Privacy Policy

Plain‑language summary (not a substitute for the full policy).

Nameh connects to your existing email accounts and brings them into one place. To do that, we store some of your data — including the contents of your messages — encrypted, and only to operate the Service for you. We do not read your email content for advertising, we do not sell it, and we do not use it to build profiles of you. We do collect usage statistics — information about how the Service is used (features clicked, performance, error rates, message counts, device and connection metadata) — to keep Nameh secure, reliable, and improving. This summary is informational only; the numbered sections below govern.

1. Scope and your acceptance

1.1 This Privacy Policy ("Policy") describes how Virentic LLC collects, uses, discloses, retains, and protects information in connection with the Service, and the rights and choices available to you.

1.2 This Policy applies to the Service and to the websites, applications, application‑programming interfaces, and support channels that link to it. It does not apply to (a) any third‑party website, application, mail server, or service that you connect to or access through the Service, or (b) the internal practices of any organization, employer, or account administrator that provisions the Service to you, each of which is governed by its own terms and privacy practices.

1.3 By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, you must not access or use the Service. This Policy is incorporated by reference into, and supplemented by, the Nameh Terms of Service (the "Terms"). To the extent of any conflict between this Policy and the Terms regarding the handling of personal information, this Policy controls for privacy matters; the Terms control for all other matters, including the dispute‑resolution, liability, and arbitration provisions, which are restated in this Policy in Sections 19–21 for your convenience and notice.

2. Definitions

For clarity and to keep this Policy future‑proof, the following defined terms are used throughout:

• "Personal Data" / "Personal Information" — any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person or household, as those terms are defined under Applicable Data Protection Law.
• "Content" — the substance of the messages and materials you create, send, receive, sync, store, or process through the Service, including message bodies (plain text and HTML), attachments, draft bodies, and email signatures.
• "Service Metadata" — descriptive and structural data about your Content and your use of the Service that is not the substance of a message, including message headers (sender, recipients, subject, date), message snippets (short previews), folder/label structure, thread relationships, timestamps, counts, flags, and read/unread state.
• "Usage Statistics" — telemetry and analytics describing how the Service is accessed and operated, including feature interactions, page and screen views, session and performance data, error and diagnostic data, request logs, and aggregate counts. Usage Statistics are the "stats" referenced in this Policy.
• "Account" — a Nameh user account and its associated credentials and profile.
• "Tenant" / "Organization" — the logical, isolated workspace under which an Account's data is stored and segregated (each query, cache key, storage path, and search document is keyed to a Tenant). A Tenant may belong to an individual or to an Organization customer.
• "Connected Mailbox" — a third‑party email account (e.g., an IMAP/SMTP account) that you authorize Nameh to access on your behalf.
• "Sub‑processor" — a third party engaged by Virentic to process Personal Data in order to provide the Service.
• "Applicable Data Protection Law" — all privacy, data‑protection, and data‑security laws applicable to the processing of Personal Data under this Policy, including, where applicable, the EU and UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and analogous U.S. state and international laws, in each case as amended or superseded.

3. Information we collect

We collect information in three ways: (a) information you (or your Organization) provide; (b) information generated automatically when you use the Service; and (c) information we process on your behalf to operate your mailbox. The specific items below are illustrative of our current Service and may expand as the Service evolves; material changes are governed by Section 18.

3.1 Information you provide

• Account and profile data — name, display name(s), email address used to sign in, password or authentication credentials, the email addresses and display names of the identities/accounts you configure, profile and signature settings, and preferences.
• Connected Mailbox credentials and configuration — server hostnames, ports, usernames, and the passwords or tokens used to connect to your Connected Mailboxes. These are encrypted at rest (see Section 12) and used solely to sync and send mail on your behalf.
• Billing and subscription data — plan tier, subscription status, and billing identifiers. Payment‑card details are collected and processed by our payment Sub‑processor (currently Stripe) and are not stored by Virentic. We receive limited billing metadata (e.g., status, last four digits, plan).
• Support and communications — information you submit when you contact us, request support, report a problem, or respond to surveys, including the contents of those communications.

3.2 Content and Service Metadata we process on your behalf

To provide a unified email client, the Service synchronizes, stores, displays, indexes, searches, and sends:

• Content — message bodies (text and HTML), attachments, draft bodies, and signatures. Content is encrypted at rest under per‑Tenant encryption (see Section 12) and is processed only to provide the Service to you.
• Service Metadata — message headers (from/to/cc, subject, date), short message snippets, thread/conversation structure, folders, labels, categories, flags, read/unread and focus state, and synchronization timestamps. Certain Service Metadata is stored in unencrypted form because the product cannot function without it — for example, headers are required to render message lists and to compute conversation threads, and short snippets and a search index are required to deliver fast list views and search. This is a documented, intentional, and limited design choice; it does not entail any reading, mining, or monetization of your Content.

3.3 Usage Statistics, device, and connection data (the "stats")

When you use the Service, we and our infrastructure providers automatically collect Usage Statistics and technical data, which may include:

• Product interaction — features and screens used, actions taken, navigation, settings changed, and similar interaction events.
• Performance and diagnostics — latency, error and crash events, request success/failure, sync health, and resource metrics.
• Counts and aggregates — for example, number of connected accounts, message and thread counts, sync frequency, and storage consumed.
• Device and connection data — IP address, approximate (IP‑derived) location, browser and operating‑system type and version, device identifiers (including mobile push notification tokens used to deliver notifications), language, and time zone.
• Server and security logs — access logs, audit events, and security telemetry used to operate, secure, and troubleshoot the Service and to detect, prevent, and investigate fraud, abuse, and security incidents.

We collect Usage Statistics about how the Service is used, not about the substance of your messages. Where technically feasible, Usage Statistics are aggregated or pseudonymized.

3.4 Cookies and similar technologies

We and our service providers use cookies, local storage, and similar technologies that are strictly necessary to authenticate sessions, remember preferences, maintain security, and operate the Service. We may also use limited first‑party analytics. We do not use the Service to serve third‑party advertising, and the Service currently integrates no third‑party advertising, ad‑measurement, or cross‑site tracking technologies. If we introduce any non‑essential cookies or analytics in the future, we will provide notice and obtain consent where required by Applicable Data Protection Law. See Section 17 regarding Do‑Not‑Track and Global Privacy Control signals.

3.5 Information from third parties

We may receive information from: your Organization or account administrator (e.g., provisioning, role, and entitlement data); identity providers and single‑sign‑on systems you use to authenticate (e.g., SAML/OIDC assertions); your Connected Mailbox providers (the mail that flows through the Service); our payment, hosting, and infrastructure Sub‑processors; and fraud‑prevention and security sources.

4. The Content‑vs‑Statistics commitment

This Section states a core, durable commitment of the Service and is intended to survive future changes to features and infrastructure:

4.1 We process your Content only to provide the Service to you — to sync, display, organize, search, compose, send, and back up your mail and the related features you enable. We process Content as your processor/service provider acting on your instructions and configuration.

4.2 We do not, and will not, do any of the following with your Content: (a) read or have personnel review the substance of your messages except as strictly necessary to provide the Service, to maintain security and integrity, to comply with law, or where you ask us to (e.g., support); (b) sell or "share" your Content (as those terms are defined under Applicable Data Protection Law); (c) use your Content to serve advertising to you or to anyone else, or to build advertising or marketing profiles; or (d) use your Content to train generative or machine‑learning models for our own commercial purposes, except as expressly described in Section 7 and subject to the controls stated there.

4.3 We do collect Usage Statistics as described in Section 3.3, and we use them as described in Section 5. This is the meaning of "we track usage statistics, not content."

4.4 Sections 4.1–4.3 describe our commitments regarding Content and Usage Statistics; they do not limit Sections 19–21 (disclaimers, limitation of liability, and dispute resolution).

5. How we use information

We use the information described above for the following purposes, each grounded in a legal basis where the GDPR or similar law applies (see Section 6):

• To provide and operate the Service — authenticate you, connect and synchronize your mailboxes, render lists, threads, search, and compose/send mail, deliver notifications, and back up and restore your data.
• To maintain security and integrity — authenticate access, enforce Tenant isolation, detect and prevent fraud, abuse, spam, and unauthorized access, and investigate incidents.
• To support you — respond to requests, provide customer support, and communicate service and security notices.
• To improve, develop, and measure the Service — analyze Usage Statistics to debug, optimize performance, prioritize features, and develop new functionality; create aggregated or de‑identified statistics and benchmarks.
• To bill and administer accounts — manage subscriptions, process payments through our payment Sub‑processor, and prevent payment fraud.
• To comply with law and enforce our rights — meet legal, regulatory, tax, and accounting obligations; respond to lawful requests; and establish, exercise, or defend legal claims.
• For other purposes you consent to at the time of collection.

We do not use Content for the analytics, improvement, profiling, advertising, or model‑training purposes above except strictly as needed to deliver a feature you use, and as limited by Sections 4 and 7.

6. Legal bases for processing (GDPR / UK GDPR)

Where Applicable Data Protection Law requires a legal basis, we rely on one or more of the following:

• Performance of a contract (GDPR Art. 6(1)(b)) — to provide the Service you (or your Organization) requested, including processing Content and Connected Mailbox credentials.
• Legitimate interests (Art. 6(1)(f)) — to secure, maintain, debug, and improve the Service, to collect Usage Statistics, and to prevent fraud and abuse, balanced against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)) — to comply with applicable law.
• Consent (Art. 6(1)(a)) — for any processing that requires it, such as non‑essential cookies/analytics or optional features; you may withdraw consent at any time without affecting prior lawful processing.
• Vital interests / public interest (Art. 6(1)(d)–(e)) — in the rare cases these apply.

Where we act as a processor for an Organization customer (see Section 14), the Organization is responsible for establishing the legal basis for the processing it instructs.

7. Automated, AI, and machine‑assisted features

7.1 The Service may offer optional, separately‑gated features that use automated processing or artificial intelligence (for example, message summarization, smart compose/reply, classification, prioritization, or AI‑assisted search). Where such a feature requires processing the substance of your Content, that processing occurs only when you invoke the feature, only for the Content reasonably necessary to perform it, and only for your Tenant.

7.2 For our current AI features, the inference endpoint is operated within our own trust boundary, the feature is gated by an account/plan entitlement and a platform‑level switch, your Content is not used to train the underlying models, and no Content is retained by the AI feature beyond what is necessary to return the result to you.

7.3 If we ever route Content to a third‑party AI or processing provider, or otherwise materially change how these features handle Content, we will update this Policy, identify the provider as a Sub‑processor (Section 9), and, where required, obtain your consent and provide opt‑in/opt‑out controls before doing so.

7.4 To the extent any feature involves solely automated decision‑making producing legal or similarly significant effects, you have the rights described in Section 13, including the right to obtain human review.

8. How we disclose information

We do not sell your Personal Information. We disclose information only as described below:

• Sub‑processors and service providers — to vendors that perform services for us (hosting and cloud infrastructure, storage, database and search, email delivery and notifications, payment processing, error monitoring, and customer support), bound by contract to process Personal Data only on our instructions, to protect it, and not to use it for their own purposes. See Section 9.
• Within your Organization — if you access the Service through an Organization, your account administrators may access, provision, restrict, export, or delete data associated with your Account within that Tenant, and may have visibility into account‑level and Usage Statistics, consistent with their internal policies. See Section 14.
• Connected services you authorize — to the mail servers and integrations you connect, in order to sync and send your mail at your direction.
• Legal, safety, and compliance — to comply with applicable law, regulation, legal process, or enforceable governmental request; to enforce our Terms and policies; to detect, prevent, or address fraud, security, or technical issues; and to protect the rights, property, or safety of Virentic, our users, or the public.
• Business transfers — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, in which case Personal Data may be transferred subject to this Policy and applicable law; we will notify you of any change in ownership or use of your Personal Data, and of any choices you may have.
• Aggregated or de‑identified data — we may create and disclose aggregated or de‑identified information that cannot reasonably be used to identify you, for any lawful purpose; we will not attempt to re‑identify such data except to test de‑identification.
• With your consent — for any other disclosure you direct or authorize.

9. Sub‑processors

We engage Sub‑processors to provide the Service. The categories currently include: cloud hosting and compute infrastructure; object storage; database and search infrastructure; email and push‑notification delivery; payment processing (currently Stripe); and error/performance monitoring and logging. We maintain a current list of Sub‑processors available on request and, where required, will provide a mechanism to receive notice of, and object to, material changes to that list. We require each Sub‑processor, by written contract, to provide at least the level of data protection required by Applicable Data Protection Law and this Policy.

10. International data transfers

The Service and our Sub‑processors may store and process Personal Data in countries other than the one in which you reside, including the United States. Where we transfer Personal Data from the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions with cross‑border transfer restrictions, we rely on a lawful transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum/IDTA where applicable), supplementary measures as needed, or an applicable adequacy decision or certification. You may request information about these mechanisms using the contact details in Section 22.

11. Data retention

11.1 We retain Personal Data for as long as needed to provide the Service to you and your Tenant, and thereafter as necessary to comply with our legal obligations, resolve disputes, prevent fraud and abuse, and enforce our agreements.

11.2 Account and Content data is retained for the life of your Account and is deleted or de‑identified within a commercially reasonable period after account or Tenant deletion, subject to backup‑rotation cycles and legal‑hold requirements. Usage Statistics, logs, and security telemetry are retained for shorter, rolling periods consistent with operational and security needs.

11.3 You (or, for Organization Tenants, your administrator) may request deletion of your Account and associated data as described in Section 13. Residual copies may persist in encrypted backups for a limited period before being overwritten in the ordinary course.

12. Security

12.1 We implement administrative, technical, and organizational measures designed to protect Personal Data appropriate to its sensitivity, including:

• Encryption in transit (TLS) and encryption at rest of Content and credentials. Connected Mailbox passwords, message bodies (text and HTML), attachments, draft bodies, and signatures are encrypted at rest using authenticated encryption (AES‑256‑GCM) under a per‑Tenant data‑encryption key, itself wrapped by a platform key‑encryption key; cryptographic binding to the Tenant prevents data from being read across Tenants.
• Strict Tenant isolation — every query, cache key, storage path, and search document is keyed to a Tenant, with database‑level row isolation enforced as defense in depth.
• Access controls and least privilege, audit logging, secret management (keys and tokens are not logged), and monitoring.

12.2 As described in Section 3.2, a limited set of Service Metadata (headers, short snippets, and the search index) is stored unencrypted because the product requires it to function; this is a documented and intentional design decision.

12.3 No method of transmission or storage is perfectly secure. While we strive to protect your Personal Data, we cannot and do not guarantee absolute security, and you provide information at your own risk. If we become aware of a personal‑data breach affecting you, we will notify you and the relevant authorities as required by Applicable Data Protection Law.

13. Your privacy rights and choices

Depending on where you live and the role in which we process your data, you may have some or all of the following rights. We honor rights granted by Applicable Data Protection Law.

13.1 Rights under the GDPR / UK GDPR and similar laws

• Access to your Personal Data and information about its processing.
• Rectification of inaccurate or incomplete data.
• Erasure ("right to be forgotten") in certain circumstances.
• Restriction of, or objection to, certain processing (including processing based on legitimate interests, and direct‑marketing).
• Data portability — to receive certain data in a structured, commonly used, machine‑readable format.
• Withdrawal of consent at any time, where processing is based on consent.
• Not to be subject to solely automated decision‑making with legal or similarly significant effects, and to obtain human review (see Section 7).
• The right to lodge a complaint with your supervisory authority.

13.2 California rights (CCPA/CPRA)

California residents have the rights to know/access, delete, correct, and to opt out of the "sale" or "sharing" of Personal Information, and the right not to be subject to discrimination for exercising these rights. We do not sell or share Personal Information, and we do not use or disclose sensitive Personal Information beyond the purposes permitted under the CCPA. We honor opt‑out preference signals (e.g., Global Privacy Control) where required. You may also designate an authorized agent to act on your behalf.

13.3 Other U.S. state rights

Residents of other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Utah, and others as enacted) may have rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and certain profiling. We honor these rights to the extent they apply.

13.4 How to exercise your rights

Submit a request using the contact details in Section 22 or any in‑Service controls we provide (including in‑application account/data deletion where offered). We will verify your identity before responding and will respond within the timeframes required by law. There is generally no fee, though we may charge a reasonable fee or decline manifestly unfounded or excessive requests as permitted by law. If you access the Service through an Organization, please direct your request to that Organization; for data we process on its behalf, we will refer your request to it and assist as its processor (see Section 14).

14. Roles for Organization (business) customers

14.1 Where an Organization, employer, or administrator provisions the Service to you, that Organization is the controller (or "business") with respect to the Account, Content, and related data within its Tenant, and Virentic acts as the processor/service provider, handling such data on the Organization's documented instructions and under the applicable customer agreement and/or Data Processing Addendum.

14.2 In that role, the Organization is responsible for the lawfulness of its instructions, for providing required notices to and obtaining consents from its users, and for responding to its users' data‑subject requests. Administrators may access, export, restrict, or delete data within their Tenant. Questions about an Organization's own privacy practices should be directed to that Organization.

14.3 Where Virentic acts as a controller in its own right (for example, for billing, security, fraud‑prevention, and Service improvement using Usage Statistics), this Policy governs.

15. Children's privacy

The Service is intended for use by adults and is not directed to children under the age of 16 (or the higher minimum age required in your jurisdiction). We do not knowingly collect Personal Data from children. If you believe a child has provided us Personal Data, please contact us and we will take appropriate steps to delete it.

16. Third‑party services and links

The Service interoperates with third‑party mail servers, identity providers, and other services you choose to connect, and may contain links to third‑party websites. We are not responsible for the privacy practices, content, or security of any third party. Your use of those services is governed by their own terms and privacy policies, and we encourage you to review them.

17. Do‑Not‑Track and preference signals

Some browsers transmit "Do‑Not‑Track" (DNT) signals. Because there is no common industry standard for DNT, the Service does not currently respond to DNT signals. Where required by Applicable Data Protection Law, we treat recognized opt‑out preference signals (such as Global Privacy Control) as a valid request to opt out of sale/sharing for the applicable browser or device.

18. Changes to this Policy

We may update this Policy from time to time to reflect changes in the Service, our practices, or the law. When we make changes, we will revise the "Last updated" date and, for material changes, provide additional notice as required (for example, by email, in‑Service notice, or a prominent notice on our website) and, where required, obtain your consent. Your continued use of the Service after an update takes effect constitutes your acceptance of the revised Policy, except where a new or expanded use of previously collected Personal Data requires your consent, in which case we will obtain it before that use.

19. Disclaimers; no responsibility for misuse; limitation of liability

19.1 "As is." To the maximum extent permitted by applicable law, the Service and all information, content, and materials provided through it are provided "AS IS" and "AS AVAILABLE," without warranties of any kind, whether express, implied, statutory, or otherwise, including any implied warranties of merchantability, fitness for a particular purpose, title, non‑infringement, accuracy, and any warranties arising from course of dealing or usage of trade. Virentic does not warrant that the Service will be uninterrupted, timely, secure, error‑free, or free of harmful components, or that data will not be lost or corrupted.

19.2 No responsibility for misuse. To the maximum extent permitted by applicable law, Virentic LLC is not responsible or liable for any misuse of the Service or of any data accessible through it, including: (a) your use of the Service in violation of the Terms, this Policy, or applicable law; (b) the acts or omissions of any user, account administrator, Organization, third‑party mail provider, identity provider, integration, or other third party; (c) unauthorized access to, or use, alteration, interception, or disclosure of, your Content, credentials, or account resulting from compromised devices, credentials, networks, or third‑party services not within Virentic's reasonable control; (d) the content of any message sent, received, stored, or synchronized through the Service; or (e) any consequence of features you choose to enable, including automated or AI‑assisted features. You are responsible for your use of the Service, for safeguarding your credentials and devices, and for your compliance with all laws applicable to the messages and data you process through the Service.

19.3 Exclusion of certain damages. To the maximum extent permitted by applicable law, in no event will Virentic LLC or its officers, members, employees, agents, suppliers, or licensors be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of profits, revenue, goodwill, data, or business, arising out of or relating to the Service or this Policy, whether based on warranty, contract, tort (including negligence), strict liability, statute, or any other legal theory, and whether or not Virentic has been advised of the possibility of such damages, even if a limited remedy is found to have failed of its essential purpose.

19.4 Aggregate cap. To the maximum extent permitted by applicable law, Virentic's total aggregate liability arising out of or relating to the Service or this Policy will not exceed the greater of (a) the total amounts you paid to Virentic for the Service during the twelve (12) months immediately preceding the event giving rise to the claim, or (b) one hundred U.S. dollars (US$100).

19.5 Carve‑outs. Nothing in this Section limits or excludes any liability that cannot be limited or excluded under applicable law, including, where applicable, liability for fraud, for death or personal injury caused by negligence, or any non‑waivable statutory rights you have under Applicable Data Protection Law or consumer‑protection law. The limitations in this Section apply to the fullest extent permitted by the law of your jurisdiction; if your jurisdiction does not allow certain limitations, those limitations apply to you only to the extent permitted.

20. Dispute resolution; binding arbitration; class‑action and jury‑trial waiver

PLEASE READ THIS SECTION CAREFULLY. IT AFFECTS YOUR LEGAL RIGHTS, INCLUDING YOUR RIGHT TO FILE A LAWSUIT IN COURT, TO HAVE A JURY DECIDE YOUR CLAIMS, AND TO PARTICIPATE IN A CLASS OR REPRESENTATIVE ACTION. IT REQUIRES YOU AND VIRENTIC TO RESOLVE MOST DISPUTES THROUGH FINAL AND BINDING INDIVIDUAL ARBITRATION.

20.1 Agreement to arbitrate. Except for the Excluded Claims in Section 20.7, you and Virentic LLC agree that any dispute, claim, or controversy arising out of or relating to this Policy, the Terms, or the Service — whether based in contract, tort, statute, fraud, misrepresentation, or any other legal theory, and whether arising before or after the effective date of this Policy — will be resolved exclusively by final and binding individual arbitration, and not in a court of law, except as provided below.

20.2 Waiver of court and jury trial. You and Virentic each knowingly, voluntarily, and irrevocably waive the right to sue in court and the right to a trial by jury, and agree instead to bring all covered disputes in arbitration on an individual basis, except for the Excluded Claims and as otherwise provided in this Section.

20.3 Class‑action and representative‑action waiver. You and Virentic agree that each may bring claims against the other only in your or its individual capacity, and not as a plaintiff or class member in any purported class, collective, consolidated, private‑attorney‑general, or other representative proceeding. The arbitrator may not consolidate more than one person's claims and may not preside over any form of representative or class proceeding. If this Section 20.3 is found unenforceable as to a particular claim or request for relief, then that claim or request shall be severed and brought in a court of competent jurisdiction, but the remainder of this Section 20 shall continue to apply in arbitration. This Section 20.3 is a material part of the agreement to arbitrate; if it is found wholly unenforceable, then the entire agreement to arbitrate in this Section 20 shall be null and void.

20.4 Federal Arbitration Act; rules and administrator. This Section 20 evidences a transaction involving interstate commerce, and the Federal Arbitration Act (9 U.S.C. §§ 1 et seq.) governs the interpretation and enforcement of this arbitration agreement. The arbitration will be administered by the American Arbitration Association ("AAA") under its Consumer Arbitration Rules (or, for non‑consumer disputes, its Commercial Arbitration Rules), as then in effect, except as modified by this Policy. The AAA rules are available at adr.org. If the AAA is unavailable or unwilling to administer the arbitration consistent with this Section, the parties will mutually select another established arbitration administrator.

20.5 Arbitration procedure. The arbitration will be conducted by a single neutral arbitrator. The seat and venue of the arbitration will be [COUNTY, STATE OF GOVERNING LAW], provided that, if you are a consumer, the arbitrator may permit you to participate by telephone or video, or may hold the hearing in the county of your residence, as the applicable rules allow. The arbitrator will apply the governing law identified in Section 21 and will have authority to award any individual remedy available in a court. The arbitrator's award is final and binding, and judgment on the award may be entered in any court of competent jurisdiction.

20.6 Informal resolution first; notice of dispute. Before initiating arbitration, the claiming party must first send the other a written Notice of Dispute describing the claim and the relief sought (to Virentic at the address in Section 22, and to you at your account email). You and Virentic agree to attempt in good faith to resolve the dispute informally for at least sixty (60) days after the Notice is received. If the dispute is not resolved within that period, either party may commence arbitration. This informal‑resolution requirement is a condition precedent to arbitration, and any applicable limitations period and arbitration fee deadlines are tolled during it.

20.7 Excluded claims. Notwithstanding the above, either party may: (a) bring an individual action in small‑claims court for disputes within that court's jurisdiction; (b) seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of intellectual‑property or confidentiality rights; and (c) bring any claim that, by law, cannot be subject to mandatory pre‑dispute arbitration. Exercising the small‑claims or equitable‑relief options does not waive the agreement to arbitrate other claims.

20.8 Costs and fees. Payment of filing, administration, and arbitrator fees will be governed by the applicable AAA rules, except that Virentic will pay or reimburse fees to the extent required by those rules or applicable law to make this arbitration agreement enforceable. Each party otherwise bears its own attorneys' fees and costs, except where a statute or the arbitrator's award provides otherwise.

20.9 Right to opt out of arbitration. You may opt out of this Section 20 (Sections 20.1–20.8) by sending written notice within thirty (30) days of first accepting this Policy (or of this Section first applying to you), to [arbitration‑[email protected] / VIRENTIC LLC, ATTN: Legal, ADDRESS], stating your name, the email associated with your Account, and a clear statement that you wish to opt out of arbitration. Opting out of arbitration will not affect any other provision of this Policy or the Terms, and is the only way to opt out; it has no effect on any prior or separately‑agreed arbitration agreement.

20.10 Survival and severability. This Section 20 survives termination of your Account and of your use of the Service. Except as stated in Section 20.3, if any portion of this Section is found unenforceable, the remainder will continue in effect.

21. Governing law and venue

This Policy and any dispute arising out of or relating to it or the Service are governed by the laws of the State of [GOVERNING LAW STATE], United States, without regard to its conflict‑of‑laws rules, and, for arbitrable matters, by the Federal Arbitration Act. Subject to Section 20 (arbitration), and solely for Excluded Claims or where arbitration does not apply, the parties consent to the exclusive jurisdiction and venue of the state and federal courts located in [COUNTY, STATE], and waive any objection to such venue. The United Nations Convention on Contracts for the International Sale of Goods does not apply. Nothing in this Section deprives you of any protection of the mandatory consumer‑protection or data‑protection law of your place of residence that cannot be derogated from by agreement.

22. How to contact us

Virentic LLC

[VIRENTIC LLC MAILING ADDRESS]

Privacy / data‑subject requests: [email protected]

Legal / arbitration notices: [email protected]

Data Protection Officer / Privacy Contact: [name or role, if appointed]

EU/UK Representative (Art. 27 GDPR), if appointed: [name and address]

If you have an unresolved privacy concern that we have not addressed satisfactorily, you may have the right to contact your local data‑protection or consumer‑protection authority.