Privacy Policy

Last updated: 18 March 2026

This Privacy Policy explains how Varoavo ("we", "our", or "us") collects, uses, and protects your information when you use our mobile application, websites, and related services (collectively, the "Service"). By using Varoavo, you agree to the collection and use of information in accordance with this Policy.

1. Information We Collect

1.1 Information You Provide

  • Phone number — required for account creation and login via one-time password (OTP).
  • User profile details — such as first name and last name.
  • Provider (business) details — such as business name, category, address, time slots, and configuration.
  • Profile photos and business images — if you choose to upload a profile picture, logo, or storefront photo.
  • Booking details — such as whom you book for (yourself or others) and token-related notes where available.

1.2 Information Collected Automatically

  • Log and usage data — including device type, operating system, app version, and basic interaction events used to improve stability and performance.
  • Queue and token history — records of tokens you create or manage, including queue positions, status (active/completed/cancelled/no-show), and timestamps.
  • Provider analytics data — aggregated statistics (such as total visitors per day, walk-ins vs advance tokens) for providers.
  • Analytics and diagnostic data — app performance metrics, crash reports, error logs, and anonymized usage patterns collected via analytics services (such as Firebase Analytics and Firebase Crashlytics) to help us identify and fix bugs, improve stability, and understand feature usage.

1.3 Location Information

  • Approximate or precise location — when you grant permission, we may use device GPS or other signals to show nearby providers and improve recommendations.
  • Provider business coordinates — we geocode provider addresses to GPS coordinates to calculate approximate distance and perform proximity-based sorting.

You can control location access using your device settings. If you withdraw permission, some location-based features may not function.

1.4 Device Permissions and Related Data

The app may request access to certain device features. When you grant these permissions, data related to that feature may be processed as necessary to provide the Service:

  • Camera — used to scan QR codes for token generation and, where enabled, to capture profile or business photos.
  • Photos/Media/Storage — used to upload or select images for your profile or business and to save QR codes or other assets you choose to download.
  • Location — used to show nearby providers, improve search results, and support provider analytics in aggregate.
  • Notifications — used to send OTPs (where applicable), booking confirmations, queue status updates (e.g., when your turn is near), and important account or service messages.
  • Network/Internet — required to communicate with our backend servers and sync your data.
  • Microphone/Audio (Android) — requested by the underlying configuration; at present we do not use audio recording as a core feature and do not store audio by default. If we introduce explicit audio features in future, we will update this Policy accordingly.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Account creation and authentication — to register you, verify your phone number, and maintain your session.
  • Providing core features — to enable token creation, queue management, provider discovery, QR-based walk-ins, and booking history.
  • Location-based discovery — to show relevant providers near you or in your selected area.
  • Service optimization — to monitor performance, prevent abuse or fraud, and improve app reliability and UX.
  • Performance monitoring and diagnostics — to detect crashes, measure app performance, and identify technical issues requiring fixes.
  • Analytics and reporting — to generate aggregated statistics for providers (for example, total daily visitors, peak times) without exposing individual user identities beyond what is necessary for queue operations.
  • Communications — to send you notifications about your tokens, queue status, important changes to the Service, and security alerts.
  • Compliance and safety — to comply with legal obligations, enforce our Terms, and protect our rights and the rights of others.

3. Legal Bases (Where Applicable)

Depending on your jurisdiction, our legal basis for processing personal data may include the necessity to perform our contract with you (providing the Service), your consent (for example, for certain notifications or location access), compliance with legal obligations, and our legitimate interests (such as improving and securing the Service).

4. Sharing and Disclosure

4.1 With Service Providers

We use third-party service providers to operate and support the Service, for example:

  • Backend hosting, database, authentication, and real-time updates (e.g., Supabase or similar platforms).
  • Push notification delivery services.
  • Infrastructure, monitoring, and logging tools used to maintain security and performance.
  • Analytics and crash reporting services (for example, Firebase Analytics, Firebase Crashlytics) to monitor app health, identify errors, and understand usage patterns.

These providers process data on our behalf and are bound by contractual obligations to protect your information.

4.2 With Providers (Business Accounts)

When you interact with a provider through Varoavo (for example, by generating a token), certain information is shared with that provider as necessary to deliver the service, such as your name, token number, and queue position. Providers may also see historical token information related to their own business.

4.3 For Legal Reasons

We may disclose information if we reasonably believe it is necessary to:

  • Comply with applicable law, regulation, or legal process.
  • Enforce our Terms and protect the integrity of the Service.
  • Protect the rights, property, or safety of Varoavo, our users, or the public.

5. Data Retention

  • Account data — retained for as long as your account is active and for a reasonable period thereafter as required for legitimate business or legal purposes.
  • Token and queue data — retained for a limited period (for example, around 90 days) to support history views and provider analytics, after which it may be aggregated or anonymized.
  • Backups and logs — retained for limited durations consistent with operational and legal requirements (for example, rolling backup windows such as 30 days).

We may retain anonymized or aggregated data (which does not identify you) for longer to help improve the Service.

6. Data Security

We take reasonable technical and organizational measures to protect your information, including:

  • Encryption in transit — all data transmitted between your device and our servers is protected using secure HTTPS connections.
  • Encryption at rest — our database infrastructure encrypts all stored data at the disk level to protect against unauthorized physical access.
  • Row-level security policies — database-level access controls ensure users can only view and modify their own data, and providers can only access data related to their business operations.
  • Access controls — role-based permissions and authentication mechanisms restrict access to sensitive systems and data.
  • Monitoring and logging — we monitor systems for unusual activity, potential abuse, and security threats.

However, no system can be completely secure, and we cannot guarantee absolute security. You are responsible for keeping your device secure and up to date.

7. Children's Privacy

The Service is not directed to children under the age where they cannot legally consent to data processing in their jurisdiction (for example, 13 or 16). We do not knowingly collect personal data from such children without appropriate consent. If you believe a child has provided us with personal information without proper consent, please contact us so we can take appropriate action.

8. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal data, including:

  • Accessing the personal data we hold about you.
  • Requesting correction of inaccurate or incomplete data.
  • Requesting deletion of your data, subject to legal and operational requirements.

You can exercise many of these rights directly within the app (for example, updating profile details or managing permissions) or by contacting us using the details provided below.

9. International Transfers

Our service providers and infrastructure may be located in different countries. Where data is transferred across borders, we take steps to ensure that appropriate safeguards are in place in accordance with applicable data protection laws.

10. Third-Party Links

The Service may contain links to third-party websites or services (for example, provider web pages or social media profiles). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. Significant changes may also be communicated in the app or via other appropriate channels. Your continued use of the Service after such changes become effective constitutes your acceptance of the updated Policy.

12. Contact Us

If you have any questions about this Privacy Policy, your data, or your rights, please contact us at support@varoavo.com.