Privacy — Vavaro

01

Who is responsible for your data (controller)

The controller responsible for processing your personal data is:

Abdullah Deniz (operating as a sole proprietor)
Winterthurerstrasse 33a, 8370 Sirnach
Email: [email protected]
App / website: vavaro.app · Google Play

Vavaro is established in Switzerland. This Policy is governed primarily by the Swiss Federal Act on Data Protection (FADP/revDSG). Where the EU/EEA General Data Protection Regulation (GDPR) applies to you (for example, because you are in the EU/EEA), we also comply with it, and the GDPR-specific rights and legal bases described below apply to you.

EU representative (Art. 27 GDPR)
Because we are established in Switzerland and offer the App to users in the EU/EEA, we have appointed a representative in the EU/EEA as a contact point for data-protection matters for EU/EEA users and supervisory authorities. Our EU representative is: [FILL IN: EU representative — name, address, email]

If you have any question about this Policy or your data, contact us at [email protected].

02

Summary — the short version

Your inventory lives on your device first. The App stores your data locally and, on mobile, encrypts it at rest. If you use the App as a guest it never leaves your device (except where you actively trigger an AI or lookup feature — see Section 5).
When you sign in, we sync a copy to our cloud (Google Firebase) so you don’t lose it. Our cloud infrastructure and AI processing run in the EU.
We use a small number of service providers (listed in Section 7) to run accounts, storage, AI valuation, payments, maps, barcode lookups, and feedback.
We do not sell your data, show ads, run advertising/tracking SDKs, use analytics or crash-reporting SDKs, or send marketing push notifications.
You can delete everything. Deleting your account wipes your cloud copy; uninstalling the App removes the local copy from your device.

03

The data we process

a) Account and identity data

Your email address and password when you create an account (passwords are handled and stored in hashed form by our authentication provider, Firebase Authentication — we never see your plaintext password).
An optional display name you choose to be greeted by.
A user identifier (UID) assigned by Firebase. If you start as a guest, we create an anonymous account with its own UID so on-device features work; when you sign up, that same identity is upgraded to your email account.
Authentication tokens needed to keep you signed in.

b) Your inventory content (data you create)

This is the core of the App and is entirely provided by you:

Properties — name, address, property type, country, currency, floor list, notes.
Rooms — name, type, floor, photos, notes.
Items — name, brand, model, category, condition, quantity, purchase price, purchase date, barcode, warranty dates, notes, and any photos or invoices/receipts you attach.
Containers (boxes/storage units) and their contents.
Insurance policies — provider name, coverage amount, deductible, valuation basis, and links to the property/items they cover.

c) Photos and documents

Item photos, invoices/receipts, and room photos you choose to attach. As a guest these stay on your device; once you have an account they are stored in our cloud file storage (see Section 6).

d) Location data

When you enter a property address, the App sends that address text to a geocoding service (Nominatim / OpenStreetMap) to turn it into map coordinates and to detect the country (which tailors valuation results). Map tiles are also loaded from OpenStreetMap. We do not track your live GPS location.

e) Data processed for AI features

AI valuation — to estimate the replacement and resale value of an item, we send the item’s attributes (such as name, brand, model, category, condition, age, country, currency) to Google Vertex AI (Gemini), processed in the EU.
AI photo recognition — when you add an item by photo, the image is sent inline to Google Vertex AI (Gemini) vision in the EU to suggest a name, brand, model and category. The image is sent directly to the model and is not published to a public URL or to any non-EU image-search provider.
On-device AI (“AI Companion”) — some insights are generated by a language model that runs entirely on your device. The data used for those insights does not leave your device.

f) Barcode lookups

If you scan a product barcode, the App sends the barcode number to UPCitemdb (api.upcitemdb.com) to look up basic product information (such as a product name). This provider is located in the United States (see Section 8). We send only the barcode, not your personal data.

g) Subscription and payment data

If you subscribe to Vavaro Pro, the payment itself is processed by the Apple App Store or Google Play — we never receive or store your card details. We use RevenueCat to manage subscription status; RevenueCat receives your app user identifier (your Firebase UID) together with purchase and entitlement information so we can unlock Pro features and keep your subscription in sync.

h) Device and technical data

Device model and operating-system version — read on-device to decide whether your device can run the optional on-device AI model.
App version, connectivity status, language/locale, and time zone — used to run the App correctly and to schedule local reminders.
App Check attestation tokens — your device generates an attestation (Google Play Integrity on Android, Apple App Attest on iOS) so our backend can confirm requests come from a genuine, untampered App. This is an anti-abuse measure and does not identify you personally.
IP address — as with any online service, your IP address is necessarily visible to the services your device connects to (e.g. Firebase, and the third-party services above) in order to deliver responses.

i) Feedback data (optional)

If you send feedback through the in-app feedback tool (Wiredash), we receive the feedback you write, any screenshot you choose to attach, and basic app/device metadata to help us understand the report.

j) Notifications

Reminders (such as warranty or policy-renewal alerts) are local notifications generated on your device. We do not operate a push-notification server and do not collect push tokens. Your notification preferences are stored locally on your device.

k) Aggregate, non-personal statistics

We record app-wide counts (for example, total number of users, properties, rooms and items) as periodic aggregate snapshots, computed using database count operations. These are anonymous totals used to understand product growth; they are not linked to any individual user and contain no personal data.

04

What we deliberately do not do

For transparency, the App does not:

sell, rent, or trade your personal data;
show advertising or use any advertising/marketing tracking SDK;
use third-party analytics or crash-reporting SDKs (e.g. Firebase Analytics, Google Analytics, Crashlytics);
send marketing push notifications, or use Firebase Cloud Messaging;
build advertising or cross-app tracking profiles;
ask for or collect more inventory data than you choose to enter.

05

Why we process your data and the legal bases

Under the GDPR (and the equivalent justifications under the Swiss FADP), we rely on the following legal bases:

Purpose	Data involved	Legal basis (GDPR)
Provide the App, store and sync your inventory, run your account	Account data (3a), inventory content (3b), photos/documents (3c)	Contract — Art. 6(1)(b)
Geocode property addresses and show maps	Address/location data (3d)	Contract — Art. 6(1)(b)
Generate AI valuations and recognise items from photos	AI-feature data (3e)	Contract — Art. 6(1)(b)
Look up products from a scanned barcode	Barcode (3f)	Contract — Art. 6(1)(b)
Process and manage your subscription	Subscription data (3g)	Contract — Art. 6(1)(b); legal obligation for payment/tax records — Art. 6(1)(c)
Keep the service secure and prevent abuse (App Check, quota limits)	Device/technical data (3h)	Legitimate interests — Art. 6(1)(f)
Understand product growth with anonymous totals	Aggregate statistics (3k)	Legitimate interests — Art. 6(1)(f) (no personal data)
Improve the App from feedback you choose to send	Feedback data (3i)	Consent — Art. 6(1)(a)
Access your camera/photos, and send local reminders	Camera/photo permission, notification permission	Consent — Art. 6(1)(a) (granted via your device’s OS permissions)

Where we rely on consent, you can withdraw it at any time (for example, by revoking a permission in your device settings or by not using the relevant feature); withdrawal does not affect processing already carried out.

06

Where your data is stored and data residency

On your device (primary copy). Your inventory is stored locally using an on-device database. On iOS and Android this local database is encrypted at rest (AES-256) with a key held in the device’s secure keystore (iOS Keychain / Android Keystore).
In our EU cloud (for signed-in users). When you have an account, a copy of your data is synced to Google Firebase / Google Cloud, configured for the EU:
- Database (Cloud Firestore) — EU region;
- File storage (Firebase Storage) — europe-west10, Berlin, Germany;
- Server functions and AI processing (Cloud Functions / Vertex AI) — pinned to europe-west1 (Belgium).
Guests/anonymous users. If you have not signed up, your data and photos stay on your device and are not synced to our cloud (other than the feature-specific calls in Section 5 that you actively trigger).

Data in transit is protected with TLS encryption. Access to your cloud data is restricted by server-side security rules that scope your records to your own authenticated account.

07

Service providers (sub-processors) we share data with

We share data only with providers that help us run the App, and only as needed for the purposes above. Each acts as our processor or as an independent controller for its own platform.

Provider	Purpose	Region
Google (Firebase / Google Cloud) — Authentication, Firestore, Storage, Cloud Functions, App Check, Vertex AI (Gemini)	Accounts, cloud sync, file storage, AI valuation & photo recognition, anti-abuse	EU (storage Berlin; functions/AI `europe-west1`)
Apple — App Store	In-app subscription purchase & billing (iOS)	USA / global
Google — Google Play	In-app subscription purchase & billing (Android)	USA / global
RevenueCat	Subscription status and entitlement management	USA
OpenStreetMap Foundation / Nominatim	Address geocoding and map tiles	EU/UK
UPCitemdb	Barcode → product-information lookup	USA
Wiredash	Optional in-app feedback collection	EU (Germany)

We may add or change providers as the App evolves; we will update this list and, where required, notify you.

08

International data transfers

We process personal data in the EU by default. Some providers, however, may process limited data outside the EU/EEA and Switzerland — principally:

UPCitemdb (USA) — receives only the barcode number you scan, not your personal data;
Apple, Google (Play) and RevenueCat (USA / global) — for subscription processing and management.

Where personal data is transferred outside the EU/EEA or Switzerland, it is protected by appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs), the Swiss addendum to the SCCs, and/or the provider’s certification under the EU–US / Swiss–US Data Privacy Framework, as applicable. You can request more detail on the safeguards in place by contacting us at [email protected].

09

How long we keep your data

Inventory and account data — kept for as long as you keep your account. You can edit or delete individual records at any time inside the App.
Account deletion — when you delete your account, we wipe your cloud copy (properties, rooms, items, containers, insurance policies, and stored photos/documents). Uninstalling the App removes the local copy from your device. Residual copies may persist briefly in routine backups before being overwritten.
Anonymous (guest) accounts — unused anonymous accounts may be cleaned up after a period of inactivity.
Subscription/payment records — retained by the App Stores and RevenueCat, and by us where required, for the periods their policies and applicable accounting/tax law require.

10

Your rights

Subject to the conditions in the GDPR and the Swiss FADP, you have the right to:

access the personal data we hold about you;
rectify inaccurate or incomplete data;
erase your data (“right to be forgotten”);
restrict or object to certain processing;
data portability — receive your data in a structured, common format;
withdraw consent where processing is based on consent;
lodge a complaint with a supervisory authority.

Many of these you can exercise yourself directly in the App — you can view, edit, export (for example, via the inventory/insurance export), and delete your data, including deleting your whole account. For anything else, contact us at [email protected] and we will respond within the timeframes required by law.

Supervisory authorities.

In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC / EDÖB).
In the EU/EEA: your local data-protection authority.

11

Children

The App is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.

12

Security

We protect your data with measures including: encryption at rest on mobile devices, TLS encryption in transit, server-side access rules that scope data to your own account, device attestation (App Check) to block tampered clients, and server-side quotas to limit abuse of AI features. No method of storage or transmission is ever completely secure, but we work to protect your data using appropriate technical and organisational measures.

13

Changes to this Policy

We may update this Policy as the App changes or as legal requirements evolve. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the App. Please review it periodically.

14

Contact

Questions, requests, or complaints about your data:

Abdullah Deniz
Winterthurerstrasse 33a, 8370 Sirnach
[email protected]

Privacy Policy