Skip to content
Security & Trust

Privacy Policy

Last updated May 30, 2026

This policy explains what data Var Conduit, Inc. (“VAR Conduit”, “we”) collects, why, and how we protect it. It reflects how the product actually works today.

Who this covers

This policy applies to varconduit.comand the VAR Conduit application. For data you import about your channel (your resellers' people and accounts), you are the data controller and VAR Conduit is your processor — see our Data Processing Addendum.

What we collect

  • Account identity — your name and email address, handled by our authentication provider (Clerk). We never store your password.
  • Channel data you import — the reseller org trees, people (names, titles, work emails, regions), and accounts you upload. This is your business data; we hold it to provide the service.
  • Usage & audit logs — security-relevant events (sign-ins, data changes) tied to your workspace.
  • Technical data — IP address and basic request metadata, used for security, rate limiting, and reliability.

How we use it

Solely to provide and secure the service: to run your workspace, enforce access controls and plan limits, keep an audit trail, and support you. We do not sell your data, and we do not use your imported channel data to train models or build cross-customer datasets.

Website visitor analytics

Separately from the application, when you browse our public marketing website (varconduit.com) we record coarse technical data about the visit: your IP address, an approximate location (country, region, and city inferred from that IP), the pages you view, and the site that referred you. We use this for security, basic site analytics, and business development — understanding which organizations are interested in VAR Conduit — and we may use third-party IP-intelligence services to associate an IP with a likely company. This visitor data is separate from the channel data our customers import, is visible only to VAR Conduit, and is retained for up to 90 days. To opt out or request deletion, email privacy@varconduit.com.

Subprocessors

We rely on these vendors to operate the service:

  • Clerk — authentication & identity
  • Supabase (US) — primary database
  • Vercel — application hosting & CDN
  • Upstash — caching & rate limiting
  • Sentry — error monitoring
  • Resend — transactional email delivery
  • Anthropic(US) — AI summaries & drafting, used only when you enable the optional AI features, sent only the minimal, workspace-scoped facts each feature needs, and never used to train models

Data retention

Your imported channel data is kept until you delete it (per-record, or a full-workspace wipe). Audit-log retention is configurable per workspace and defaults to 365 days. Deleting your workspace removes its data.

Security

Data is encrypted in transit (TLS) and at rest, and every record is scoped to your workspace so it never crosses tenants. Details are on our Security & Trust page.

Your rights

From Settings → Privacyin the app, an admin can export a single person's record or your whole workspace's data as structured JSON (for an access or portability request), delete an individual (right to be forgotten), or wipe the workspace entirely — and export the audit log as CSV. You can also email us for any request. Depending on your location, you may have additional rights under the GDPR or CCPA/CPRA; we honour verified requests.

California privacy rights (CCPA / CPRA)

This section concerns the personal information VAR Conduit itself controls about you — your account identity and the marketing-website visitor data described above. (For the channel data your organization imports, that organization is the controller and handles its own people's requests using the in-app tools above.) If you are a California resident, you have the right to know what personal information we collect and how we use it; to access, correct, or delete it; to data portability; and to limit the use of any sensitive personal information. VAR Conduit does not sell your personal information and does not share it for cross-context behavioural advertising. We do not discriminate against you for exercising any of these rights — we will not deny you service, charge a different price, or provide a different level of service because you exercised them. To make a request, email privacy@varconduit.com; we respond to verified requests within the timeframes the CCPA requires.

International transfers

Our infrastructure is US-hosted. Where data is transferred from other regions, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) via our subprocessors.

Contact

Questions or requests: privacy@varconduit.com, or our contact page.