Privacy Policy

Last updated: 17 July 2026

This public notice describes current product and website data handling at a practical level. It is not a substitute for a signed Data Processing Addendum (DPA), order form, or other negotiated agreement. If an applicable signed agreement conflicts with this page, the signed agreement governs that conflict.

1. Scope

This policy covers information handled when you visit Govarna's website, submit a free tool or marketing form, create or use a Govarna account, purchase a subscription, or contact us. Govarna is designed for business use.

2. Information we handle

  • Account and organization data: email address, profile and authentication data, organization name, membership, role, and account settings.
  • Customer content: AI system inventory fields, vendor details, policies, controls, questionnaire text and source files, draft or approved answers, evidence files, and audit records created through product workflows.
  • Billing data: Stripe customer, subscription, invoice, and payment-status metadata. Payment credentials entered in Stripe-hosted flows are handled by Stripe rather than stored as card numbers by Govarna.
  • Website and free-tool data: information you submit such as email, organization name, assessment answers or results, questionnaire match counts, and attribution fields. Public tool endpoints also process a hashed network address and a limited user-agent value for abuse prevention and operations.
  • Usage and device data: pages, feature or click events, referral and campaign parameters, browser or device information, and diagnostic events generated through configured analytics and observability services.
  • Communications: support, sales, privacy, security, and other messages you send to Govarna.

3. How we use information

We use information to authenticate users; provide tenant-scoped product workflows; store and retrieve customer content; generate requested drafts; operate billing; send service communications and communications requested through marketing forms; answer requests; measure website and feature use; prevent abuse; investigate errors; maintain security; and meet obligations that apply to Govarna.

4. Providers and disclosures

Current code paths and deployment configuration reference the following provider categories. A provider receives information only when the relevant feature is used or integration is enabled.

  • Vercel: website and application hosting.
  • Supabase: authentication, Postgres database, and private file storage.
  • Anthropic: AI-assisted questionnaire extraction fallback and response drafting.
  • Stripe: checkout, subscriptions, invoices, and billing portal.
  • Resend and Loops: transactional email and marketing-contact workflows.
  • Google Analytics and PostHog: website and product analytics.
  • Sentry, Axiom, and Upstash: configured error monitoring, logging, and rate limiting.

We may also disclose information when directed by an authorized customer, when needed to investigate misuse or protect the service, or when required by a valid legal process. Specific contractual restrictions, transfer mechanisms, and subprocessor terms must be confirmed in the applicable signed agreement.

5. AI-assisted processing

Govarna's core EU AI Act risk-tier classification is rules-based. Anthropic is used for fallback extraction of unstructured questionnaire text and for drafting questionnaire responses from selected tenant context. Read the AI Usage Statement for the current model path and data flow.

6. Tenant isolation and security

Customer records use organization-scoped Postgres Row Level Security policies. Evidence and source-questionnaire files use private storage buckets with organization-scoped paths and role-based policies. Privileged service credentials remain in server-side deployment configuration. No online service can promise absolute security; current controls are described on the Security & Trust page.

7. Cookies and analytics

Necessary technologies support authentication, security, and saved privacy choices. With your permission, analytics technologies from Google Analytics and, when configured, PostHog process page, referral, campaign, and event information. Advertising measurement can store a first-touch attribution cookie and allow Google to measure whether an advertisement led to a trial or purchase. Govarna does not enable ad personalization in its consent configuration.

You can choose necessary-only, analytics, and advertising-measurement settings separately through the cookie controls displayed on the website, and reopen those controls at any time. Rejecting optional categories does not prevent use of the service, but it limits analytics and campaign attribution.

8. Retention and deletion

Govarna retains information while it is needed to operate the service, maintain security and auditability, resolve requests, and meet applicable obligations. Retention varies by data category and context; this page does not publish fixed periods. Any customer-specific deletion or retention commitment must be stated in the applicable signed agreement.

9. Requests and choices

Depending on your location and relationship with Govarna, you may have rights concerning access, correction, deletion, restriction, objection, portability, or withdrawal of consent. Send requests to privacy@govarna.com. We may need to verify identity, authority, organization, and the law that applies before acting.

10. Customer and Govarna roles

The allocation of controller, processor, business, or service-provider roles depends on the data and relationship involved. Customers generally determine what customer content they submit and how they use it. The applicable DPA or order form, if signed, should define the parties' roles for that customer.

11. Changes

We may update this page as product practices or requirements change. The date above shows the latest published revision. This page does not promise a particular advance-notice period.

12. Contact