Privacy Policy
Last updated: March 24, 2026
Introduction
Vouch App Ltd ("Vouch", "we", "us", or "our") operates the Vouch mobile application (the "App") and the website at vouchapp.ca (the "Website"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.
By using the App or Website, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
Information We Collect
1. Information You Provide
| Data Type | Purpose | Required |
|---|---|---|
| Email address | Account creation, authentication, password recovery | Yes |
| Display name | Shown to other users during Vouch sessions | Yes |
| Profile photo | Personalisation of your profile | No |
| Brand submissions | Adding new brands to the platform | No |
2. Information Collected Automatically
- Device identifiers: Used for Bluetooth Low Energy (BLE) peer discovery during Vouch sessions
- Transaction records: Points earned, brands recommended, session history
- Consent records: Timestamps and types of consent you grant (regulatory compliance)
- Usage patterns: Feature interactions within the App (aggregated, non-identifying)
3. Information We Do NOT Collect
- Location data (GPS, cell tower, or Wi-Fi based)
- Contact lists or phone book data
- Browsing history outside the App
- Financial or payment card details (we do not store credit/debit card numbers, bank account details, or similar payment credentials)
- Biometric data
Note on reward redemption: When you redeem points for a Virtual Visa reward through our partner Tremendous, we share your email address and redemption amount with Tremendous solely to process your reward. Tremendous handles all financial processing; Vouch does not receive or store your payment card details. See Third-Party Services below.
How We Use Your Information
We use your personal information to:
- Provide the service: Enable peer-to-peer brand recommendations via Bluetooth
- Manage your account: Authentication, profile display, wallet/points tracking
- Process rewards: Track points earned from Vouch sessions and brand interactions
- Verify brands: Review and approve user-submitted brand recommendations
- Prevent abuse: Rate limiting, cooldown enforcement, and fraud detection
- Communicate: In-app notifications about session results, brand approvals, and account updates
- Improve the service: Aggregated analytics to improve features and user experience
How Vouch Sessions Work (Bluetooth)
Vouch uses Bluetooth Low Energy (BLE) to connect two users who are physically nearby. During a session:
- Your display name is shared with the other participant via BLE
- No location data is collected or transmitted
- Session data (brand recommended, points earned) is stored securely in our cloud infrastructure
- BLE advertising stops immediately when you leave the session screen
The proximity requirement (Bluetooth range) is a core privacy feature: recommendations only happen face-to-face between people who are physically together.
Data Storage and Security
Your data is stored using Google Firebase infrastructure, which provides:
- Encryption at rest and in transit (TLS 1.2+)
- SOC 1, SOC 2, and ISO 27001 certified data centres
- Data residency in North America
- Firestore security rules restricting access to authorised users only
- Server-side validation of all business logic (no client-side trust)
Wallet balances, transaction processing, and rate limiting are all enforced server-side via Cloud Functions. Client applications cannot directly modify protected data.
Data Sharing and Third-Party Services
We do not sell your personal information. We share data only in these limited circumstances:
- With session participants: Your display name is shared via BLE during active Vouch sessions
- Service providers: See the table below for details on third-party data processors
- Legal requirements: When required by law, court order, or to protect our legal rights
- Business transfer: In connection with a merger, acquisition, or sale of assets (with notice)
Third-Party Service Providers
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Firebase / Google Cloud (Google LLC) | Database, authentication, cloud functions, file storage, crash reporting | Account data, session records, app usage | firebase.google.com/support/privacy |
| Firebase Analytics (Google LLC) | In-app usage analytics to improve features and user experience | Aggregated event data including: app_opened (session ID, device type, app version), vouch_initiated/completed/failed (session ID, role, brand ID, points, peer ID), brand_unlocked/viewed (session ID, brand ID), points_redeemed (session ID, points amount, reward type). No PII is included in analytics events. | policies.google.com/privacy |
| MailerLite (UAB MailerLite) | Waitlist and marketing email communications (with your consent) | Email address | mailerlite.com/legal/privacy-policy |
| Tremendous (Tremendous, Inc.) | Processing reward redemptions and issuing Virtual Visa cards | Email address and redemption amount (when you choose to redeem points) | tremendous.com/privacy |
Your Rights
Depending on your jurisdiction, you may have the following rights:
All Users
- Access: Request a copy of your personal data
- Deletion: Delete your account and all associated data via the App or our account deletion page
- Correction: Update your profile information within the App
- Withdraw consent: Revoke previously granted consent at any time
EU/UK Users (GDPR)
- Data portability: Receive your data in a structured, machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Lodge a complaint: File a complaint with your local supervisory authority
Canadian Users (PIPEDA)
- Knowledge and consent: We obtain meaningful consent for data collection
- Limiting use: Data is used only for the purposes identified at collection
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada
California Users (CCPA/CPRA)
- Right to know: Categories and specific pieces of personal information collected
- Right to delete: Request deletion of personal information
- Non-discrimination: Equal service regardless of exercising privacy rights
- No sale: We do not sell personal information
Cookies
Our website uses a limited number of cookies and similar technologies. For full details on what cookies we use, how to manage your preferences, and your rights regarding cookies, please see our Cookie Policy.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account profile | Until account deletion |
| Transaction history | Until account deletion |
| Consent records | 7 years after account deletion (legal requirement) |
| Audit logs | 2 years (fraud prevention) |
| Waitlist email | Until unsubscribe or product launch |
Account Deletion
You can delete your account at any time through:
- The App: Settings > Delete Account
- Our website: Account Deletion Page
- Email: support@vouchapp.ca
When you delete your account, we permanently remove your profile, wallet balance, transaction history, unlocked brands, vouch history, and profile photo. Consent records are retained for legal compliance as noted above.
Children's Privacy
Vouch is not intended for users under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@vouchapp.ca and we will delete it promptly.
International Transfers
Your data is processed and stored in North America (Google Cloud/Firebase infrastructure). If you access Vouch from outside Canada, your information will be transferred to and processed in Canada, which may have different data protection laws than your country. By using Vouch, you consent to this transfer.
Email Communications and CASL (Canadian Anti-Spam Law)
Vouch App Ltd is a Canadian company subject to the Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23). This section explains how we handle commercial electronic messages (CEMs) in compliance with CASL.
Consent
- Waitlist emails: By submitting your email to our waitlist, you provide express consent to receive updates about the Vouch product launch and related marketing communications.
- Transactional emails: Account registration, password reset, and session notifications are sent as transactional messages and do not require separate marketing consent.
- Marketing emails: Promotional communications are sent only to users who have provided express or implied consent in accordance with CASL.
Unsubscribe
Every commercial electronic message we send includes a clear, functional unsubscribe mechanism. You can opt out of marketing emails at any time by:
- Clicking the unsubscribe link included in every email
- Emailing us at support@vouchapp.ca with "Unsubscribe" in the subject line
We process unsubscribe requests within 10 business days as required by CASL.
Sender Identification
All email communications from Vouch App Ltd will clearly identify us as the sender and include our mailing address: 65 Scadding Ave., Unit 101, Toronto, Ontario M5A 4L1, Canada.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or by updating the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Vouch App Ltd
65 Scadding Ave., Unit 101
Toronto, Ontario M5A 4L1
Canada
Email: support@vouchapp.ca