Privacy Policy for Voli App

Effective Date: April 2, 2026
Last Updated: April 2, 2026

1. Introduction

Welcome to Voli ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App").

Developer Information:

Legal Name: Kutaisi City Hall

Business Address: Rustaveli Ave N3, Kutaisi, Georgia

Email: youth@kutaisi.gov.ge

Phone: +995 431 24 26 51 / +995 595 250 309

Company Registration Number: 212721170

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

Account Registration:

First and last name

Email address

Date of birth (used to verify users are at least 13 years old)

Password (stored as an encrypted hash — we never see your plain-text password)

Phone number (optional)

Profile picture (optional)

Bio / about me text (optional)

Event Participation:

Events you register for and attend

Comments submitted during event registration

Up to 3 photos uploaded per volunteer task as proof of completion (photos are compressed to JPEG at 80% quality before upload)

Volunteer hours and activity completion details

Vouchers:

Vouchers you request and redeem

QR code scan records associated with voucher redemption

Communications:

Messages and inquiries submitted through the in-app contact form (subject and message text)

2.2 Information Collected Automatically

Device Information:

Device type and model

Operating system name and version (iOS or Android)

App version

Firebase Cloud Messaging (FCM) device token, used to deliver push notifications

Usage Information:

Events viewed, searched for, and registered for

Map interactions and event location views

Vouchers browsed and redeemed

Volunteer tasks viewed and completed

Achievement progress and badges earned

Notification interactions (opened, dismissed)

Features used within the App

Time spent in the App

Local Storage (on your device only):

Authentication tokens (access token and refresh token), stored securely using iOS Keychain or Android Keystore via expo-secure-store — these never leave your device in plain text

FCM device token, stored for notification delivery

App preferences and cached event data for faster loading

2.3 Information from Third-Party Sign-In

If you choose to sign in using Google or Facebook, we receive the information you authorize those services to share:

Google Sign-In:

Full name

Email address

Profile picture (if public)

Google account ID

Facebook Login:

Full name

Email address

Profile picture (if public)

Facebook account ID

We do not receive your Google or Facebook password. Authentication is handled entirely by those platforms via a secure OAuth flow. We only receive a token confirming your identity.

3. How We Use Your Information

Account and Core Functionality:

Create and manage your account

Authenticate you securely on login and across sessions

Display volunteer events and opportunities relevant to Kutaisi

Process event registrations and track attendance

Record volunteer participation hours and task completions

Calculate and award volunteer points and achievement badges

Enable voucher redemption with partner organizations

Display event locations on the map

Notifications:

Send push notifications about events you registered for

Notify you about new achievements and point milestones

Send important App updates and service announcements

Deliver notifications via Firebase Cloud Messaging using your device token

Communication:

Respond to inquiries and support requests submitted via the contact form

Send email notifications related to your account (email verification, password reset)

Phone Verification:

If you provide a phone number and choose to verify it, we send a one-time SMS code to confirm ownership

Safety and Security:

Verify that users are at least 13 years old at registration

Detect and prevent fraud, abuse, and fake participation records

Enforce our Terms of Service

Protect against unauthorized access to accounts

Service Improvement:

Improve App performance, stability, and user experience

Debug and fix technical issues

Develop new features based on usage patterns

Note: Firebase Analytics is currently disabled in the App. We do not use third-party analytics platforms.

Marketing: We do not send marketing emails or promotional messages. We do not use your data for advertising purposes.

4. How We Share Your Information

We do not sell your personal information. We share your data only in the following limited circumstances:

Partner Organizations (Voucher Redemption):
When you redeem a voucher at a partner location, we share with that partner only the minimum information needed to process the redemption: your name, the voucher details, and the QR code scan confirmation. Partners do not receive your email address, date of birth, phone number, or any other personal data.

Third-Party Service Providers:
We use the following services that may process some of your data as part of operating the App:

Service | Provider | Purpose | Data Received ---|---|---|--- Google Maps Platform | Google LLC | Display event locations on map | Location coordinates from events (not your GPS location) Firebase Cloud Messaging | Google LLC | Push notifications | Device FCM token, notification content Google OAuth | Google LLC | Sign-in with Google (if chosen) | Name, email, profile picture, Google ID Facebook Login | Meta Platforms | Sign-in with Facebook (if chosen) | Name, email, profile picture, Facebook ID Expo Services | Expo Inc. | App infrastructure and deployment | Basic crash and performance telemetry

Privacy policies of these providers:

Google: https://policies.google.com/privacy

Meta (Facebook): https://www.facebook.com/privacy/explanation

Expo: https://expo.dev/privacy

Cloud Infrastructure:
Your data is stored on Kutaisi City Hall servers located in Kutaisi, Georgia.

Legal Requirements:
We may disclose your information if required by Georgian law, court order, or government authority, or to protect the rights, property, or safety of our users or the public.

Business Transfers:
We will not transfer your personal data to any third party in the event of a restructuring or transfer without your explicit consent.

5. Data Retention

Data Type | Retention Period ---|--- Account data (name, email, DOB, bio) | Retained while your account is active Event participation records | Retained indefinitely for volunteer history integrity Uploaded photos | Retained while your account is active Voucher redemption records | Retained for 2 years for audit and fraud prevention Support messages | Retained for 1 year after resolution Authentication tokens | Stored on your device only; invalidated on logout or account deletion FCM device token | Deleted from our servers when you log out or delete the account Backup data | Deleted data may persist in backups for up to 30 days

If you delete your account, all personal data is permanently deleted within 30 days, except where we are required by law to retain it.

6. Your Rights and Choices

Access and Update:
You can view and update your name, phone number, date of birth, profile picture, and bio at any time via Profile → Edit Profile. You can change your password via Profile → Change Password.

Delete Your Account:
You can delete your account directly within the app by navigating to Profile → Settings → Delete Account. This will permanently delete all your data including volunteer hours, points, vouchers, and uploaded photos. Deletion is processed immediately, with backup data purged within 30 days.

Alternatively, you can request account deletion by emailing youth@kutaisi.gov.ge. We will process your request within 30 days.

Notification Preferences:
You can manage push notifications via Profile → Notifications, or disable them entirely in your device settings (iOS: Settings → Notifications → Voli / Android: Settings → Apps → Voli → Notifications). Note that some service notifications (email verification, password reset) are sent via email and are not affected by this setting.

Camera and Photo Library:
You can revoke camera and photo library access at any time in your device settings:

iOS: Settings → Privacy → Camera / Photos → Voli

Android: Settings → Apps → Voli → Permissions

Revoking these permissions disables QR code scanning and photo uploads. The rest of the App continues to work normally.

Phone Number:
Providing a phone number is optional. You can remove it by editing your profile.

Third-Party Sign-In:
If you signed in with Google or Facebook, you can revoke the App's access via your Google or Facebook account settings. This will not delete your Voli account — contact us at youth@kutaisi.gov.ge to request full deletion.

Additional Rights for EU/EEA Residents (GDPR)

If you are located in the EU or EEA, you have the following rights:

Right of access — request a copy of your personal data

Right to rectification — request correction of inaccurate data

Right to erasure — request deletion of your personal data

Right to restrict processing — request that we limit how we use your data

Right to data portability — request your data in a machine-readable format

Right to object — object to certain types of processing

Right to withdraw consent — withdraw consent at any time without affecting past processing

To exercise these rights, email youth@kutaisi.gov.ge. We will respond within 30 days.

Additional Rights for California Residents (CCPA)

If you are a California resident:

Right to know what personal information we collect and how it is used

Right to delete your personal information

Right to opt out of the sale of personal information (we do not sell data)

Right to non-discrimination for exercising your privacy rights

Additional Rights for UK Residents

You have rights under UK GDPR equivalent to those listed for EU residents above. Contact youth@kutaisi.gov.ge to exercise them.

7. Data Security

We implement the following security measures to protect your information:

Encryption in Transit:
All data transmitted between the App and our servers uses HTTPS (TLS) encryption.

Password Security:
Passwords are never stored in plain text. They are hashed using industry-standard algorithms before storage. We never have access to your plain-text password.

Token Security:
Authentication tokens are stored on your device using platform-provided secure storage — iOS Keychain and Android Keystore — via the expo-secure-store library. Tokens are never stored in unencrypted local storage.

Token Rotation:
Access tokens are short-lived and automatically refreshed using a secure refresh token. On logout, both tokens are invalidated and deleted from your device.

Access Controls:
Employee access to personal data is restricted on a strict need-to-know basis.

Infrastructure Security:
Kutaisi City Hall maintains server security including firewalls and regular security updates.

Note: No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Children's Privacy

The App is not intended for children under 13 years of age. We require users to provide their date of birth at registration and do not permit accounts for users under 13.

If we learn that a child under 13 has created an account, we will delete the account and all associated data promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at youth@kutaisi.gov.ge and we will delete it immediately.

Users between 13 and 18 confirm that a parent or guardian has given permission for them to use the App.

9. Child Safety Standards

Voli is committed to maintaining a safe environment for all users, especially minors.

Our standards against Child Sexual Abuse and Exploitation (CSAE):

Voli has a zero-tolerance policy for any content or behavior related to child sexual abuse or exploitation (CSAE)

Any user found sharing, distributing, or engaging in CSAE-related content or behavior will be immediately banned and reported to the relevant national and regional authorities

Users can report child safety concerns directly within the app

We comply with all applicable child safety laws and cooperate fully with law enforcement agencies

We report any detected CSAE content to the National Center for Missing & Exploited Children (NCMEC) and relevant Georgian authorities as required by law

Contact for child safety concerns:
youth@kutaisi.gov.ge

To report child safety concerns in-app, use the report function available on user profiles and content.

9. International Data Transfers

Your data is stored and processed on servers located in Kutaisi, Georgia. We do not transfer personal data outside of Georgia. Third-party services (Google, Meta, Expo) may process limited technical data (device tokens, OAuth credentials) on their own infrastructure outside Georgia, in accordance with their own privacy policies and applicable data transfer frameworks.

10. Storage Technologies

The Voli App uses the following local storage mechanisms:

Storage Type | Purpose ---|--- Secure Storage (iOS Keychain / Android Keystore) | Store authentication tokens securely AsyncStorage / local cache | Store app preferences and cached event data FCM Token | Stored locally and on our servers to enable push notifications

We do not use web cookies or web tracking technologies. We do not use advertising SDKs or tracking pixels.

11. Third-Party Links

The App may contain links to partner organization websites or event pages. We are not responsible for the privacy practices of those websites. We recommend reviewing the privacy policies of any third-party sites you access through the App.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via an in-app notification and update the "Last Updated" date at the top of this document. Continued use of the App after changes constitutes acceptance of the updated policy.

13. Cookie Policy

The Voli mobile app does not use cookies. We use the following device-side storage:

Secure Storage (Keychain/Keystore): authentication tokens

Local cache: app preferences and event data for faster loading

FCM Token: for push notification delivery

We do not use web tracking technologies or advertising cookies.

14. Do Not Track

The App does not respond to Do Not Track (DNT) signals. Analytics are currently disabled in the App.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: youth@kutaisi.gov.ge
Address: Rustaveli Ave N3, Kutaisi, Georgia
Phone: +995 595 250 309
Response Time: Within 10 business days

16. Governing Law

This Privacy Policy is governed by the laws of Georgia. Any disputes arising from this Privacy Policy will be resolved in the Kutaisi City Court.

For EU/EEA residents who wish to file a complaint with a supervisory authority, see: https://edpb.europa.eu/about-edpb/about-edpb/members_en

17. Language

This Privacy Policy is provided in English. A Georgian-language version is available upon request at youth@kutaisi.gov.ge. In the event of any discrepancy between versions, the English version prevails.

18. Acceptance

By registering an account or using the Voli App, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

Version: 1.1