Voya · Appophile

middot; Voya

Privacy Policy

Last updated: 10th June 2026

This Privacy Policy explains what personal data Voya collects, why we collect it, how we use and share it, and the choices and rights you have. Voya is an AI-powered travel packing-list assistant published by Appophile.

1. Introduction & Scope

This Policy applies to the Voya mobile application (Android package com.appophile.voya) and to these web pages. By creating an account, using guest mode, or otherwise using Voya, you acknowledge the practices described here.

"Personal data" (or "personal information") means information that identifies, relates to, or can reasonably be linked to you. Where this Policy uses the words "we," "us," or "our," it refers to Appophile as the operator of Voya.

2. Who We Are (Data Controller)

The controller responsible for your personal data is:

Legal entity: Velocity Retail (operating as Appophile)
Registered address: Bengaluru, Karnataka, India
Contact email: apps.appophile@gmail.com

Voya is operated from India and is not specifically directed at users in the EU/EEA or the UK. If we begin offering the service to users in those regions in a way that requires us to appoint a representative under Article 27 of the GDPR (or the UK GDPR), we will appoint one and update this Policy with their details. In the meantime, you can reach us about any data protection matter at apps.appophile@gmail.com.

3. Data We Collect, Why, and Legal Basis

We collect only the data we need to run the app. The table below groups the data by category and, for users in the EU/EEA and UK, states our legal basis under the GDPR.

Data category	What it includes	Why we use it	GDPR legal basis
Account information	Email address and display name, collected through Firebase Authentication when you sign in with Google or with email/password.	To create and secure your account, sign you in, and contact you about your account.	Performance of a contract (providing the service).
Trip data	Destinations, travel dates, bag size, trip "vibe"/activity preferences, optional traveler gender and traveler count, generated packing lists, and which items you check off. Stored in Google Cloud Firestore.	To generate, store, and display your packing lists and let you track them across sessions and devices.	Performance of a contract.
AI inputs & usage metadata	The trip details above are sent to Google's Gemini model to generate your list. We also log non-identifying AI usage and cost metadata.	To produce packing suggestions and to monitor service cost and reliability.	Performance of a contract; legitimate interests (operating and improving the service).
Push notification token	Your Firebase Cloud Messaging (FCM) device token.	To send trip reminders and packing notifications. You can opt out by category in the app and through your device settings.	Consent (where required); otherwise legitimate interests.
Purchase data	Your subscription status and Google Play purchase receipts/tokens, validated server-side via the Google Play Developer API.	To activate and verify your premium subscription and prevent fraud.	Performance of a contract; legal obligation (record-keeping).
Premium sharing	If you share premium with a partner, that partner's email address.	To send and accept the premium-sharing invite.	Performance of a contract; consent of the inviting user.
Diagnostics	Crash logs, analytics, and performance data via Firebase Crashlytics, Analytics, and Performance Monitoring (in production builds).	To detect crashes, fix bugs, and understand how features are used so we can improve them.	Legitimate interests; consent where local law requires it for analytics.
Advertising identifiers	For non-premium users we show banner ads via Google AdMob, which may use the device Advertising ID and related identifiers.	To display ads that help fund the free tier.	Consent (for personalized ads in the EU/EEA/UK via Google's User Messaging Platform); legitimate interests for non-personalized ads.
Destination, maps & weather lookups	Destination autocomplete via Google Places; weather and geocoding via Google Maps Platform and OpenStreetMap/Nominatim, based on the destination you choose.	To suggest destinations and fetch weather to tailor your packing list.	Performance of a contract.

Data we do not collect

We do not request precise device location. Voya has no location permission. Weather and maps are based on the destination you type, not your device's GPS.
We do not sell your personal data for money.

Note on "sharing" for ads: We do not sell data. However, when personalized ads are shown, some advertising identifiers may be shared with Google AdMob for advertising purposes. Under California law this can count as "sharing" for cross-context behavioral advertising. See Section 10 for how to opt out.

4. How Our AI Processing Works

To generate a packing list, Voya sends your trip details (destination, dates, bag size, trip vibe/activities, and any optional traveler gender and count) to Google's Gemini model through Firebase AI Logic and our Cloud Functions. The model returns a suggested list, which we store in your account.

We send only the trip details needed to produce the list, not your full account profile.
We log non-identifying usage and cost metadata (for example, request counts), not the content of your trips for advertising.
AI suggestions are generated automatically and may be inaccurate or incomplete. They are suggestions only; you remain responsible for what you actually pack.

AI suggestions do not produce legal effects or similarly significant effects about you, so they are not "automated decision-making" of the kind restricted by Article 22 of the GDPR.

5. Cookies, Identifiers & Advertising

Voya is a mobile app and does not use website cookies inside the app. Instead, our service providers may use device and software identifiers, including:

Advertising ID — used by Google AdMob to show ads to non-premium users.
Analytics and app identifiers — used by Firebase Analytics, Crashlytics, and Performance Monitoring, and by Firebase App Check, to keep the app working and secure.

EU/EEA and UK ad consent

If you are in the EU/EEA or the UK, we use Google's User Messaging Platform (UMP) to ask for your consent before showing personalized ads, as required by Google's policies and EU rules. You can change your choice later in the app's privacy settings. If you do not consent, you may still see non-personalized ads.

6. Third-Party Processors & Sub-Processors

We use the following providers to operate Voya. They process data on our behalf under their own terms and security commitments:

Google / Firebase — Authentication, Cloud Firestore, Cloud Functions, Cloud Messaging, Crashlytics, Analytics, Performance Monitoring, Remote Config, and App Check.
Google Gemini — AI generation of packing lists.
Google Play Billing & Google Play Developer API — subscription purchases and server-side validation.
Google AdMob — advertising to non-premium users.
Google Maps Platform & Google Places — destination autocomplete, geocoding, and weather support.
OpenStreetMap / Nominatim — geocoding for destinations.

Each provider handles your data under its own privacy terms. We recommend reviewing Google's Privacy Policy and the OpenStreetMap Foundation's privacy information for details on their processing.

7. International Data Transfers

Our providers, principally Google, operate data centers in several countries, including the United States. This means your data may be processed outside your home country, including outside the EU/EEA, the UK, and India.

Where we transfer personal data out of the EU/EEA or the UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK addendum), which our providers incorporate into their terms. You may request more information about these safeguards using the contact details below.

8. Data Retention & Deletion

We keep personal data only as long as we need it:

Account and trip data: kept while your account is active. You can delete your account in the app from the Profile screen, which removes your account and trip data.
Notification logs: auto-expire after about 7 days.
Guest-generation counters: auto-expire after about 48 hours.
Purchase records: may be retained longer where required for tax, accounting, or fraud-prevention obligations.

After deletion, some data may persist briefly in backups or provider logs before being overwritten in the normal course of operations.

9. How We Protect Your Data

Encryption in transit: data moves between the app and our providers over encrypted (HTTPS/TLS) connections.
Firebase Security Rules: restrict access so users can generally only read and write their own data.
Firebase App Check: helps ensure requests come from genuine, unmodified instances of the app.
Server-side validation: purchases are verified on the server, not trusted from the device alone.

No system is perfectly secure. We cannot guarantee absolute security, but we work to protect your data using reasonable technical and organizational measures.

10. Your Privacy Rights (GDPR, DPDP, CCPA/CPRA)

Depending on where you live, you have some or all of the following rights:

Access — get a copy of the personal data we hold about you.
Correction — fix data that is wrong or incomplete.
Deletion — ask us to delete your data (you can also self-serve via the in-app Profile screen).
Opt out of personalized ads — withdraw ad-personalization consent via the in-app privacy settings (UMP) and your device's Advertising ID controls.
Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior processing.
Data portability and objection / restriction — available to EU/EEA and UK users under the GDPR.
Non-discrimination — California users will not be treated differently for exercising privacy rights.

How to exercise your rights

Email apps.appophile@gmail.com. We will verify your request and respond within the time limits set by the law that applies to you. You may use an authorized agent where the law allows it.

Region-specific notes

EU/EEA & UK (GDPR): you may lodge a complaint with your local data protection authority.
India (DPDP Act 2023): you may contact us at the email above to exercise your rights as a Data Principal, including grievance redressal. Contact: apps.appophile@gmail.com
California (CCPA/CPRA): you have the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell your data; to opt out of ad-related "sharing," use the in-app privacy settings.

11. Children's Privacy

Voya is intended for users aged 13 and over and is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us data, contact us and we will delete it.

In some EU/EEA countries the minimum age for consent to data processing is higher than 13 (up to 16). Where that applies, users below the local age threshold should use Voya only with the consent of a parent or guardian.

12. Guest / Anonymous Mode

You can use Voya without an account through guest mode, backed by Firebase Anonymous Authentication. In guest mode:

We do not collect your email or display name.
Your trip data is tied to a randomly generated, device-linked identifier rather than to your identity.
Guest-generation counters auto-expire after about 48 hours.
If you later sign in, your guest data may be linked to your new account.
Guest data may be lost if you uninstall the app or clear app data, because it is not tied to a recoverable login.

13. Changes to This Policy

We may update this Policy as the app, our providers, or the law change. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you in the app. Continued use after changes take effect means you accept the updated Policy.

14. Contact Us

For any privacy question or request, contact us at apps.appophile@gmail.com.