Versa

Last updated: 2026-03-20

Privacy Policy

This Policy explains how Joakim Refsdahl (“we”, “us”) processes personal data when you use Versa. For contractual terms, see our Terms of Service.

1. Data controller

The controller responsible for personal data processed in connection with the Service is:

Joakim Refsdahl

Privacy contact: privacy@myversa.app.

2. Scope

This Policy applies to personal data we process when you visit our website, create or use an account, use tasks, lists, notes, and related features, and when we send transactional email (such as verification or password reset). It does not apply to third-party sites or services linked from the Service.

3. Categories of personal data

Depending on how you use the Service, we may process:

  • Account and profile: name, email address, password (stored using secure hashing), and account preferences.
  • Content you create: tasks, lists, notes, titles, text, attachments or media you choose to add (including URLs, uploads, or recordings where the product supports them).
  • Technical and usage data: IP address, browser type, device identifiers, approximate location derived from IP, timestamps, session identifiers, and diagnostic or security logs.
  • Communications: messages you send to us (for example support email).

4. Purposes and lawful bases (UK / EEA)

Where UK GDPR / EU GDPR applies, we rely on the following lawful bases:

  • Contract (Article 6(1)(b)): to provide the Service, create and manage your account, deliver features you request, and send essential transactional messages.
  • Legitimate interests (Article 6(1)(f)): to secure the Service, prevent abuse, debug and improve reliability, analyse aggregated usage, and communicate operational updates, where not overridden by your rights.
  • Legal obligation (Article 6(1)(c)): to comply with applicable law or respond to lawful requests.
  • Consent (Article 6(1)(a)): where we ask for consent (for example optional marketing, if offered), you may withdraw consent at any time without affecting processing that was lawful before withdrawal.

5. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate the Service (for example session authentication and security). Where we introduce optional analytics or marketing cookies, we will describe them and, where required, obtain consent before use.

6. Recipients and subprocessors

We engage service providers who process personal data on our instructions. The categories below reflect typical deployments; update your own list in configuration to name the providers you use:

  • Hosting and infrastructure — Servers, databases, and storage used to run the Service depend on your deployment (e.g. cloud platform, VPS, or managed host).
  • Email delivery — Transactional email (such as verification or password reset) is sent using the mail transport configured for this application (e.g. SMTP, Postmark, or Amazon SES).

7. International transfers

If personal data is transferred from the UK or EEA to countries not subject to an adequacy decision, we will use appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or EU Standard Contractual Clauses, supplemented as needed by a transfer impact assessment. You may request a copy of relevant safeguards by contacting us.

8. Retention

We retain personal data for as long as your account is active and for a reasonable period afterwards for backup, legal, and security purposes. Technical logs may be retained for shorter or longer periods depending on security and operational needs. When data is no longer needed, we delete or anonymise it where feasible.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, or alteration. No method of transmission or storage is completely secure; we encourage strong passwords and device security.

10. Your rights

Depending on your location, you may have the right to access, rectify, or erase your personal data, to restrict processing, to object to certain processing, to data portability, and to withdraw consent where processing is consent-based. You may also lodge a complaint with a supervisory authority. In the UK, the Information Commissioner’s Office (ICO) is available at ico.org.uk. In the EEA, you may contact your local data protection authority.

To exercise your rights, contact privacy@myversa.app. We may need to verify your identity before responding.

11. Children

The Service is not directed at children under the age at which they may lawfully use the Service in their jurisdiction (typically under 13, or higher where local law requires). If you believe we have collected a child’s data in error, contact us and we will take appropriate steps.

12. Changes

We may update this Policy from time to time. We will post the revised version and update the “Last updated” date where shown. Material changes may be communicated by email or in-product notice where appropriate.