Privacy Policy

Vavan, LLC (“Vavan,” “we,” “us”) is a California limited liability company headquartered in Sacramento, California. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the vavan.ai website (the “Site”) and the Vavan platform (the “Platform”).

Controller vs. processor. For information collected through the Site and our own marketing and business operations, Vavan acts as a “controller” (or “business”). For the business data a customer connects to or configures within the Platform, Vavan acts as a “processor” (or “service provider”) that processes that data only on the customer’s documented instructions under the applicable Customer Agreement and Data Processing Addendum. For that customer data, the customer is the controller; if you are an employee or contact of a Vavan customer, please direct privacy requests to that customer.

Information you provide. When you contact us, request a demo, or correspond with us, we collect details such as your name, company, email address, phone number, and the contents of your message.

Information collected automatically. When you visit the Site, we and our analytics providers may collect standard technical data such as IP address, approximate location, device and browser type, pages viewed, referring pages, and timestamps, using cookies and similar technologies.

Account information. For Platform users, we collect account and authentication details (such as name, work email, role, and organization) needed to provision and secure access.

Customer business data. Customers may connect or configure business data within the Platform (for example, accounts, contacts, orders, and operational records). We process this data on the customer’s behalf as a processor; it is governed by the Customer Agreement, not by our own marketing uses.

We do not intentionally collect sensitive personal information through the Site, and we ask that you not submit it.

We use personal information to:

• respond to inquiries and provide requested information or demonstrations;
• provide, operate, secure, maintain, and improve the Site and Platform;
• communicate with you about your account, support, and service-related matters;
• understand and analyze usage to improve performance and content;
• detect, prevent, and address fraud, abuse, and security incidents; and
• comply with legal obligations and enforce our terms and agreements.

We do not sell personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under California law.

Where the GDPR or UK GDPR applies, we process personal information on the following legal bases: performance of a contract (or steps to enter into one); our legitimate interests in operating, securing, and improving our business (balanced against your rights); compliance with legal obligations; and consent where required (for example, certain cookies). You may withdraw consent at any time without affecting prior processing.

A customer’s private business data — including accounts, contracts, pricing, and deal history — is isolated to that customer’s own organization. It is never added to any shared market layer and is never exposed to another customer. Any shared market or reference data is built only from public or properly licensed sources, never from one customer’s private data.

As a processor, we process customer data only to provide the Platform and on the customer’s documented instructions, and we do not use customer business data for our own marketing or to train models for the benefit of other customers.

We share personal information only as described here:

• Service providers / sub-processors. With vendors that host and operate the Site and Platform (such as cloud infrastructure, database hosting, email delivery, and analytics), under contracts that require appropriate confidentiality and security and limit their use of the data to providing services to us.
• Legal and safety. Where required by law, legal process, or governmental request, or to protect the rights, property, or safety of Vavan, our customers, or others.
• Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
• With your direction or consent. When you ask us to share information or otherwise consent.

We do not share customer business data with third parties for their own marketing purposes.

We use essential cookies needed to operate the Site and privacy-respecting analytics to understand usage. You can control cookies through your browser settings; disabling some cookies may affect Site functionality. Where required, we honor recognized opt-out preference signals such as Global Privacy Control (GPC).

We retain personal information for as long as needed to fulfill the purposes described in this Policy, including to provide the Site and Platform, comply with legal obligations, resolve disputes, and enforce agreements. Customer business data is retained and deleted in accordance with the Customer Agreement. When information is no longer needed, we delete or de-identify it.

We apply administrative, technical, and organizational safeguards designed to protect personal information, including organization isolation, row-level access controls, least-privilege access, and encryption in transit and at rest. No method of transmission or storage is completely secure, but we work to protect information and to respond appropriately to incidents. See our Security page for more detail.

We are based in the United States and may process information in the U.S. and other countries. Where we transfer personal information from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) or another lawful transfer mechanism.

Depending on where you live, you may have some or all of the following rights regarding your personal information:

• to know or access the personal information we hold about you;
• to request correction of inaccurate information;
• to request deletion of your information;
• to data portability (receive a copy in a portable format);
• to opt out of the “sale” or “sharing” of personal information (note: we do not sell or share personal information);
• to restrict or object to certain processing, and to withdraw consent; and
• to non-discrimination for exercising your rights.

California residents may exercise rights under the CCPA/CPRA, and EEA/UK residents under the GDPR/UK GDPR. To make a request, email info@vavan.co; we will verify and respond as required by applicable law. You may use an authorized agent where permitted. EEA/UK residents also have the right to lodge a complaint with their supervisory authority.

If your information is held within a customer’s organization on the Platform, the customer is the controller; we will refer your request to that customer or assist them in responding, as appropriate.

The Site and Platform are intended for businesses and are not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.

The Site may link to third-party websites or services that we do not operate. This Policy does not apply to those third parties, and we encourage you to review their privacy practices.

We may update this Policy from time to time. The “Effective” date below reflects the current version, and material changes will be indicated by updating that date. Your continued use of the Site after changes take effect constitutes acceptance of the updated Policy.

For questions or requests regarding this Policy or your personal information, contact Vavan, LLC at info@vavan.co, Sacramento, California.