Privacy Policy

Last updated: July 11, 2026  ·  Version 1.1.17

Summary. Vouchlist is a private, contact-based directory for trusted local professionals, restaurants, and travel recommendations. To run the Service we collect your phone number (for sign-in), the name on your profile, a city-level or precise location you provide or permit, salted hashes of contacts you choose to sync, content you create (vouches, listings, notes), and standard device and usage data. Optional AI features run on your device: your Ask Scout questions are used only to look up matching listings from your circles and are never stored on our servers, never sent to a third-party AI provider, and never used to train any model. We do not sell your personal information at this time, and we describe below the limited circumstances in which we share data with the third-party processors that operate the Service. We may create and license aggregated, de-identified statistics that do not identify you (see Section 3.6).

This Privacy Policy explains how Alphabyte LLC, doing business as Vouchlist ("Vouchlist," "we," "us," or "our"), collects, uses, discloses, and protects information about you when you use the Vouchlist mobile application (the "App"), the marketing site at vouchlist.app, and any related services, features, content, APIs, edge functions, or push notifications we provide (collectively, the "Service"). It applies to all users of the Service in the United States.

By creating an account or otherwise using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. Information We Collect

We collect information in three ways: (a) information you provide directly, (b) information generated when you use the Service, and (c) information we receive from third parties that help us operate the Service.

1.1 Account and Profile Information. When you sign up, we collect your mobile phone number, which we use to send a one-time SMS verification code (passwordless OTP authentication). Once verified, we also collect the name (first and last) you provide during profile setup. We record a timestamp confirming you have stated you are at least eighteen (18) years old.

1.2 Location Information. Vouchlist is a location-aware product. During onboarding you are asked to set a home city, which we store on your profile. You may set it in one of two ways:

When you add a professional, restaurant, or destination as a listing, we may store the latitude and longitude of that listing (not your device location) so other users in your circles can sort it by distance. You can change or remove your stored location at any time from in-app settings.

1.3 Contacts and Contact Matching. If you choose to use the contact-matching feature, the App requests permission to read your device address book. We use the phone numbers in your contacts only to:

We do not persist your full device address book on our servers, and we do not store plaintext phone numbers of your contacts in the "friends" table — only their salted hashes. Plaintext phone numbers transit our backend transiently to compute matches and hashes. Because the hash uses a private salt, hashed values cannot be meaningfully reversed back to phone numbers without that salt. You can revoke contacts permission in your device settings at any time; doing so will stop future syncs but does not automatically delete records already in your "friends" list (you can delete those from the App or by deleting your account).

Circle invites for contacts not yet on Vouchlist. If you are a circle admin, you can add a contact to your circle even if they are not yet a Vouchlist user. When you do, we store a pending-invite record containing the salted hash of that contact's phone number (never the plaintext number), the display name you have for them, the circle, and your account as the inviter. We do not send any message to the invited contact. If a person later creates a Vouchlist account using that phone number, the pending invite converts into a circle membership and the pending record is deleted. A circle admin can cancel a pending invite at any time, which also deletes the record, and pending invites are deleted if the circle is deleted.

1.4 User Content. When you use the Service, you create content including: professional/business listings (home services and other categories), dining and travel destination listings, vouches (your star rating, free-text notes, and selected relationship context such as "used their services" or "personal contact"), saved/bookmarked items, circle names, and messages or feedback you send us. We store this content on your behalf to operate the features you use.

1.5 Push Notification Tokens. If you enable notifications, we collect an Expo push token issued by Expo's notification service, which in turn is backed by Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android. We store this token alongside your account so we can send you notifications about activity in your circles (for example, a new vouch on a pro you added, or a friend joining the App). You can disable push notifications in your device settings or in the App's notifications screen.

1.6 Camera and Photo Library. The App does not currently access your camera or photo library.

1.7 Device and Usage Data. When you use the App we automatically collect standard mobile telemetry, including IP address, device model and operating system, app version, language, timezone, crash reports and diagnostic logs, and aggregate event data such as which screens you view, which features you interact with, the approximate length of search queries (we do not log the literal query strings as event payloads), and timestamps. This data helps us debug issues, measure feature usage, and improve the product. Crash reports are processed for us by Sentry (see Sections 3.2 and 4) and include stack traces, device and OS information, app version, and recent in-app interaction breadcrumbs; we do not attach your name, phone number, or account identity to crash reports. When an error occurs, Sentry may also capture a visual session replay of the moments leading up to it — by default this replay masks all on-screen text and images, so it captures layout and navigation, not the content you viewed or typed. We do not record session replays outside of error conditions.

1.8 Information from Service Providers. Our authentication, hosting, analytics, push, and geocoding providers (see Section 4) may relay technical metadata to us — for example, OTP delivery status, push delivery receipts, or geocoding results — in order to operate their portions of the Service.

1.9 Ask Scout (On-Device AI Assistant). Where available, the App includes an optional AI assistant called Ask Scout that answers your questions by suggesting listings already shared with you in your circles. Scout is designed to be private by architecture:

2. How We Use Information

We use the information described above for the following purposes:

3. How We Share Information

3.1 Other Users. Vouchlist is fundamentally a social/contact-graph product. Certain information is visible to other users by design:

3.2 Service Providers and Processors. We share limited data with third-party vendors that process information on our behalf, under contracts that restrict their use of that data:

Each of these providers has its own privacy practices. We encourage you to review them: Supabase (supabase.com/privacy), PostHog (posthog.com/privacy), Google (policies.google.com/privacy), LocationIQ (locationiq.com/legal/privacy), Sentry (sentry.io/privacy), Expo (expo.dev/privacy), and Apple (apple.com/legal/privacy).

3.3 Legal, Safety, and Compliance. We may disclose information if we believe in good faith that disclosure is necessary to (a) comply with applicable law, legal process, or a lawful government request, including subpoenas and court orders; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of Vouchlist, our users, or others; or (d) prevent or investigate fraud, security incidents, or violations of our policies.

3.4 Corporate Transactions. If Vouchlist is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information about you may be transferred to a successor or affiliate as part of that transaction. We will require the recipient to honor the commitments in this Privacy Policy or provide notice of any material changes.

3.5 Sale of Personal Information; "Sharing" for Cross-Context Behavioral Advertising. We currently do not sell your personal information in exchange for monetary or other valuable consideration, and we currently do not "share" your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), and similar U.S. state privacy laws. We also currently do not knowingly sell or share the personal information of any consumer under the age of sixteen (16).

These are statements about our current practices, not perpetual commitments. If our practices change — for example, if we introduce advertising features, partnerships, or business models that would constitute a "sale" or "sharing" of personal information under applicable law — we will update this Privacy Policy, post a conspicuous in-app notice, provide an opt-out mechanism where required, and, to the extent legally required, obtain your opt-in consent before any such sale or sharing takes effect.

3.6 Aggregated and De-Identified Data. We may create aggregated or de-identified data from information collected through the Service — for example, statistics and datasets about recommendations, ratings, prices paid, categories, and city-level geographic trends — by removing or transforming the elements that identify you (such as your name, phone number, contact hashes, account identifiers, and precise location) so that the resulting data cannot reasonably be linked to you, your household, or your device. We may use, license, sell, or otherwise disclose aggregated or de-identified data for any lawful business purpose, including commercial data products and market insights. Aggregated and de-identified data is not personal information under the CCPA and similar U.S. state privacy laws, and the creation, use, or licensing of such data as described in this section is not a "sale" or "sharing" of personal information under Section 3.5.

Where we maintain or disclose de-identified data, we: (a) take reasonable technical and organizational measures to ensure the data cannot be associated with you; (b) publicly commit, including in this Section 3.6, to maintain and use the data only in de-identified form and not to attempt to re-identify it, except as permitted by law solely to test whether our de-identification processes satisfy legal requirements; and (c) contractually obligate any recipient of the data to comply with these same requirements, including the prohibition on re-identification.

4. Third-Party Processors We Use

To help you evaluate our data handling, here is the current, complete list of subprocessors that materially handle user data on our behalf. We may update this list as our infrastructure evolves and will reflect changes in this section.

5. Data Retention

We retain personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

We may retain limited information longer where necessary to comply with legal obligations, resolve disputes, prevent fraud or abuse, or enforce our agreements.

6. Your Rights and Choices

Depending on where you live, you may have the following rights with respect to your personal information. We honor these rights regardless of whether they are technically required to be extended to you.

To submit a rights request that you cannot complete in the App, email us at support@vouchlist.app. We may need to verify your identity (for example, by sending a verification code to the phone number associated with your account) before fulfilling the request.

7. California-Specific Disclosures

This section provides additional information for California residents under the CCPA. In the twelve (12) months preceding the "Last updated" date, we have collected the following categories of personal information: identifiers (phone number, account ID, device identifiers, IP address); customer records (name); commercial information (none, beyond record of features used); internet or other electronic network activity information (app usage, event analytics); geolocation data (city-level location and, with your permission, precise location); inferences (limited inferences used to sort and recommend listings); and sensitive personal information limited to precise geolocation (only when you permit it). We collected these categories from the sources, used them for the business purposes, and disclosed them to the categories of third parties described in Sections 1–4.

We have not sold or "shared" personal information, and have not used or disclosed sensitive personal information for purposes other than those permitted under the CCPA without a separate right to limit. You may, however, request that we limit our use of your precise geolocation to that which is necessary to perform the Service; you can do this by using manual location entry or revoking location permission. To exercise California rights, contact us using the methods in Section 6.

When we disclose or license aggregated or de-identified information as described in Section 3.6, we maintain and use it in de-identified form, do not attempt to re-identify it (except as permitted by the CCPA solely to test our de-identification processes), and contractually prohibit recipients from attempting re-identification, consistent with Cal. Civ. Code § 1798.140(m).

8. Children's Privacy

The Service is intended for adults. The App presents an in-app age gate requiring users to affirm they are at least eighteen (18) years old (or the age of majority in their jurisdiction, if higher) before completing onboarding. The Service is not directed to children under thirteen (13), and we do not knowingly collect personal information from children under thirteen (13). If we learn that we have collected personal information from a child under thirteen (13), we will delete it as required by the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@vouchlist.app.

Child Safety (CSAE). Vouchlist has a zero-tolerance policy toward child sexual abuse and exploitation. Apparent child sexual abuse material (CSAM) discovered on the Service is reported to the National Center for Missing & Exploited Children (NCMEC) as required by law, and offending accounts are terminated. Users can report concerns in-app via the Report control on any profile or by emailing support@vouchlist.app with the subject line "Child Safety Report."

9. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit (TLS) for traffic between the App and our backend; storage of session tokens on-device in the operating system's secure storage; salted SHA-256 hashing of contact phone numbers stored in our database; passwordless authentication via one-time SMS codes; and access controls and row-level security policies on our backend.

However, no system can be guaranteed to be 100% secure. You are responsible for safeguarding access to the phone number and device associated with your account. If you believe your account has been compromised, contact us immediately at support@vouchlist.app.

10. International Data Transfers

Vouchlist operates in the United States, and our primary infrastructure and service providers (including Supabase, PostHog, Expo, Apple, and Google) operate or may operate from the United States and other countries. By using the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States and potentially other countries that may have data-protection laws different from those of your country of residence. Where required, we rely on appropriate transfer mechanisms (such as standard contractual clauses) with our processors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes — for example, new categories of data collected, new processors that materially expand who handles your data, or any change that would result in our beginning to sell or "share" personal information — we will provide reasonable advance notice through an in-app notice, email (where we have an address for you), or other appropriate means, and, where required by law, obtain your consent. Non-material changes (clarifications, typo fixes, contact-info updates) may take effect upon posting. The "Last updated" date at the top of this policy will always reflect the most recent revision.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy or security concern, please contact:

We will acknowledge verifiable rights requests within the time frame required by applicable law and respond as promptly as reasonably possible.