varlecon.com
Varlecon
Legal

Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly what data we collect, why we collect it, and how you can control it.

Effective date: January 1, 2025

01Introduction

Varlecon Incorporation Limited ("Varlecon," "we," "us," or "our"), a company incorporated in Tanzania under the Companies Act, 2002 (Registration No. 165629825), operates an AR indoor navigation and spatial intelligence platform. This Privacy Policy explains how we collect, use, share, and protect information about our business clients ("Clients"), their end-users (venue visitors who use navigation services), and visitors to our website.

This policy applies to all Varlecon services, including our navigation SDK, BLE beacon management system, analytics dashboard, and website at varlecon.com. It is written in compliance with the Personal Data Protection Act, 2022 of the United Republic of Tanzania.

Key principle: Visitor analytics data processed through the Varlecon platform is fully anonymised before storage. We do not build individual profiles of venue visitors and we do not sell data to third parties.

If you are a venue visitor using a Varlecon-powered navigation experience, the venue operator is the data controller for your experience. Please refer to the venue's own privacy notice for information specific to your visit.

02Information We Collect

A. Information You Provide

When you register for a Varlecon account or contact us, we may collect:

  • Name, job title, and company name
  • Business email address and phone number
  • Billing and invoicing information
  • Venue floor plans, maps, and configuration data you upload
  • Communications you send to our support or sales team

B. Platform Usage Data

As you use the Varlecon dashboard and APIs, we automatically collect:

  • Log data including IP address, browser type, pages accessed, and timestamps
  • Feature usage patterns and dashboard interaction data
  • API request volumes, response times, and error rates
  • Device and operating system information

C. Venue Analytics Data (Anonymised)

When end-users navigate within your venue using the Varlecon SDK, the platform collects:

  • BLE signal strength readings for positioning (processed on-device and not stored individually)
  • Anonymised movement paths and zone dwell times
  • Aggregate footfall counts, peak hours, and heatmap data
  • Navigation success rates and route completion data
Individual visitor data is hashed and stripped of any device identifiers before being aggregated. Varlecon cannot re-identify individual visitors from analytics data.

D. BLE Beacon Data

Our BLE beacons broadcast non-personally-identifiable signals used solely to determine proximity and position within a venue. Beacons do not collect or transmit data from end-user devices.

03How We Use Your Information

We use the information we collect to:

  • Provide and operate services: Provision your account, process payments, deliver the platform, and ensure proper functionality.
  • Improve accuracy: Use aggregated positioning data to refine BLE algorithms and improve navigation precision.
  • Customer support: Respond to enquiries, troubleshoot issues, and provide technical assistance.
  • Security & integrity: Detect, investigate, and prevent fraudulent or abusive use of the platform.
  • Communications: Send you service updates, security alerts, invoices, and — with your consent — product news and feature announcements.
  • Legal compliance: Meet our obligations under applicable law and respond to lawful requests from authorities.
  • Analytics & development: Understand how the platform is used to guide feature development and performance improvements.

We will not use your data for any purpose that is incompatible with the purposes described above without obtaining your explicit consent.

04Information Sharing

We do not sell, rent, or trade your personal data. We may share information only in the following circumstances:

Service Providers

We share data with trusted third-party vendors who help us deliver our services, including cloud infrastructure providers, payment processors, and email service providers. All such providers are contractually required to protect your data and process it only as instructed by Varlecon.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email or a prominent notice on our website before your data becomes subject to a different privacy policy.

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the safety of any person or to prevent fraud.

Aggregated & Anonymised Data

We may share aggregated, anonymised analytics data — for example, industry benchmarks or platform usage statistics — where no individual or organisation can be identified.

05Cookies & Tracking

Our website and dashboard use cookies and similar tracking technologies to provide functionality and understand usage. We use:

  • Essential cookies: Required for the platform to function, including authentication session cookies and security tokens. These cannot be disabled.
  • Preference cookies: Remember your settings such as theme (dark/light mode) and language preferences.
  • Analytics cookies: Help us understand how the dashboard is used so we can improve it. Analytics data is aggregated and not shared with third-party advertisers.

You can manage or disable non-essential cookies through your browser settings or our cookie preference centre available in the dashboard. Note that disabling certain cookies may affect platform functionality.

Varlecon does not use advertising cookies, tracking pixels for ad retargeting, or share cookie data with any advertising networks.

06Data Retention

We retain your information for as long as necessary to:

  • Maintain your active account and provide contracted services.
  • Comply with our legal and regulatory obligations (typically 7 years for financial records).
  • Resolve disputes and enforce our agreements.

Specific retention periods by data type:

  • Account and billing data: Retained for the duration of your contract plus 7 years.
  • Venue analytics data: Aggregated data retained for up to 36 months; raw anonymised event data deleted within 90 days of collection.
  • Support communications: Retained for 3 years after case closure.
  • Platform logs: Retained for 12 months for security and debugging purposes.

When data is no longer required, it is securely deleted or irreversibly anonymised.

07Data Security

We implement appropriate technical and organisational security measures to protect your information against unauthorised access, loss, destruction, or alteration. These include:

  • End-to-end TLS encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Role-based access controls limiting data access to authorised personnel only.
  • Regular penetration testing and vulnerability assessments.
  • Multi-factor authentication requirements for dashboard access.
  • SOC 2-aligned security controls on our cloud infrastructure.

In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and the Personal Data Protection Commission (PDPC) without undue delay, in accordance with the Personal Data Protection Act, 2022 of Tanzania.

To report a security vulnerability, please contact security@varlecon.com.

08Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to our legal retention obligations.
  • Restriction: Request that we limit how we use your data in certain circumstances.
  • Portability: Request a machine-readable copy of data you have provided to us.
  • Objection: Object to our processing of your data based on legitimate interests.
  • Withdraw consent: Where we rely on consent to process your data, withdraw it at any time without affecting prior processing.
To exercise any of your rights, email privacy@varlecon.com. We will respond within 30 days. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) in Tanzania, or with the data protection authority in your country of residence, if you believe we are processing your data unlawfully.

09Children's Privacy

The Varlecon platform is a B2B service intended for use by businesses and their adult staff. We do not knowingly collect personal data from children under the age of 16.

If you are a venue operator deploying Varlecon's navigation to a venue where children are present (such as a museum or family attraction), you are responsible for ensuring appropriate safeguards are in place and that any data collected complies with applicable children's privacy law, including obtaining parental consent where required.

If we become aware that we have inadvertently collected personal data from a child, we will take immediate steps to delete it. Please notify us at privacy@varlecon.com if you believe this has occurred.

10International Transfers

Varlecon is headquartered in Dar es Salaam, Tanzania and operates services globally. Your data may be processed in countries other than Tanzania, including cloud infrastructure regions in the United States, Europe, and East Africa.

Where we transfer personal data outside Tanzania, we do so in accordance with Part VII of the Personal Data Protection Act, 2022, and only where adequate protection is ensured through one or more of the following:

  • A country or territory recognised as providing an adequate level of data protection.
  • Contractual clauses that require the recipient to apply equivalent data protection standards.
  • The explicit consent of the data subject where other safeguards are not available.

For more information about the safeguards we use for international transfers, contact dpa@varlecon.com.

11Third-Party Services

Our platform may integrate with or link to third-party services such as building management systems, emergency alarm platforms, or enterprise software. These third parties have their own privacy policies and we are not responsible for their data practices.

We encourage you to review the privacy policies of any third-party services you connect to the Varlecon platform. Our integration with a third-party service does not constitute our endorsement of their privacy practices.

12Changes to This Policy

We may update this Privacy Policy periodically as our services evolve or as required by law. When we make significant changes, we will:

  • Update the effective date at the top of this page.
  • Notify active clients by email at least 30 days before changes take effect.
  • Display a prominent notice in the Varlecon dashboard.

We encourage you to review this policy regularly. Your continued use of the platform after the effective date of any revised policy indicates your acceptance.

13Contact & DPO

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy requests within 30 days. If your request is complex, we will notify you of any extension and the reason for the delay, as required under the Personal Data Protection Act, 2022.