Privacy Policy
How Volyia handles your data.
Last updated: May 28, 2026 · Effective: May 28, 2026
TL;DR
- Volyia is on-device first. Your onboarding answers, mood entries, alarm settings, and bedtime ritual data stay on your phone unless you sign in.
- If you sign in, that data syncs to our Supabase backend so it survives reinstalls and follows you to a new device.
- We never sell your data, and we never share it for advertising.
- You can delete your account and all server-side data from inside the app (You → Account → Delete account) at any time.
- We use Sentry for crash reports. Personal data is stripped before it leaves your device.
This Privacy Policy explains what data Volyia collects, why, and what
choices you have. We've tried to write it like a human, not a lawyer.
Volyia is operated by Goshen Consulting LLC ("we", "us").
Contact: privacy@goshenconsultingllc.com
1. What data we collect
1.1 Data you give us during onboarding
The 7 onboarding screens ask about your sleep/wake bands, meal regularity,
hydration, movement, mood baseline, goals, constraints, and pace. This data
stays on your device until you sign in.
1.2 Data you create while using Volyia
- Mood entries — the mood you tap on the Today screen or after the Bedtime ritual, plus optional reasons. On-device; synced to our backend if signed in.
- Smart Wake settings — wake time, alarm sound choice, alarm mode (Tap-to-Wake / Space Maze / Rooster Run / Gentle Wake), tap-target. On-device only.
- Notification preferences — per-channel toggles (Wake, Morning, Bed, Nutrition, Movement). On-device only.
1.3 Data we collect when you sign in
When you sign in via email magic-link or Google:
- Your email address — used to identify your account and to send the magic-link code.
- A Supabase auth token — stored in your device's local storage, used to keep you signed in.
- Your mood entries and onboarding profile — synced to your account so they follow you across devices.
We do not receive your Google password or any other Google profile field beyond email + a stable user identifier.
1.4 Data Volyia does not collect
- We do not collect contacts, photos, files, microphone audio, or precise location.
- We do not collect activity data from HealthKit, Google Fit, or any other health-tracking service in v1.0.
- We do not use advertising identifiers (IDFA, GAID).
- We do not track you across other apps or websites.
1.5 Permissions Volyia requests
- Notifications — to send Smart Wake alarms and daily nudges you opted into.
- Exact alarm / full-screen intent (Android) — required for Smart Wake to fire at the precise time you set, like a real alarm clock.
- Motion / Activity Recognition — optional. Used in step-based wake modes. Never sent off-device.
- Wake lock / foreground service (Android) — keeps Smart Wake reliable when the phone is dozing.
2. How we use your data
We use your data only to:
- Run Volyia for you — show your patterns, fire your alarms, sync your moods across devices, personalize Today/Insights copy based on your own history.
- Keep Volyia working — diagnose crashes via Sentry (with personal data scrubbed first).
- Communicate with you — only the magic-link sign-in code, sent via Resend on our behalf. We do not send marketing email from your account record.
We never use your data to: sell to data brokers, advertisers, or insurers; train external AI models (heuristic insights run on your device); or build a profile to target ads.
3. Who we share data with
3.1 Service providers we use
| Provider | What they receive | Why |
| --- | --- | --- |
| Supabase (Postgres + Auth) | Your email, mood entries, profile data, auth tokens | Stores your account so it syncs across devices |
| Resend | Your email + magic-link code | Delivers the sign-in code |
| Sentry | Crash reports + device metadata (OS, app version) | Diagnoses bugs. Personal data is scrubbed before sending |
| Google Sign-In | A short-lived ID token only when you choose Google | Verifies your Google identity |
| Expo / EAS | App update channel only | Delivers app updates |
We have written agreements with these providers and they act only on our instructions.
3.2 We do not share with anyone else
We do not sell, rent, or trade your data. We do not share it for advertising. We do not allow third parties to build behavioral profiles of you using Volyia data.
3.3 Legal disclosures
If we receive a legally binding request from law enforcement (subpoena, court order), we may disclose the minimum data required by that request. We will notify you first unless legally prohibited.
4. Where data is stored
- On your device — by default. Your unsynced data lives in your device's local storage.
- Supabase — if you sign in, in our project hosted in us-west-1 (United States).
- Sentry — crash reports in Sentry's US region.
If you're in the EU/UK, your sign-in implies you consent to data transfer to the United States for the purposes described above.
5. How long we keep data
- On-device data — kept until you delete the app or reset onboarding.
- Account data on Supabase — kept while your account is active. The moment you tap Delete account (You → Account), all server-side rows associated with your user ID are deleted, and your auth user is removed. This is irreversible.
- Sentry crash reports — retained per Sentry's default retention (90 days), then deleted.
6. Your rights and choices
Wherever you live, you can:
- Access the data you've created — visible directly in the app (Today, Day, Insights, You).
- Export your data — email us at privacy@goshenconsultingllc.com and we'll send you a JSON copy within 30 days.
- Delete your account and all server-side data — You → Account → Delete account.
- Disable notifications — Settings → Apps → Volyia → Notifications (Android) or Settings → Notifications → Volyia (iOS).
- Revoke Google Sign-In at any time via your Google account's Security → Third-party access page.
Residents of the EU, UK, California, and similar jurisdictions
You additionally have the right to rectify inaccurate data, restrict processing, withdraw consent, object to processing, and lodge a complaint with your local data protection authority. Email privacy@goshenconsultingllc.com and we'll honor these rights within 30 days.
7. Children
Volyia is not directed to children under 13 (or under 16 where local law requires). We do not knowingly collect data from children. If you believe a child has provided data to us, email privacy@goshenconsultingllc.com and we will delete it.
8. Security
- Auth tokens are stored in your device's secure storage.
- All network traffic to Supabase, Sentry, and Resend uses TLS.
- Supabase Row-Level Security ensures each user can only read/write their own rows.
- Sentry receives crash reports with a beforeSend scrubber that removes email, mood values, mood reasons, and any field whose key contains "token" or "password".
No system is perfectly secure. We follow industry-standard practices but cannot guarantee absolute security.
9. Changes to this policy
We'll update this page when we change how we handle data. Material changes will be announced via an in-app notice the first time you open the app after the change. The "Last updated" date at the top reflects the most recent revision.
10. Contact
Questions, requests, or complaints: