Privacy Policy

Last updated: May 21, 2026  ·  Version 1.1.9

This Privacy Policy explains how Alphabyte LLC, doing business as Vouchlist ("Vouchlist," "we," "us," or "our"), collects, uses, discloses, and protects information about you when you use the Vouchlist mobile application (the "App"), the marketing site at vouchlist.app, and any related services, features, content, APIs, edge functions, or push notifications we provide (collectively, the "Service"). It applies to all users of the Service in the United States.

By creating an account or otherwise using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. Information We Collect

We collect information in three ways: (a) information you provide directly, (b) information generated when you use the Service, and (c) information we receive from third parties that help us operate the Service.

1.1 Account and Profile Information. When you sign up, we collect your mobile phone number, which we use to send a one-time SMS verification code (passwordless OTP authentication). Once verified, we also collect the name (first and last) and optional profile photo you provide during profile setup. We record a timestamp confirming you have stated you are at least eighteen (18) years old.

1.2 Location Information. Vouchlist is a location-aware product. During onboarding you are asked to set a home city, which we store on your profile. You may set it in one of two ways:

• Manual entry (city, state, or zip code), in which case we store only the city-level text you typed and, where useful, approximate latitude/longitude derived from that text via our geocoding processor.
• Device GPS, with your explicit OS-level permission. We may use precise device coordinates to reverse-geocode a city label and to sort Discover results by approximate distance. We request "While Using the App" location authorization and do not run background location tracking.

When you add a professional, restaurant, or destination as a listing, we may store the latitude and longitude of that listing (not your device location) so other users in your circles can sort it by distance. You can change or remove your stored location at any time from in-app settings.

1.3 Contacts and Contact Matching. If you choose to use the contact-matching feature, the App requests permission to read your device address book. We use the phone numbers in your contacts only to:

• normalize each phone number to E.164 format on your device;
• send the normalized numbers in batches to our backend, which returns (a) matches for numbers already associated with a Vouchlist account and (b) one-way SHA-256 hashes computed server-side using a private salt;
• store, in a "friends" record on your account, the contact's display name, the salted hash of their phone number, and (if matched) the Vouchlist user ID of the contact.

We do not persist your full device address book on our servers, and we do not store plaintext phone numbers of your contacts in the "friends" table — only their salted hashes. Plaintext phone numbers transit our backend transiently to compute matches and hashes. Because the hash uses a private salt, hashed values cannot be meaningfully reversed back to phone numbers without that salt. You can revoke contacts permission in your device settings at any time; doing so will stop future syncs but does not automatically delete records already in your "friends" list (you can delete those from the App or by deleting your account).

1.4 User Content. When you use the Service, you create content including: professional/business listings (home services and other categories), dining and travel destination listings, vouches (your star rating, free-text notes, and selected relationship context such as "used their services" or "personal contact"), saved/bookmarked items, circle names, photos you upload (profile photo, listing cover images), and messages or feedback you send us. We store this content on your behalf to operate the features you use.

1.5 Push Notification Tokens. If you enable notifications, we collect an Expo push token issued by Expo's notification service, which in turn is backed by Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android. We store this token alongside your account so we can send you notifications about activity in your circles (for example, a new vouch on a pro you added, or a friend joining the App). You can disable push notifications in your device settings or in the App's notifications screen.

1.6 Camera and Photo Library. The App accesses your camera and photo library only when you affirmatively choose to upload an image (such as a profile photo or listing cover). We do not access these sources in the background.

1.7 Device and Usage Data. When you use the App we automatically collect standard mobile telemetry, including IP address, device model and operating system, app version, language, timezone, crash reports and diagnostic logs, and aggregate event data such as which screens you view, which features you interact with, the approximate length of search queries (we do not log the literal query strings as event payloads), and timestamps. This data helps us debug issues, measure feature usage, and improve the product.

1.8 Information from Service Providers. Our authentication, hosting, analytics, push, and geocoding providers (see Section 4) may relay technical metadata to us — for example, OTP delivery status, push delivery receipts, or geocoding results — in order to operate their portions of the Service.

2. How We Use Information

We use the information described above for the following purposes:

• Provide the Service. Verify your identity by SMS; create and maintain your profile; render circles, vouches, and discovery feeds; deliver push notifications; and operate the dining and travel features added in version 1.1 of the App.
• Match you with people you already know. Use salted contact hashes to identify which of your contacts are already on Vouchlist and to power circle invites.
• Sort and surface local content. Use city-level or precise location to order Discover results by approximate distance and to filter listings to your area.
• Safety, trust, and abuse prevention. Detect spam, fraud, harassment, scraping, fake listings, and other violations of our Terms; investigate reports submitted via the in-app Report flow; and enforce account-level restrictions.
• Product analytics and improvement. Understand which features are used, identify bugs, and prioritize improvements.
• Communications. Respond to your support requests, send service-related messages (e.g., security or policy notices), and — only if you opt in — send optional product update emails.
• Legal and compliance. Meet our legal obligations and exercise or defend our legal rights.

3. How We Share Information

3.1 Other Users. Vouchlist is fundamentally a social/contact-graph product. Certain information is visible to other users by design:

• Your name, profile photo, and any listings, vouches, and circle memberships you create are visible to other members of the circles you share with them.
• When you add a listing (a pro, restaurant, or destination) and publish it to one or more circles, members of those circles can see the listing, including any coordinates you attached and any notes or photos you added.
• When another user has your phone number in their contacts and syncs contacts, our backend will indicate to them (via salted-hash match) that you are on Vouchlist; this is how friend discovery works.

3.2 Service Providers and Processors. We share limited data with third-party vendors that process information on our behalf, under contracts that restrict their use of that data:

• Supabase — primary database, authentication (including SMS OTP via Supabase Auth), file storage (avatars and listing images), realtime channels, and edge functions. Hosts substantially all account, listing, vouch, and friend-record data.
• PostHog — product analytics. Receives event names, screen views, anonymized usage signals, your user ID, device type, OS, and IP address.
• LocationIQ — geocoding and reverse geocoding, accessed through our edge function. Receives the search text or coordinates needed to return a place result. We do not send your account identifiers with these requests.
• Expo Application Services (EAS) and Expo Push Notifications — builds, over-the-air updates, and push delivery. The Expo push service receives push tokens and notification payloads.
• Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) — platform-level delivery of push notifications to your device.
• An SMS gateway (via Supabase Auth) — delivery of one-time login codes to your phone number.

Each of these providers has its own privacy practices. We encourage you to review them: Supabase (supabase.com/privacy), PostHog (posthog.com/privacy), LocationIQ (locationiq.com/legal/privacy), Expo (expo.dev/privacy), Apple (apple.com/legal/privacy), and Google (policies.google.com/privacy).

3.3 Legal, Safety, and Compliance. We may disclose information if we believe in good faith that disclosure is necessary to (a) comply with applicable law, legal process, or a lawful government request, including subpoenas and court orders; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of Vouchlist, our users, or others; or (d) prevent or investigate fraud, security incidents, or violations of our policies.

3.4 Corporate Transactions. If Vouchlist is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information about you may be transferred to a successor or affiliate as part of that transaction. We will require the recipient to honor the commitments in this Privacy Policy or provide notice of any material changes.

3.5 Sale of Personal Information; "Sharing" for Cross-Context Behavioral Advertising. We currently do not sell your personal information in exchange for monetary or other valuable consideration, and we currently do not "share" your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), and similar U.S. state privacy laws. We also currently do not knowingly sell or share the personal information of any consumer under the age of sixteen (16).

These are statements about our current practices, not perpetual commitments. If our practices change — for example, if we introduce advertising features, partnerships, or business models that would constitute a "sale" or "sharing" of personal information under applicable law — we will update this Privacy Policy, post a conspicuous in-app notice, provide an opt-out mechanism where required, and, to the extent legally required, obtain your opt-in consent before any such sale or sharing takes effect.

4. Third-Party Processors We Use

To help you evaluate our data handling, here is the current, complete list of subprocessors that materially handle user data on our behalf. We may update this list as our infrastructure evolves and will reflect changes in this section.

• Supabase, Inc. — auth, database, storage, realtime, edge functions (United States).
• PostHog, Inc. — product analytics (United States).
• LocationIQ (Unwired Labs) — geocoding and reverse geocoding.
• Expo / 650 Industries, Inc. — builds, OTA updates, push notification routing (United States).
• Apple Inc. — Apple Push Notification service (iOS delivery).
• Google LLC — Firebase Cloud Messaging (Android delivery).
• An SMS provider configured through Supabase Auth — delivery of one-time SMS login codes.

5. Data Retention

We retain personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account data (phone number, name, profile photo, age-confirmation timestamp, onboarding flags) is retained until you delete your account.
• Listings, vouches, photos, and saved items are retained until you delete them in the App, until the listing is removed by us or by another user with appropriate permissions, or until you delete your account.
• Salted contact-hash records are retained while the corresponding contact remains relevant to your friend graph; you can remove them by removing the friend in-app or by deleting your account.
• Push tokens are retained while they remain valid; tokens that the push services report as invalid are pruned.
• Analytics and diagnostic logs are retained for a rolling period (currently up to twenty-four (24) months) and then deleted or aggregated.
• Backups may persist deleted data for a limited additional period (typically up to thirty (30) days) until backup rotation completes.

We may retain limited information longer where necessary to comply with legal obligations, resolve disputes, prevent fraud or abuse, or enforce our agreements.

6. Your Rights and Choices

Depending on where you live, you may have the following rights with respect to your personal information. We honor these rights regardless of whether they are technically required to be extended to you.

• Access / Know. Request confirmation of whether we process information about you and a copy of that information.
• Correction. Ask us to correct inaccurate personal information. You can edit your name, photo, location, listings, and vouches directly in the App.
• Deletion. Delete your account at any time from Profile → Settings → Delete Account. Account deletion removes your profile, your authored vouches, your listings (subject to limited exceptions for content already shared into other users' circles), your saved items, your friends list, and your push tokens.
• Opt-out of marketing. You can disable push notifications in your device settings or the App. We do not currently send marketing email.
• Opt-out of "sale" or "sharing." As stated in Section 3.5, we do not currently sell or share personal information. If that changes, we will provide an in-product opt-out and honor recognized opt-out preference signals such as the Global Privacy Control (GPC) where required.
• Limit use of precise location. You can use the App with manual city entry only, or revoke location permission in your device settings.
• Portability. Where required by law, request a copy of your personal information in a portable, machine-readable format.
• Withdraw consent. Where we rely on consent (e.g., contacts permission, precise location), you may withdraw it at any time without affecting the lawfulness of prior processing.
• Non-discrimination and appeal. We will not discriminate against you for exercising your privacy rights. If we deny a request, you may appeal by replying to our response or emailing the address in Section 12.

To submit a rights request that you cannot complete in the App, email us at support@vouchlist.app. We may need to verify your identity (for example, by sending a verification code to the phone number associated with your account) before fulfilling the request.

7. California-Specific Disclosures

This section provides additional information for California residents under the CCPA. In the twelve (12) months preceding the "Last updated" date, we have collected the following categories of personal information: identifiers (phone number, account ID, device identifiers, IP address); customer records (name, profile photo); commercial information (none, beyond record of features used); internet or other electronic network activity information (app usage, event analytics); geolocation data (city-level location and, with your permission, precise location); audio/visual information (photos you upload); inferences (limited inferences used to sort and recommend listings); and sensitive personal information limited to precise geolocation (only when you permit it). We collected these categories from the sources, used them for the business purposes, and disclosed them to the categories of third parties described in Sections 1–4.

We have not sold or "shared" personal information, and have not used or disclosed sensitive personal information for purposes other than those permitted under the CCPA without a separate right to limit. You may, however, request that we limit our use of your precise geolocation to that which is necessary to perform the Service; you can do this by using manual location entry or revoking location permission. To exercise California rights, contact us using the methods in Section 6.

8. Children's Privacy

The Service is intended for adults. The App presents an in-app age gate requiring users to affirm they are at least eighteen (18) years old (or the age of majority in their jurisdiction, if higher) before completing onboarding. The Service is not directed to children under thirteen (13), and we do not knowingly collect personal information from children under thirteen (13). If we learn that we have collected personal information from a child under thirteen (13), we will delete it as required by the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@vouchlist.app.

Child Safety (CSAE). Vouchlist has a zero-tolerance policy toward child sexual abuse and exploitation. Apparent child sexual abuse material (CSAM) discovered on the Service is reported to the National Center for Missing & Exploited Children (NCMEC) as required by law, and offending accounts are terminated. Users can report concerns in-app via the Report control on any profile or by emailing support@vouchlist.app with the subject line "Child Safety Report."

9. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit (TLS) for traffic between the App and our backend; storage of session tokens on-device in the operating system's secure storage; salted SHA-256 hashing of contact phone numbers stored in our database; passwordless authentication via one-time SMS codes; and access controls and row-level security policies on our backend.

However, no system can be guaranteed to be 100% secure. You are responsible for safeguarding access to the phone number and device associated with your account. If you believe your account has been compromised, contact us immediately at support@vouchlist.app.

10. International Data Transfers

Vouchlist operates in the United States, and our primary infrastructure and service providers (including Supabase, PostHog, Expo, Apple, and Google) operate or may operate from the United States and other countries. By using the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States and potentially other countries that may have data-protection laws different from those of your country of residence. Where required, we rely on appropriate transfer mechanisms (such as standard contractual clauses) with our processors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes — for example, new categories of data collected, new processors that materially expand who handles your data, or any change that would result in our beginning to sell or "share" personal information — we will provide reasonable advance notice through an in-app notice, email (where we have an address for you), or other appropriate means, and, where required by law, obtain your consent. Non-material changes (clarifications, typo fixes, contact-info updates) may take effect upon posting. The "Last updated" date at the top of this policy will always reflect the most recent revision.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy or security concern, please contact:

• Email: support@vouchlist.app

We will acknowledge verifiable rights requests within the time frame required by applicable law and respond as promptly as reasonably possible.