Privacy Policy & Terms of Service
Last Updated: 26/06/2025
1. Privacy Policy
1.1 Information Collection and Processing
We systematically gather and utilize the following categories of personal and non-personal information to deliver and improve our professional outsourcing services (including but not limited to software development, quality assurance, business analysis, and UX/UI design):

Voluntarily Provided Data:
- Full name, professional email address, corporate contact details, and project specifications shared through contact forms, email correspondence, or contractual agreements.
- Payment and invoicing information (where applicable) for service engagements.

Automatically Collected Data:
- Technical metadata including IP addresses, browser characteristics, device identifiers, and usage patterns through secure analytics platforms (Google Analytics 4 with IP anonymization).
- Cookie data (strictly categorized as Essential, Performance, and Functional) with explicit user consent management via cookie banner.
1.2 How We Use Your Data
We utilize the information you provide strictly for purposes directly related to delivering our professional outsourcing services in software development, quality assurance, business analysis, and UX/UI design, which includes processing your inquiries, preparing customized service proposals, coordinating project workflows, and fulfilling contractual obligations, all while adhering to applicable data protection regulations such as GDPR and CCPA.
Your contact details and project specifications enable us to maintain clear communication throughout our collaboration, from initial requirements gathering to final deliverables acceptance, including sending project status updates, revising technical documentation, and addressing feedback, ensuring we meet agreed-upon objectives within established timelines. For internal optimization, we analyze anonymized website traffic patterns to improve content organization and user experience, employing tools like Google Analytics with IP anonymization enabled, while explicitly avoiding any collection of unnecessary personal data beyond what is essential for these operational purposes.
We explicitly prohibit selling, leasing, or commercially exploiting your data in any form.
1.3 Data Retention & Security
We adhere to strict, purpose-driven retention periods that balance operational needs with regulatory compliance:
Active Client Data: All information associated with ongoing or completed service engagements—including but not limited to contractual agreements, project specifications, communication records, and deliverables—is retained for 36 months beyond the termination of the service period. This ensures compliance with international financial reporting standards (e.g., IRS requirements for 7-year document retention), statute of limitations for contractual disputes, and potential audit obligations under frameworks such as SOC 2 or ISO 27001.
Marketing and Business Development Inquiries: Prospective client data collected through contact forms, email correspondence, or networking events is maintained for 24 months from the last meaningful interaction (e.g., email response, meeting attendance). Inactive records are automatically purged unless explicit consent for extended retention is obtained, in alignment with GDPR’s "storage limitation" principle (Article 5(1)(e)).
System Backups and Archives: Encrypted backups of critical business data—including databases, project repositories, and financial records—are generated nightly and retained for 90 days on geographically distributed, access-controlled servers. Backup rotation follows the "3-2-1" rule (3 copies, 2 media types, 1 offsite location) to mitigate risks of data loss due to hardware failure, cyberattacks, or natural disasters.

We implement a layered security architecture designed to meet or exceed industry best practices for information confidentiality and integrity:
Encryption Standards:
- Data at Rest: All stored data, including archived project files and client documentation, is secured using AES-256 encryption, with keys managed through AWS Key Management Service (KMS) for hardware-level isolation.
- Data in Transit: End-to-end TLS 1.3 encryption secures all electronic communications, including email exchanges, file transfers via SFTP, and API integrations with third-party tools like Jira or Slack.
Access and Personnel Controls:
- Role-based access permissions (RBAC) restrict data exposure to authorized personnel only, with granular logging of all access events for forensic review.
- Mandatory NDAs and biannual security training for employees and contractors, covering phishing awareness, secure coding practices (OWASP Top 10), and incident response protocols.
Physical and Network Security:
- Data centers comply with ISO 27001 and SOC 2 Type II certifications, featuring biometric access controls, 24/7 monitoring, and redundant power supplies.
- Enterprise firewalls, intrusion detection systems (IDS), and regular penetration testing by accredited third parties (e.g., CREST-certified auditors).
1.4 Your Rights (GDPR/CCPA Compliance)
As a valued user of our services, you retain full control over your personal information through the following comprehensive rights, which we uphold in strict compliance with the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as other applicable data protection frameworks:
Right to Access and Data Portability
You may submit a formal request to obtain confirmation about whether we are processing your personal data, receive a copy of all personal information we maintain about you in a structured, commonly used, and machine-readable format (e.g., PDF or CSV), and gain clear insight into how this data is being utilized within our systems, including details about any third parties with whom your data may have been shared for legitimate business purposes.
Right to Rectification and Data Accuracy
Should you identify any inaccuracies, omissions, or outdated information within the personal data we have on record—such as changes to your professional contact details, company affiliation, or project specifications—you may request prompt correction or completion of such information to ensure our records remain current and reliable for ongoing communications.
Right to Erasure ("Right to Be Forgotten")
Under specific circumstances, including but not limited to cases where your personal data is no longer necessary for its original collection purposes, you may request the permanent deletion of your information from our active databases, backup systems, and archival records, with exceptions applying only where retention is legally mandated (e.g., for tax compliance or contractual obligations).
Right to Restrict or Object to Processing
You retain the authority to temporarily halt or permanently object to certain uses of your personal data, particularly concerning direct marketing communications (e.g., newsletters or service updates), automated decision-making processes, or research activities, without affecting the legality of processing conducted prior to your withdrawal of consent.
Right to Opt Out of Data Sales (CCPA-Specific)
California residents may exercise their right to direct us not to sell their personal information to third parties, as defined under the CCPA, though we affirm that our standard business practices do not involve the sale of client data to external entities under any circumstances.
Right to Non-Discrimination
We guarantee that exercising any of these rights will not result in differential treatment, service limitations, or alterations to your existing contractual terms, pricing structures, or quality of deliverables.

How to Exercise Your Rights
To initiate a request, please contact us via email at legal@velarna.com with the subject line "Data Rights Request." For verification purposes, include:
- Your full name and professional affiliation
- A detailed description of the right(s) you wish to exercise
- Any relevant context (e.g., specific data points for correction)

We commit to responding to all valid requests within 30 calendar days (or 45 days for complex cases, with prior notification). For complaints unresolved through direct communication, you may escalate matters to the relevant supervisory authority, such as your local Data Protection Agency or the California Attorney General's Office.

Additional Safeguards
All requests undergo multi-factor authentication to prevent unauthorized access.
No fees apply unless requests are manifestly unfounded or excessive.
For CCPA requests, you may designate an authorized agent via notarized documentation.
2. Terms of Service
2.1 Service Scope
All professional services, including software development, quality assurance, UX/UI design, and business analysis, are delivered on an "as-is" basis strictly aligned with the specifications and requirements documented in our mutually agreed Statements of Work (SOWs). These binding documents define the exact scope of each engagement, outlining deliverables, milestones, acceptance criteria, and any assumptions or constraints governing the project lifecycle. While we commit to exercising professional diligence and adhering to industry best practices, clients acknowledge that project outcomes inherently depend on the accuracy and completeness of the requirements provided during the planning phase, as well as timely feedback during execution cycles.

Project timelines and delivery schedules become effective only when formally ratified in the SOW and remain subject to adjustment if material changes to scope, dependencies, or external factors emerge, with such modifications governed by our formal Change Control Process. Our services exclude ancillary responsibilities not explicitly stipulated in the SOW, including but not limited to third-party software licensing, legacy system maintenance beyond agreed integration points, or industry-specific compliance certifications requiring specialized audits. All deliverables are considered accepted unless written notice detailing non-conformities is provided within five business days of receipt, after which they transition to standard support coverage as defined in the applicable maintenance terms.
2.2 Intellectual Property
All work products, including but not limited to source code, designs, documentation, and proprietary methodologies developed during the engagement, remain the exclusive property of Velarna Company until full and irrevocable payment of all outstanding fees has been received. During this pre-delivery phase, clients are granted a limited, non-transferable right to review work-in-progress materials solely for evaluation purposes, with explicit prohibitions against reproduction, modification, or commercial use without our prior written consent. Upon completion of payment obligations as stipulated in the Statement of Work (SOW), ownership rights transition according to the specific terms negotiated for each project: either through (a) full assignment of copyright and related intellectual property rights to the client, or (b) a perpetual, worldwide license for use, modification, and distribution, the exact scope of which (including any field-of-use restrictions or attribution requirements) shall be explicitly defined in the SOW’s licensing exhibit.

For avoidance of doubt, this framework excludes third-party components (e.g., open-source libraries or licensed software) which remain governed by their original terms, and clients assume full responsibility for ensuring such components’ compatibility with their intended use cases. All transferred materials are provided "as-is" without implied warranties of non-infringement unless specifically negotiated under separate indemnification provisions. We retain archival copies of deliverables for compliance and portfolio purposes, along with an irrevocable right to reference the work (without disclosing confidential client information) in marketing materials and case studies, unless otherwise agreed in writing prior to project commencement.
2.3 Payments & Refunds
All invoices issued for services rendered become payable within 15 calendar days of the invoice date, unless alternative payment schedules are expressly defined in the governing Statement of Work (SOW) or through subsequent written agreement between both parties. The specific payment terms—including milestone triggers, acceptable currencies, and preferred transfer methods—will be meticulously outlined in each project’s SOW to accommodate unique client requirements or jurisdictional considerations, with any deviations from this standard policy requiring formal amendment via signed change order.

In the event of delayed payment, clients shall be subject to compensatory fees calculated at a rate of 2% per month (or the maximum allowable under applicable law, whichever is lower) on all outstanding balances, accruing daily from the due date until full settlement is received. Such penalties are implemented not as punitive measures but to offset administrative costs and financing impacts, with waivers or reductions considered only for pre-negotiated hardship arrangements documented through our formal escalation protocol.

Regarding refunds, once active development or service delivery has commenced—as evidenced by work logs, version control commits, or progress reports—all fees become non-refundable except under circumstances explicitly defined in the SOW, such as:
- Termination for Convenience clauses with predetermined exit costs
- Service-Level Agreement (SLA) breaches verified through our dispute resolution process
- Mutual agreement citing force majeure or frustration of purpose

Clients acknowledge that these financial terms are intentionally framework-level, with granular details (e.g., invoice templates, tax handling, or currency conversion benchmarks) customized per engagement and annexed to individual SOWs for unambiguous reference. All payment obligations survive project termination and are enforceable regardless of deliverable acceptance status, unless otherwise contractually superseded.
2.4 Liability & Disclaimers
The total aggregate liability of Velarna Company for any claims arising from or related to the provision of services under this agreement—whether in contract, tort (including negligence), or other legal theory—shall under no circumstances exceed the total fees actually paid by the client for the specific project giving rise to the claim during the twelve (12) months preceding the event. This limitation reflects an equitable risk distribution commensurate with the project's scope and pricing structure, and applies universally except where prohibited by mandatory provisions of applicable law.

Notwithstanding the foregoing, in no event shall Velarna Company be liable for any consequential, incidental, indirect, special, or punitive damages—including but not limited to lost profits, business interruption, reputational harm, data loss, or opportunity costs—even if advised of their possibility. Such exclusions remain operative regardless of the failure of essential purpose of any limited remedies herein.

The parties expressly acknowledge that certain project risks fall outside our reasonable control and therefore constitute excluded liabilities, including:
- Delays attributable to incomplete, ambiguous, or untimely client-provided requirements
- Performance failures of third-party systems, platforms, or APIs not under our direct management
- Regulatory changes or force majeure events preventing timely execution

For avoidance of doubt, these limitations shall not apply to: (i) breaches of confidentiality obligations; (ii) willful misconduct; or (iii) liabilities that cannot lawfully be limited under the governing jurisdiction's consumer protection statutes. Any claims must be formally notified in writing within thirty (30) days of the event giving rise to the claim, failing which they shall be deemed irrevocably waived.
3. Cookies & Tracking Technologies
We use necessary cookies to keep our website functioning properly—these enable basic features like contact forms and secure logins, and cannot be disabled without breaking core functionality. These temporary cookies expire automatically when you close your browser or after 30 days of inactivity.

For analytics, we employ optional cookies to understand how visitors interact with our site. These help us improve navigation and content by collecting anonymous data about page visits, button clicks, and loading times. You can manage these cookies at any time through our cookie banner or your browser settings (we recommend Chrome’s "Privacy and Security" tab for granular control). None of these track personal details, and all data is aggregated before analysis. Third-party tools like payment processors may set their own cookies, but we limit these to essential operational purposes only. For full transparency, a complete list of active cookies with their expiration periods is available in our Cookie Policy.