Voluta
Get Started

Privacy Policy

Effective Date: April 5, 2026

Introduction

Voluta (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, progressive web application, and related services (collectively, the “Service”). By using the Service, you consent to the data practices described in this policy.

We encourage you to read this Privacy Policy carefully. If you do not agree with the terms of this policy, please do not access or use the Service.

1. Information We Collect

Account Information

When you create an account, we collect your email address, username, and password (stored as a secure hash). If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

Profile Information

You may optionally provide additional profile information including your full name, bio, location, website URL, avatar image, header image, and favorite genres.

Reading Data

We collect data about your reading activity, including books you track, reading status (to-be-read, currently reading, read, paused, did not finish), reading progress, start and finish dates, ratings, reviews, reading notes, and reading logs. This data is essential to the core functionality of the Service.

Social and Community Data

When you use social features, we collect data including forum posts, discussion replies, book club memberships, buddy read participation, custom lists, follow relationships, votes, and roadmap feedback.

Payment Information

Payment processing is handled entirely by Stripe. We never store, process, or have access to your full credit card number, debit card number, or bank account details. We receive and store only your Stripe customer ID, subscription ID, plan type, subscription status, and billing period dates. All payment card data is collected, processed, and stored exclusively by Stripe in compliance with PCI DSS standards.

Usage and Technical Data

We automatically collect certain technical information when you use the Service, including your IP address (used for rate limiting and security purposes), browser type, device type, pages visited, and timestamps of access. This data is used for service operation, security, and improving user experience.

Imported Data

If you import your library from another platform (such as Goodreads or StoryGraph), we process the CSV file you upload to match books and import your reading history, ratings, and dates. Uploaded CSV files are processed in your browser and are not stored on our servers.

2. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Create and manage your account
  • Track your reading progress and generate reading analytics (streaks, statistics, year-in-review)
  • Provide personalized book recommendations using collaborative filtering and vector embeddings
  • Enable social features including forums, book clubs, buddy reads, and following
  • Process subscription payments through Stripe
  • Send transactional notifications about your account, activity, and social interactions
  • Enforce rate limits and prevent abuse of the Service
  • Display relevant advertisements to free-tier users through third-party advertising partners
  • Improve the Service based on usage patterns and community feedback
  • Comply with legal obligations

3. Third-Party Services

We use the following third-party services to operate the platform. Each service processes data as described:

  • Supabase — Provides authentication, database hosting (PostgreSQL), and backend infrastructure. Your account data and all application data are stored in Supabase-hosted databases with row-level security policies enforced at the database level.
  • Google OAuth — If you choose to sign in with Google, we use Google's OAuth 2.0 service. Google shares your email, name, and profile picture with us. Google's privacy policy governs how Google handles your data.
  • Stripe — Processes all subscription payments. Stripe collects and stores your payment card information directly. We never have access to your full card details. Stripe's privacy policy governs their handling of your payment data.
  • Open Library / Google Books — We query these public APIs to retrieve book metadata (titles, authors, descriptions, cover images, ISBNs, page counts). No user data is shared with these services.
  • Amazon Associates — We generate affiliate links to Amazon for books. Clicking these links is subject to Amazon's privacy policy.
  • Upstash — Provides Redis-based rate limiting to protect the Service from abuse. Upstash processes anonymized user identifiers and request counts only.
  • Advertising Partners — We may display advertisements from third-party advertising networks to free-tier users. These partners may use cookies or similar technologies to serve ads based on non-personally-identifiable information such as content context or general reading interests. We do not share your personal information with advertisers. Premium subscribers are not shown advertisements.

4. Data Storage and Security

Your data is stored in Supabase-hosted PostgreSQL databases with row-level security (RLS) policies that ensure users can only access data they are authorized to view or modify. Database access is enforced at the database level, not just the application level.

We implement industry-standard security measures including encrypted connections (HTTPS/TLS), secure password hashing, session-based authentication, rate limiting on write operations, and input sanitization to protect against common vulnerabilities.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Data Sharing and Disclosure

We do not sell your personal information to third parties. We may share your information in the following limited circumstances:

  • With Other Users: Certain information you provide is visible to other users as part of the Service's social features, including your username, avatar, public profile information, reading activity (based on your privacy settings), reviews, forum posts, and book club participation.
  • With Service Providers: We share data with the third-party services listed above solely to operate the Service.
  • With Advertising Partners: For free-tier users who have consented to non-essential cookies, advertising partners may collect non-personally-identifiable data (such as content context and ad interaction data) through cookies. We do not share your name, email, or reading history with advertisers.
  • For Legal Compliance: We may disclose information when required by law, regulation, legal process, or governmental request.
  • To Protect Rights: We may disclose information when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or respond to a government request.
  • In Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You can access most of your personal data through your account settings and profile page at any time.
  • Correction: You can update your profile information, reading data, and preferences through the Service at any time.
  • Deletion: You can request deletion of your account and associated personal data by contacting us. Upon deletion, we will remove your personal data, though anonymized or aggregated data may be retained. Some data may also be retained as required by law.
  • Data Export: You can export your reading data at any time through your account settings.
  • Opt-Out of Communications: You can manage your notification preferences through account settings.
  • Opt-Out of Non-Essential Cookies: You can manage advertising and analytics cookie preferences through the cookie consent controls on the Service at any time. You may also upgrade to a premium plan for an entirely ad-free experience.

For California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following additional rights:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your information was collected, the business purpose for collecting your information, and the categories of third parties with whom we share your information.
  • Right to Delete: You have the right to request that we delete any personal information we have collected about you, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties. Because we do not sell personal information, there is no need to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, or provide a different quality of service because you exercised your rights.

For EEA and UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing. Our legal basis for processing your data is your consent (which you may withdraw at any time) and the performance of our contract with you to provide the Service.

To exercise any of these rights, please contact us at the email address provided below.

7. Cookies and Local Storage

We use cookies and browser local storage for the following purposes:

  • Authentication: Session cookies are used to maintain your authenticated state across requests. These are essential for the Service to function.
  • Preferences: Local storage is used to save your theme preference (light/dark mode) and other user interface settings.
  • PWA Functionality: As a Progressive Web App, we use service workers and local caching to enable offline functionality and faster loading.
  • Advertising (non-essential): If you are using the free tier, third-party advertising partners may set cookies to serve relevant ads and measure ad performance. These cookies are non-essential and require your consent. You may manage your preferences through the cookie consent controls provided on the Service. Premium subscribers are not served advertising cookies.
  • Analytics (non-essential): We use Google Analytics 4 (provided by Google LLC) to understand how visitors use the Service in aggregate. Google Analytics may set cookies (such as _ga and_ga_*) and collect information including your IP address, browser and device details, pages viewed, time spent on each page, and referring website. We use Google Consent Mode v2: analytics cookies are denied by default and only set after you accept non-essential cookies via the consent banner. Data collected via Google Analytics is processed by Google in accordance with Google’s Privacy Policy. You may opt out of Google Analytics on any site by installing the Google Analytics Opt-out Browser Add-on, in addition to using our cookie consent controls.

We do not participate in cross-site behavioral tracking. You can withdraw your consent for non-essential cookies at any time through the cookie settings available on the Service.

8. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 13, please contact us immediately.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our Terms).

Anonymized reading statistics and aggregated data that cannot be used to identify you may be retained indefinitely for analytical purposes and to improve the Service.

10. International Data Transfers

Your data may be processed and stored in countries other than your country of residence, including the United States, where our service providers operate. By using the Service, you consent to the transfer of your information to these countries. We ensure appropriate safeguards are in place for international data transfers as required by applicable law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the effective date. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after the posting of changes constitutes your acceptance of such changes.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us at:

Email: privacy@voluta.app