Voluta
AboutPricingSign InGet Started

Privacy Policy

Effective Date: April 5, 2026

Introduction

Voluta (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, progressive web application, and related services (collectively, the “Service”). By using the Service, you consent to the data practices described in this policy.

We encourage you to read this Privacy Policy carefully. If you do not agree with the terms of this policy, please do not access or use the Service.

1. Information We Collect

Account Information

When you create an account, we collect your email address, username, and password (stored as a secure hash). If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

Profile Information

You may optionally provide additional profile information including your full name, bio, location, website URL, avatar image, header image, and favorite genres.

Reading Data

We collect data about your reading activity, including books you track, reading status (to-be-read, currently reading, read, paused, did not finish), reading progress, start and finish dates, ratings, reviews, reading notes, and reading logs. This data is essential to the core functionality of the Service.

Social and Community Data

When you use social features, we collect data including forum posts, discussion replies, book club memberships, buddy read participation, custom lists, follow relationships, votes, and roadmap feedback.

Payment Information

Payment processing is handled entirely by Stripe. We never store, process, or have access to your full credit card number, debit card number, or bank account details. We receive and store only your Stripe customer ID, subscription ID, plan type, subscription status, and billing period dates. All payment card data is collected, processed, and stored exclusively by Stripe in compliance with PCI DSS standards.

Usage and Technical Data

We automatically collect certain technical information when you use the Service, including your IP address (used for rate limiting and security purposes), browser type, device type, pages visited, and timestamps of access. This data is used for service operation, security, and improving user experience.

Imported Data

If you import your library from another platform (such as Goodreads or StoryGraph), we process the CSV file you upload to match books and import your reading history, ratings, and dates. Uploaded CSV files are processed in your browser and are not stored on our servers.

2. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Create and manage your account
  • Track your reading progress and generate reading analytics (streaks, statistics, year-in-review)
  • Provide personalized book recommendations using collaborative filtering and vector embeddings
  • Enable social features including forums, book clubs, buddy reads, and following
  • Process subscription payments through Stripe
  • Send transactional notifications about your account, activity, and social interactions
  • Enforce rate limits and prevent abuse of the Service
  • Improve the Service based on usage patterns and community feedback
  • Comply with legal obligations

3. Third-Party Services

We use the following third-party services to operate the platform. Each service processes data as described:

  • Supabase — Provides authentication, database hosting (PostgreSQL), and backend infrastructure. Your account data and all application data are stored in Supabase-hosted databases with row-level security policies enforced at the database level.
  • Google OAuth — If you choose to sign in with Google, we use Google's OAuth 2.0 service. Google shares your email, name, and profile picture with us. Google's privacy policy governs how Google handles your data.
  • Stripe — Processes all subscription payments. Stripe collects and stores your payment card information directly. We never have access to your full card details. Stripe's privacy policy governs their handling of your payment data.
  • Open Library / Google Books — We query these public APIs to retrieve book metadata (titles, authors, descriptions, cover images, ISBNs, page counts). No user data is shared with these services.
  • Amazon Associates — We generate affiliate links to Amazon for books. Clicking these links is subject to Amazon's privacy policy.
  • Upstash — Provides Redis-based rate limiting to protect the Service from abuse. Upstash processes anonymized user identifiers and request counts only.

4. Data Storage and Security

Your data is stored in Supabase-hosted PostgreSQL databases with row-level security (RLS) policies that ensure users can only access data they are authorized to view or modify. Database access is enforced at the database level, not just the application level.

We implement industry-standard security measures including encrypted connections (HTTPS/TLS), secure password hashing, session-based authentication, rate limiting on write operations, and input sanitization to protect against common vulnerabilities.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Data Sharing and Disclosure

We do not sell your personal information to third parties. We may share your information in the following limited circumstances:

  • With Other Users: Certain information you provide is visible to other users as part of the Service's social features, including your username, avatar, public profile information, reading activity (based on your privacy settings), reviews, forum posts, and book club participation.
  • With Service Providers: We share data with the third-party services listed above solely to operate the Service.
  • For Legal Compliance: We may disclose information when required by law, regulation, legal process, or governmental request.
  • To Protect Rights: We may disclose information when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or respond to a government request.
  • In Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You can access most of your personal data through your account settings and profile page at any time.
  • Correction: You can update your profile information, reading data, and preferences through the Service at any time.
  • Deletion: You can request deletion of your account and associated personal data by contacting us. Upon deletion, we will remove your personal data, though anonymized or aggregated data may be retained. Some data may also be retained as required by law.
  • Data Export: You can export your reading data at any time through your account settings.
  • Opt-Out of Communications: You can manage your notification preferences through account settings.

For users in the European Economic Area (EEA), United Kingdom, or California, additional rights may apply under GDPR or CCPA respectively. To exercise any of these rights, please contact us at the email address provided below.

7. Cookies and Local Storage

We use cookies and browser local storage for the following purposes:

  • Authentication: Session cookies are used to maintain your authenticated state across requests. These are essential for the Service to function.
  • Preferences: Local storage is used to save your theme preference (light/dark mode) and other user interface settings.
  • PWA Functionality: As a Progressive Web App, we use service workers and local caching to enable offline functionality and faster loading.

We do not use third-party tracking cookies or advertising cookies. We do not participate in cross-site tracking or behavioral advertising networks.

8. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 13, please contact us immediately.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our Terms).

Anonymized reading statistics and aggregated data that cannot be used to identify you may be retained indefinitely for analytical purposes and to improve the Service.

10. International Data Transfers

Your data may be processed and stored in countries other than your country of residence, including the United States, where our service providers operate. By using the Service, you consent to the transfer of your information to these countries. We ensure appropriate safeguards are in place for international data transfers as required by applicable law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the effective date. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after the posting of changes constitutes your acceptance of such changes.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us at:

Email: privacy@voluta.app