Privacy Policy
Last updated: 2026-04-21
1. Introduction
Vamio ("we", "our", "us") operates the Vamio mobile application. This Privacy Policy explains how we collect, use, and protect your information when you use our app.
2. Lawful Basis for Processing
We process your personal data under the following lawful bases under GDPR Article 6:
| Processing purpose | Lawful basis |
|---|---|
| Account creation / identity | Contract performance (Art. 6(1)(b)) |
| Location sharing in drive | Consent (Art. 6(1)(a)) — revocable at any time |
| Background location | Consent (Art. 6(1)(a)) — revocable at any time |
| Chat messages | Contract performance (Art. 6(1)(b)) |
| Crash + performance data | Legitimate interests (Art. 6(1)(f)) — app quality and stability |
| Product analytics (PostHog) | Legitimate interests (Art. 6(1)(f)) — anonymous usage analytics |
You may withdraw consent for location sharing at any time by revoking location permissions on your device or leaving a drive. You may request deletion of your account at any time (see §9).
3. Information We Collect
We collect the following information to provide our service:
- Account Information: Your name, email address, and profile photo provided through Apple Sign-In or Google Sign-In.
- Location Data: Your precise (GPS-level) location is collected when you join a drive to share it with other participants in your group. Background location is collected to maintain location sharing while the app is not in the foreground. Your account identifier is associated with location data to attribute it to the correct participant.
- Messages: Text messages and photos you send in drive group chats are stored to provide the chat feature.
- Device Information: Crash logs, device model, OS version, and app state may be collected to diagnose errors and improve app stability.
4. How We Use Your Information
- Location sharing: To show your real-time location to other participants in your drive group.
- Account management: To identify you within the app and display your profile to other drive participants.
- Chat: To deliver messages between participants in a drive.
- App improvement: Crash reports and diagnostics help us fix bugs and improve performance.
- Notifications: To send you drive invitations, updates, and alerts.
5. Data Sharing
We do not sell your personal information. Your data is shared only in these circumstances:
- With drive participants: Your name, profile photo, and location are visible to other members of drives you join.
- Service providers: We use Firebase (Google) for authentication, database, cloud functions, and push notifications; Google Maps for map display; Sentry for crash and error reporting. These providers process data on our behalf under their respective privacy policies.
- PostHog — Product analytics provider. Collects anonymous product interaction events and an anonymous device identifier to help us understand feature usage and improve the app. Data is not linked to your account identity. We do not sell or share your personal information for cross-context behavioral advertising; PostHog data is used solely for first-party product analytics. Provider: PostHog Inc., based in the United States. Privacy policy.
- Legal requirements: We may disclose information if required by law or to protect the safety of our users.
6. Content Moderation and Safety
To maintain a safe environment, Vamio provides the following tools:
- Report messages: You can report objectionable messages in drive chats. Reports are reviewed by our team and may result in action against the offending user.
- Block users: You can block other users to hide their messages from your view. Blocked users are not notified. You can unblock users at any time from your profile settings.
We reserve the right to remove content or suspend accounts that violate community standards or applicable laws.
7. Data Storage, Security, and International Transfers
Your data is stored on Firebase (Google Cloud) servers, which may be located outside your country of residence (including in the United States). We transfer data to servers operated by Google Cloud in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, which impose contractual safeguards on the data importer. Google Cloud also maintains supplementary technical measures (encryption in transit and at rest).
We use industry-standard security measures including encrypted connections (TLS), Firebase Authentication, Firebase App Check, and role-based access controls to protect your data.
8. Data Retention
Location data from completed drives is retained as part of the drive summary for as long as the drive record exists. When you leave a drive, your real-time location is no longer broadcast, but location data already recorded in the drive summary remains as part of that drive's history.
Messages you sent in a drive chat remain visible to other participants after you leave, unless you delete them individually before leaving.
Upon deletion request, your personal data is removed from our production systems within minutes and unlinked from your profile. Encrypted backups retained by Google Cloud are overwritten within 90 days through normal backup rotation. During that backup window, data is not accessible for any purpose except disaster-recovery procedures, which are audited and logged.
9. Your Rights
You can:
- Access and update your profile information within the app.
- Stop location sharing at any time by pausing or leaving a drive.
- Revoke location permissions at any time in your device settings.
- Delete your messages in drive chats.
- Report objectionable content and block other users.
- Delete your account directly from the app (Profile → Delete Account). Your personal data is removed from production systems within minutes. See our account deletion page for the full process, including a web-based deletion option if you no longer have access to the app.
- Contact us at support@vamio.app for any data-related requests, including erasure or export requests.
GDPR rights (EU/EEA users): If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate personal data.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data.
- Right to restrict processing (Art. 18) — request that we limit how we use your data.
- Right to data portability (Art. 20) — You may request a copy of personal data you provided to us in a structured, commonly-used, machine-readable format. Email support@vamio.app with the subject line "Data Export Request." We will respond within 30 days and provide an export where technically feasible.
- Right to object to processing (Art. 21) — object to processing based on legitimate interests.
- Right to lodge a complaint with a supervisory authority (Art. 77) — if you believe we have violated your rights, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU/EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
India DPDP Act rights (Indian users): Vamio is operated from Bangalore, Karnataka, India. Indian users have the following rights under the Digital Personal Data Protection Act 2023:
- Right of access — request a summary of personal data we hold and how it has been processed.
- Right to correction and erasure — request correction of inaccurate data or erasure of data no longer necessary for the purpose for which it was collected.
- Right to grievance redressal — raise a grievance with us directly; we will respond within 30 days. Contact: support@vamio.app.
- Right to complain to the Data Protection Board — if we fail to redress your grievance, you may file a complaint with the Data Protection Board of India established under the DPDP Act 2023.
10. Children's Privacy
Vamio is not intended for children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, please contact us.
11. Third-Party Services
Our app uses the following third-party services that may collect or process data:
- Firebase (Google) — Authentication, Firestore database, Realtime Database, Cloud Functions, Cloud Messaging. Processes account data, location data, messages, and push notification tokens.
- Sentry — Error and crash reporting. Receives crash logs, device info, and app state. Does not receive location data or message content.
- PostHog — Product analytics provider. Collects anonymous product interaction events and an anonymous device identifier to help us understand feature usage and improve the app. Data is not linked to your account identity. Provider: PostHog Inc., based in the United States. Privacy policy.
- Google Maps — Map display and geocoding. Receives location coordinates to render the map. Subject to Google's Privacy Policy.
- Apple Sign-In / Google Sign-In — Authentication only. Provides your name, email, and profile photo to create your account.
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users via email and/or in-app notification within 72 hours of becoming aware of the breach, in accordance with applicable laws. We will describe the nature of the breach, what data was affected, and what steps we are taking to address it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes through the app or by updating the "Last updated" date above.
14. Contact Us
If you have questions about this Privacy Policy or your data, contact us at: