Privacy Policy
Last updated: 17 July 2026
1. Scope
This policy covers information handled when you visit Govarna's website, submit a free tool or marketing form, create or use a Govarna account, purchase a subscription, or contact us. Govarna is designed for business use.
2. Information we handle
- Account and organization data: email address, profile and authentication data, organization name, membership, role, and account settings.
- Customer content: AI system inventory fields, vendor details, policies, controls, questionnaire text and source files, draft or approved answers, evidence files, and audit records created through product workflows.
- Billing data: Stripe customer, subscription, invoice, and payment-status metadata. Payment credentials entered in Stripe-hosted flows are handled by Stripe rather than stored as card numbers by Govarna.
- Website and free-tool data: information you submit such as email, organization name, assessment answers or results, questionnaire match counts, and attribution fields. Public tool endpoints also process a hashed network address and a limited user-agent value for abuse prevention and operations.
- Usage and device data: pages, feature or click events, referral and campaign parameters, browser or device information, and diagnostic events generated through configured analytics and observability services.
- Communications: support, sales, privacy, security, and other messages you send to Govarna.
3. How we use information
We use information to authenticate users; provide tenant-scoped product workflows; store and retrieve customer content; generate requested drafts; operate billing; send service communications and communications requested through marketing forms; answer requests; measure website and feature use; prevent abuse; investigate errors; maintain security; and meet obligations that apply to Govarna.
4. Providers and disclosures
Current code paths and deployment configuration reference the following provider categories. A provider receives information only when the relevant feature is used or integration is enabled.
- Vercel: website and application hosting.
- Supabase: authentication, Postgres database, and private file storage.
- Anthropic: AI-assisted questionnaire extraction fallback and response drafting.
- Stripe: checkout, subscriptions, invoices, and billing portal.
- Resend and Loops: transactional email and marketing-contact workflows.
- Google Analytics and PostHog: website and product analytics.
- Sentry, Axiom, and Upstash: configured error monitoring, logging, and rate limiting.
We may also disclose information when directed by an authorized customer, when needed to investigate misuse or protect the service, or when required by a valid legal process. Specific contractual restrictions, transfer mechanisms, and subprocessor terms must be confirmed in the applicable signed agreement.
5. AI-assisted processing
Govarna's core EU AI Act risk-tier classification is rules-based. Anthropic is used for fallback extraction of unstructured questionnaire text and for drafting questionnaire responses from selected tenant context. Read the AI Usage Statement for the current model path and data flow.
6. Tenant isolation and security
Customer records use organization-scoped Postgres Row Level Security policies. Evidence and source-questionnaire files use private storage buckets with organization-scoped paths and role-based policies. Privileged service credentials remain in server-side deployment configuration. No online service can promise absolute security; current controls are described on the Security & Trust page.
7. Cookies and analytics
Necessary technologies support authentication, security, and saved privacy choices. With your permission, analytics technologies from Google Analytics and, when configured, PostHog process page, referral, campaign, and event information. Advertising measurement can store a first-touch attribution cookie and allow Google to measure whether an advertisement led to a trial or purchase. Govarna does not enable ad personalization in its consent configuration.
You can choose necessary-only, analytics, and advertising-measurement settings separately through the cookie controls displayed on the website, and reopen those controls at any time. Rejecting optional categories does not prevent use of the service, but it limits analytics and campaign attribution.
8. Retention and deletion
Govarna retains information while it is needed to operate the service, maintain security and auditability, resolve requests, and meet applicable obligations. Retention varies by data category and context; this page does not publish fixed periods. Any customer-specific deletion or retention commitment must be stated in the applicable signed agreement.
9. Requests and choices
Depending on your location and relationship with Govarna, you may have rights concerning access, correction, deletion, restriction, objection, portability, or withdrawal of consent. Send requests to privacy@govarna.com. We may need to verify identity, authority, organization, and the law that applies before acting.
10. Customer and Govarna roles
The allocation of controller, processor, business, or service-provider roles depends on the data and relationship involved. Customers generally determine what customer content they submit and how they use it. The applicable DPA or order form, if signed, should define the parties' roles for that customer.
11. Changes
We may update this page as product practices or requirements change. The date above shows the latest published revision. This page does not promise a particular advance-notice period.
12. Contact
- Privacy: privacy@govarna.com
- Security reports: security@govarna.com
- Product support: support@govarna.com