Vooli
Privacy policy
Last updated: May 16, 2026 · Effective: May 16, 2026
Summary in plain English at the bottom. This page is the long version.
1. Who we are
Vooli is operated by Vooli LLC, a Tennessee limited liability company. For the purposes of GDPR / UK GDPR, Vooli LLC is the data controller of the personal data described in this policy.
Contact for privacy questions: support@vooli.app. We do not have a designated Data Protection Officer (we are too small to require one under GDPR Article 37); privacy requests route to the same address and a human answers them.
2. What we collect
Vooli is a single-user productivity app. The information we collect is the minimum required to make the app work for you:
- Email address. Used for sign-in, password reset, and important service notices. Stored in Supabase’s auth tables.
- Password (hashed). Stored as a bcrypt hash via Supabase Auth. We never see your plaintext password.
- Your content. The tasks, lanes, routines, habits, milestones, automations, focus sessions, and notes you create inside the app.
- Completion timestamps. When you mark something done, the time you did so. Used to compute your own streaks and patterns.
- Device push token. An Apple-issued identifier that lets us deliver the notifications you ask the app to send. Not used for any other purpose. Removed when you uninstall the app or revoke notification permission.
- Local timezone. Your device’s IANA timezone (e.g.
America/Chicago) so daily reminders fire at the right local time. - Subscription tier flag. A single column (“free” or “pro”) reflecting your current entitlement. When in-app purchases ship, this is updated by RevenueCat receipts; today every account is free.
What we do NOT collect: We do not run third-party analytics (no Google Analytics, no Mixpanel, no Amplitude, no Segment). We do not use advertising or tracking SDKs. The app does not request App Tracking Transparency permission because we have nothing to track across other apps and websites. We do not collect device location or contacts. The app reads your accessibility preferences locally (Reduce Motion, Reduce Transparency, Increase Contrast) but never transmits these.
Camera, Photos, Microphone: Three system permissions Vooli can ask for. None of the data they touch leaves your device.
- Camera. Only when you tap Scan list. The system document scanner (Apple VisionKit) captures a page; on-device text recognition (Google ML Kit running locally) reads it; we keep only the parsed text lines. The image bytes never enter our servers and never enter Supabase. The captured page is deleted from our temporary storage as soon as OCR finishes.
- Photos. Write-only. When you scan a list, we save the captured page to your own Photos library so you can throw the paper copy away. We never read from your photo library. You can deny this permission and the scan still works; we just skip the Photos save.
- Microphone.Vooli does not request microphone access directly. The “Hey Siri, add to Vooli” voice path is Siri itself (an Apple service) processing your speech; Vooli receives only the final text string and the lane you picked. We never see audio.
Shared content (Share Sheet, Siri, widgets): When you use the Share Sheet to send a page title or URL to Vooli, or dictate a task to Siri, or tap the QuickAdd lock-screen widget, only the resultingtext lands in your Stack. URLs are stored verbatim as the task title; we do not fetch or preview the linked page on our servers.
Crash diagnostics: iOS may send Apple anonymous crash logs from any app if you opted into Share with App Developers in your device settings. We see only what Apple shares; nothing in those reports is linked to your Vooli account.
3. Why we process it (lawful basis)
Under EU and UK GDPR, every processing activity needs a named lawful basis. Ours:
- Performance of a contract (Article 6(1)(b)). Storing your tasks, sending your reminders, and showing you your patterns are core to the service you signed up for. We cannot deliver Vooli without these.
- Legitimate interests (Article 6(1)(f)). Operating reasonable security measures (rate limiting, abuse logs, the one-row hash audit on deletion) and preventing fraudulent sign-ups. We have balanced these against your rights and conclude they do not override your interests.
- Consent (Article 6(1)(a)). Push notifications fire only after you grant iOS notification permission. You can revoke this at any time in iOS Settings → Notifications → Vooli.
4. Where it's stored
Your data lives on Supabase (PostgreSQL hosted on AWS) in the US East (Ohio) region, behind row-level security so only your own account can read or write it. Auth tokens persist on your device in the iOS Keychain (not on our servers in plaintext beyond the standard Supabase auth tables).
Push notifications are delivered through Apple’s Push Notification Service (APNs). Your push token never leaves our database except to be sent to Apple at delivery time.
6. Retention
We keep your data for as long as your account is active. On account deletion, every row tied to your profile is permanently removed via database cascade the same day you request deletion. We retain a one-row hash-only audit (SHA-256 of your lowercased email plus the deletion timestamp) indefinitely for abuse prevention; that record contains no recoverable personal information. Operational logs (errors, deploys, performance) are kept for 30 days and contain no end-user content.
7. International data transfers
Our infrastructure is in the United States. If you live outside the US (in particular, in the EU, UK, or Switzerland), accessing Vooli involves transferring your data to a US-based controller. We rely on the European Commission’s Standard Contractual Clauses (Module 1, controller-to-controller, where applicable between Vooli LLC and our sub-processors) and the EU-US Data Privacy Framework (where the sub-processor is certified) as our transfer safeguard. Email us if you want a copy of the SCCs in force.
8. Your rights (GDPR, UK GDPR, CCPA, state laws)
Account deletion. Open the app → Account → Danger → Delete account. Two-step confirm. Your account and every row tied to it are permanently removed via cascade.
Data export. Email support@vooli.app and we’ll send you a JSON export of everything tied to your account within 30 days (free of charge for the first request per calendar year, as required by GDPR Article 12(5)).
EU and UK residents (GDPR / UK GDPR). You have the right to:
- Access your data (Article 15): request a copy of what we hold.
- Rectify inaccurate data (Article 16): correct anything wrong.
- Erase your data (Article 17): the “right to be forgotten.”
- Restrict processing (Article 18): ask us to pause processing while a complaint is open.
- Data portability (Article 20): receive your data in a machine-readable format (the JSON export above).
- Object to processing (Article 21): particularly processing based on legitimate interests.
- Withdraw consent (Article 7): at any time, with no effect on prior processing.
- Lodge a complaint with your supervisory authority. EU residents: see the EDPB members list. UK residents: the ICO. We hope you contact us first so we can fix it.
California residents (CCPA / CPRA). You have the right to know what we collect (see section 2), the right to delete, the right to correct, the right to limit use of sensitive personal information (we do not collect sensitive PI as defined under CPRA), and the right to non-discrimination for exercising any of the above. We do not sell or share personal information for cross-context behavioral advertising. We have not done so in the prior 12 months and have no plans to.
Other US state privacy laws (CO, CT, VA, UT, TX, OR, MT, DE, IA, NJ). You have analogous rights to access, delete, correct, and port your data, and the right to opt out of targeted advertising. Same email contact above; we treat all US state requests under the highest applicable standard.
9. Children (COPPA)
Vooli is intended for users aged 13 and older (16 and older in the European Economic Area). We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). The App Store age rating is 12+.
We do not have an age-gate at sign-up because we do not market to children, do not include child-directed content, and do not collect any data category COPPA treats as sensitive. If we learn that we have collected personal information from a child under 13 (or under 16 in the EEA) without verified parental consent, we will delete that information promptly. Parents who believe their child has provided us with personal information should email support@vooli.app and we will delete the account immediately on verification of the parent-child relationship.
10. Security
We use industry-standard practices: encrypted-in-transit connections (TLS 1.2+), encrypted-at-rest database storage on Supabase (AES-256), row-level security on every user-data table, short-lived access tokens, parameterized queries to prevent SQL injection, and a security review on every release. No system is impervious; we cannot guarantee absolute security but we work hard to keep your data safe and will notify affected users within 72 hours of confirming a breach that puts their personal data at risk (GDPR Article 33 timing, applied globally).
11. Accessibility
We aim to meet WCAG 2.1 AA on both this website and the Vooli iOS app. The website supports keyboard navigation, screen readers, Reduce Motion, dark mode, and 200% zoom without horizontal scroll. The iOS app supports VoiceOver, Dynamic Type, Reduce Motion, Reduce Transparency, and Increase Contrast via system settings.
If you hit an accessibility barrier, email support@vooli.app and we will fix it as a priority. We treat accessibility defects as functional bugs, not aesthetic preferences.
12. Changes
If we make material changes to this policy we’ll update the “Last updated” date at the top, email anyone with an active account, and require re-consent at next sign-in if the change is material to processing.
13. Contact
Privacy or data-rights questions: support@vooli.app. Mailing address available on written request.
Summary in plain English
- We collect what we need to make the app work. Nothing else.
- No analytics. No ads. No tracking SDKs. Ever.
- Your data lives on Supabase in the US. Sub-processors: Supabase, Vercel, Apple, Expo.
- Delete your account in-app any time. We keep a hash of your email so you can’t sneak back as the same spammer.
- EU / UK / California / other state-law residents: full rights (access, delete, port, correct, object). Email us and we’ll honor it.
- Vooli is for users 13+ (16+ in the EU). We do not knowingly accept kids.
- We aim for WCAG 2.1 AA. Tell us if we missed.