

Consumer Health Data

Some information handled by software we build — such as heart rate, sleep, weight, and related biometrics — may constitute consumer health data under laws including Washington's My Health My Data Act and similar state laws. We give it heightened protection: it is processed only with consent and only to provide the authorized service; it is not sold and not used for advertising; it is not shared with external AI providers (see "AI & Automated Processing"); access is restricted to those who need it; and consent can be withdrawn and deletion requested at [email protected].

Children's Privacy

Our services are not directed to young children. We do not knowingly collect personal information from children under the age of 8. For individuals aged 8 to 17, we require verified parental or guardian consent before processing their personal information, consistent with our data partners' requirements and applicable law. If you believe a child's information was shared with us without the required consent, contact [email protected] and we will promptly delete it.

Data Retention

We retain personal information only as long as necessary to provide our services, fulfill the purposes in this policy, and meet legal obligations — and, for client software, for the term set by our agreement with the client. When a connection is revoked, deletion is requested, or an engagement ends, we delete or de-identify the associated information within a reasonable period, except where retention is required by law or to resolve disputes and enforce our agreements.

Data Security

We use administrative, technical, and organizational measures designed to protect personal information, including encryption in transit, access controls, and least-privilege access. No method of transmission or storage is completely secure, but we work to protect your information and to address security issues promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes we will update the "Effective" date and, where appropriate, provide additional notice. Continued use of our services after an update means you accept the revised policy.

Contact Us

Questions or requests: Varsity Data LLC · Email [email protected] · Governing jurisdiction: State of Utah, United States.

See also our Terms of Use.

Varsity Data

Custom software, built as your own.

Company

What we build Your brand Approach

Legal

Privacy Legal

Get started

Start a project

© 2026 Varsity Data LLC. All rights reserved.