Privacy Policy

DRAFT — pending legal review. This text is an engineering draft prepared to satisfy the App Store privacy-disclosure requirement and to document how Vinyaas handles personal data. It is not final legal advice and is subject to attorney review before launch.

Version: 0.1.1 (pre-release draft) — accompanies Terms of Service 0.1.1
Effective Date: Not yet in effect — pre-launch review
Last Updated: June 22, 2026


1. Who We Are

This Privacy Policy describes how Holicow LLC ("Holicow," "we," "us," or "our"), a Washington limited liability company, handles personal data in connection with the Vinyaas mobile application and related services (collectively, the "Service").

Contact: [email protected] | https://holicow.app/vinyaas/privacy

2. The Two Roles in Vinyaas (Please Read First)

Vinyaas lets an organizer build a directory — a structured list of people (for a club, class, congregation, team, family, or community) — and optionally invite those people to view or manage their own entry. Because of this structure, there are two different data-protection relationships, and which one applies determines who is responsible for what:

  • Your own account. For the personal data of the person who holds a Vinyaas login (name, email, password) and uses the app, Holicow is the data controller. This Policy governs that processing.

  • The contents of a directory. For the personal data an organizer collects about other people and stores in their directory (the "directory data"), the organizer is the data controller and Holicow is a data processor that stores and processes that data on the organizer's instructions. The organizer decides what to collect, why, and on what lawful basis; Holicow provides the platform.

In plain terms: Holicow is responsible for the app and your account. The organizer is responsible for the people they choose to list and for having a lawful basis to list them. Organizers who are subject to the GDPR should also read our Data Processing Addendum, which forms the Article 28 contract between the organizer (controller) and Holicow (processor).

3. Who This Policy Applies To

  • Organizers (directory owners, admins, and editors) — must be 18 years of age or older to create or administer a directory.
  • Members and viewers — people invited into a directory who install the app to view or manage their own entry.
  • Data subjects — people listed in a directory who may never install the app. Their personal data is collected and controlled by the organizer; Holicow processes it on the organizer's behalf.

The Service is offered internationally. Depending on where you live, the GDPR (EU/UK), the California Consumer Privacy Act ("CCPA"), and other regional privacy laws may apply.

4. Information We Collect

4.1 Information You Provide (Account)

  • Account information: name, email address, password (stored as a one-way hash).
  • Social login: if you sign in with a third-party provider (e.g. Google or Apple), the provider's account identifier and basic profile fields you authorize.
  • Profile information: optional avatar image.
  • Support communications: if you contact us, we keep a record of the correspondence.

4.2 Directory Data (Controlled by the Organizer)

When an organizer builds a directory, they define a schema and enter data about the people in it. Depending on the organizer's choices, this can include names, email addresses, phone numbers, photographs, and any other fields the organizer configures. Holicow stores and processes this data as a processor on the organizer's instructions; the organizer determines what is collected and why.

4.3 Information Collected Automatically

  • Device information: device model, operating-system version, locale, time zone.
  • App-version information: the version of the Vinyaas app you are using.
  • Identifiers: an app-generated device identifier (used for sync and security) and push-notification tokens (if you grant permission).
  • Usage information: API request logs, IP address, request timestamps, error reports, and crash diagnostics.

4.4 Information from Payment Processing

We do not collect or store payment-card numbers, CVCs, or bank-account details. Directory subscriptions ($69.99 per directory per year, after a 30-day free trial) are processed by Apple, Inc. through Apple In-App Purchase using your Apple ID. From Apple we receive an opaque transaction identifier, the product purchased, period start/end dates, renewal/cancellation status, and Sandbox-vs-Production markers. We do not receive your card brand or number.

5. How We Use Information

For account data (where Holicow is the controller), we use information to:

  • operate, maintain, secure, and provide the Service;
  • authenticate you and manage your sessions;
  • send transactional communications (account verification, billing notices, Terms-update notices, push notifications you opt into, security alerts);
  • prevent and investigate fraud, abuse, or violations of our Terms of Service;
  • comply with legal obligations and respond to lawful requests;
  • improve and develop features, using aggregated or anonymized analytics where reasonably possible.

For directory data (where Holicow is the processor), we process information only to provide the Service to the organizer and on the organizer's documented instructions, and as described in the Data Processing Addendum.

6. Lawful Bases (GDPR)

Where the GDPR applies, we rely on the following bases:

  • Contract (Art. 6(1)(b)) — to create and operate your account and provide the Service you sign up for, and to bill directory subscriptions.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud and abuse, and maintain operational logs.
  • Legal obligation (Art. 6(1)(c)) — to retain certain records and respond to lawful requests.
  • Consent (Art. 6(1)(a)) — for optional features such as push notifications, and as the basis a member gives when they agree to share their entry within a directory.

For directory data, the organizer (as controller) is responsible for establishing the lawful basis for collecting and listing each data subject. Holicow processes that data on the organizer's behalf.

7. How We Share Information

7.1 Within a Directory

Data in a directory is visible to the directory's organizers and, depending on settings and member consent, to other members of that directory. A member can withdraw consent so their entry is hidden from other members.

7.2 With Sub-Processors

We share data only with service providers ("sub-processors") necessary to operate the Service, under written agreements that restrict their use of the data to providing services to us. As of the Last Updated date, these are:

| Sub-processor | Purpose | Processing location |
|---|---|---|
| Apple, Inc. | In-App Purchase billing, App Store distribution, push notifications (APNs) | United States |
| Cloudflare, Inc. | Object storage (Cloudflare R2) for uploaded files and images; content delivery | United States / global edge |
| Amazon Web Services, Inc. | Transactional email delivery (Amazon SES) | United States |
| Laravel Holdings, Inc. | Application hosting and database (Laravel Cloud) | United States |

The current sub-processor list is maintained in the Data Processing Addendum. We will update it as our providers change.

7.3 For Legal and Safety Reasons

We may disclose information if required by law, subpoena, or court order; to protect the rights, property, or safety of Holicow, our users, data subjects, or others; or to investigate fraud, security, or technical issues. We maintain a zero-tolerance policy for child sexual abuse material and will report it to NCMEC and law enforcement.

7.4 In a Business Transaction

If Holicow is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to this Policy and applicable law.

7.5 We Do Not Sell Your Information

We do not sell personal information for monetary consideration and do not engage in cross-context behavioral advertising.

8. International Data Transfers

The Service is hosted in the United States (Laravel Cloud) and uses a global content-delivery and storage network (Cloudflare). If you are located in the EEA, the UK, or elsewhere outside the United States, your personal data will be transferred to and processed in the United States. Where required, such transfers are made under appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, which are incorporated into our agreements with sub-processors and into the Data Processing Addendum between organizers and Holicow.

9. Data Retention

We keep personal data only as long as necessary for the purposes described above, then delete or anonymize it. The periods below are our standard retention rules (periods marked [to be confirmed] are pending final operational confirmation):

| Category | Retention period |
|---|---|
| Active account data | For as long as your account is open. |
| Deleted accounts | Identifying fields deleted or anonymized within 30 days of account deletion, except records under legal hold and the audit/billing records below. |
| Directory data — on erasure ("forget me") | Entry hidden immediately; permanently deleted after a 31-day grace period. |
| Directory data — on non-payment | Directory archived, then permanently deleted after 90 days if not reactivated. |
| Consent & Terms-acceptance audit records | Retained for the life of the account plus 6 years [to be confirmed] as the legal record of consent. The incidental metadata in these records (IP address, user-agent, device identifier) is automatically scrubbed after 24 months [to be confirmed], while the proof of acceptance is preserved. |
| Support communications | 24 months [to be confirmed] after the matter is resolved. |
| Server, application & security logs | 90 days [to be confirmed], then deleted or anonymized. |
| Backups | Encrypted, on a rolling 35-day [to be confirmed] cycle; deletions of live data propagate as backups expire. |
| Billing & transaction records | Retained for 7 years [to be confirmed] to meet tax and accounting obligations (limited billing metadata only — Apple is the merchant of record). |

Where a longer period is required by law, or data is needed to establish, exercise, or defend legal claims, we retain it for that period and then delete it.

10. Your Privacy Rights

Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. To exercise these rights:

  • For your account data (Holicow as controller): contact [email protected] with the subject "Privacy Request." We will verify your identity using the email associated with your account and respond within the timeframes required by law (generally 30 days under the GDPR and 45 days under the CCPA).
  • For directory data (organizer as controller): direct your request to the organizer of the directory. As the processor, Holicow will assist the organizer in responding. Members can also use the in-app self-service tools: export your data and delete your data (Profile → My Data).

You will not be discriminated against for exercising any privacy right.

11. California Residents (CCPA/CPRA Notice)

This section applies to California residents under the California Consumer Privacy Act, as amended by the CPRA. We provide these rights to all California residents whether or not Holicow currently meets the CCPA's business thresholds — that is, we honor them voluntarily as a baseline. [Confirm with counsel whether thresholds are met as the user base grows.]

Categories of personal information. In the past 12 months we have collected the categories in Section 4: identifiers (name, email, account/device identifiers, IP address); customer records (phone, postal address, photograph where you or an organizer provide them); commercial information (subscription/transaction metadata from Apple); and internet/network activity (app usage and log data). We collect these from you, your device, the organizer of a directory you are listed in, and any social-login provider you choose. We use them for the business purposes in Section 5 and disclose them only to the service providers in Section 7.

Sensitive personal information. As a controller, Holicow does not intentionally collect sensitive personal information; the main category we hold is account log-in credentials, used solely to provide and secure the Service. However, directory data is configured and uploaded by the organizer and may include sensitive information — for example photographs, precise addresses, or health, disability, religious, or community-affiliation details — if the organizer chooses to collect it; for that data the organizer is the controller and is responsible for it. We do not use or disclose sensitive personal information for purposes that would trigger the right to limit, and we do not "sell" or "share" it.

No sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising, and we have not done so in the past 12 months. We do not knowingly sell or share the personal information of consumers under 16.

Retention. We retain each category of personal information only as long as necessary for the purposes it was collected, per the schedule in Section 9.

Your rights. You may request to know/access, delete, and correct your personal information, to opt out of any sale or sharing (none occurs), and to limit the use of sensitive personal information (not applicable as described above). We will not discriminate against you for exercising these rights.

How to exercise, and authorized agents. Submit a request to [email protected]. We will verify your identity using the email associated with your account before acting. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide written, signed permission and may verify your identity directly. We respond within 45 days, extendable by a further 45 days with notice as permitted by law.

12. Children's and Minors' Privacy

Vinyaas is not directed to children. Organizers must be 18 or older. Directories must not include personal data about children under 13, and our Acceptable Use Policy prohibits it. We do not knowingly process the personal data of a child under 13. If you believe a child's data has been added to a directory, contact [email protected] (and, for directory data, the organizer) and we will act to delete it.

Minors aged 13–17. Directories may include personal data about individuals aged 13–17 only where the organizer has a lawful basis and any required parent, guardian, school, or organizational authorization, and only for a legitimate directory purpose (such as a school, youth sports team, club, congregation, family, or community organization). As the controller of directory data, the organizer is responsible for those authorizations and for limiting access, purpose, and the use of any sensitive data about a minor, as set out in Section 4 of the Terms of Service and the Data Processing Addendum. We do not use minor data for advertising, profiling, or any purpose unrelated to operating the directory, and a minor (or their parent, guardian, or representative) may request access, correction, or deletion at any time via the organizer or by contacting [email protected]. The GDPR age of digital consent varies by country (13–16) and governs when a minor can self-consent to a service; it does not, by itself, prohibit listing a 13–17-year-old where the organizer has another lawful basis or the required authorization.

13. Security

We use commercially reasonable safeguards, including HTTPS/TLS for data in transit, one-way password hashing, Apple Keychain storage of authentication tokens on iOS, and access controls and audit logging on our backend. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated through the Service, by email, or both, before they take effect. The "Last Updated" date reflects the most recent revision.

15. Contact Us

For privacy questions or to exercise your rights:

Holicow LLC
Attn: Privacy
1164 Palmer Loop
Chewelah, Washington 99109
United States
[email protected]