Privacy Policy

Last Updated: January 28, 2026

Introduction

ViaHuman ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web services (collectively, the "Service").

By using ViaHuman, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

1. What Data We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address - Used for account authentication, notifications, and communication
  • Full name - Optional, used for personalization
  • Password - Stored securely using industry-standard encryption (handled by Supabase Auth)

1.2 Push Notification Tokens

When you enable push notifications in our mobile app, we collect:

  • Expo Push Token - A unique identifier that allows us to send push notifications to your device
  • This token is stored in your user profile and is only used to deliver approval request notifications

1.3 Approval Request Data

When you or your workflows create approval requests, we collect and store:

  • Approval titles and descriptions - The content of your approval requests
  • Context data - Additional JSON data you provide for context (e.g., customer emails, order IDs)
  • Response data - Your approval decisions, input values, and comments
  • Timestamps - Creation time, response time, and expiration time
  • Status information - Whether requests are pending, approved, rejected, cancelled, or timed out
  • Images - Any images you upload as part of your approval responses (stored securely in Supabase Storage)

1.4 API Usage Data

When you use our API through n8n or other integrations, we collect:

  • API keys - Stored as encrypted hashes for authentication
  • Usage metrics - Number of API calls, timestamps, and operation types (for billing and rate limiting)
  • Request metadata - IP addresses, user agents, and timestamps (for security and debugging)

1.5 Payment Information

If you subscribe to a paid plan, we collect:

  • Stripe customer ID - A reference to your Stripe account
  • Subscription details - Plan type, status, and renewal dates
  • Note: We do NOT store credit card numbers or payment details directly. All payment processing is handled securely by Stripe.

1.6 Automatically Collected Information

We automatically collect certain information when you use our Service:

  • Device information - Mobile device type, operating system version
  • Usage data - Features used, time spent in app, interaction patterns
  • Log data - IP addresses, browser types, access times, and error logs

2. How We Use Your Data

We use the collected data for the following purposes:

2.1 Core Service Functionality

  • Creating and managing approval requests
  • Sending push notifications for new approval requests
  • Authenticating API requests from your workflows and integrations
  • Storing and retrieving approval decisions
  • Processing webhook callbacks to notify your workflows of approval decisions

2.2 Account Management

  • Creating and maintaining your user account
  • Authenticating your login sessions
  • Providing customer support
  • Communicating important service updates and security alerts

2.3 Billing and Usage Tracking

  • Tracking API usage for billing purposes
  • Processing subscription payments through Stripe
  • Enforcing rate limits and usage quotas
  • Generating usage reports and invoices

2.4 Service Improvement

  • Analyzing usage patterns to improve features
  • Debugging technical issues and errors
  • Monitoring service performance and reliability
  • Developing new features based on user needs

2.5 Security and Compliance

  • Detecting and preventing fraud, abuse, and security incidents
  • Enforcing our Terms of Service
  • Complying with legal obligations and law enforcement requests
  • Protecting the rights and safety of ViaHuman and our users

3. How Long We Retain Your Data

3.1 Active Account Data

While your account is active, we retain all data necessary to provide the Service:

  • Account information - Retained for the lifetime of your account
  • Approval requests - Retained indefinitely for historical reference and auditing
  • API keys - Retained until you delete them (soft delete; hashes retained for audit trail)
  • Usage data - Retained for billing and usage tracking purposes

3.2 Deleted Account Data

When you delete your account:

  • Your account information, approval requests, and API keys are permanently deleted within 30 days
  • Some data may be retained in encrypted backups for up to 90 days for disaster recovery purposes
  • Aggregated, anonymized usage statistics may be retained indefinitely for analytical purposes
  • Data required for legal compliance, fraud prevention, or dispute resolution may be retained longer as legally required

3.3 Log Data

  • Application logs - Retained for 90 days for debugging and security purposes
  • Access logs - Retained for 30 days for security monitoring

4. How We Share Your Data

We do not sell, rent, or trade your personal information to third parties. We only share your data in the following limited circumstances:

4.1 Service Providers

We use trusted third-party services to operate our platform:

  • Supabase - Database hosting and authentication (data stored in secure cloud infrastructure)
  • Vercel - Web application hosting
  • Expo - Push notification delivery for mobile app
  • Stripe - Payment processing (payment details stored securely by Stripe, not by us)

These providers have access only to the data necessary to perform their functions and are obligated to protect your information.

4.2 Your Workflow Integrations

When you configure webhook callbacks, approval data is sent to the URLs you specify. You are responsible for the security and privacy practices of your own systems and integrations.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, search warrants)
  • Government or regulatory investigations
  • Requests to protect the safety of individuals or prevent illegal activity

4.4 Business Transfers

If ViaHuman is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or use of your personal information.

5. Your Privacy Rights

You have the following rights regarding your personal data:

5.1 Access and Portability

  • You can access your account data at any time through the ViaHuman dashboard
  • You can export your approval history and usage data by contacting us at privacy@viahuman.xyz

5.2 Correction and Updates

  • You can update your profile information (name, email) through the Settings page
  • You can update or revoke push notification permissions through your mobile device settings

5.3 Deletion

  • You can delete individual approval requests from the mobile app or dashboard
  • You can delete API keys from the API Keys page
  • You can request full account deletion by contacting us at privacy@viahuman.xyz
  • Account deletion is permanent and irreversible. All data will be deleted within 30 days, except as noted in Section 3.2

5.4 Opt-Out of Communications

  • You can disable push notifications through your mobile device settings
  • You can unsubscribe from marketing emails by clicking the unsubscribe link in any email
  • Note: You cannot opt out of essential service communications (security alerts, billing notices, etc.)

5.5 Data Protection Rights (GDPR/CCPA)

If you are located in the European Economic Area (EEA), United Kingdom, or California, you have additional rights:

  • Right to know - Request a copy of all personal data we have about you
  • Right to rectification - Correct inaccurate or incomplete data
  • Right to erasure - Request deletion of your data (subject to legal retention requirements)
  • Right to restrict processing - Limit how we use your data
  • Right to object - Object to certain types of processing
  • Right to data portability - Receive your data in a machine-readable format
  • Right to withdraw consent - Withdraw consent for data processing at any time
  • Right to lodge a complaint - File a complaint with your local data protection authority

To exercise any of these rights, contact us at privacy@viahuman.xyz.

6. Data Security

We implement industry-standard security measures to protect your data:

6.1 Encryption

  • In transit - All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • At rest - All data stored in our database is encrypted at rest
  • API keys - Stored as bcrypt hashes, never in plain text
  • Passwords - Handled securely by Supabase Auth with industry-standard encryption

6.2 Access Controls

  • Row-level security (RLS) ensures users can only access their own data
  • API keys are scoped to individual users and cannot access other users' data
  • Administrative access is restricted to essential personnel only
  • All database access is logged and monitored

6.3 Infrastructure Security

  • Hosted on secure, SOC 2 compliant cloud infrastructure (Supabase, Vercel)
  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • Regular software updates and security patches

6.4 Incident Response

In the event of a data breach, we will:

  • Notify affected users within 72 hours
  • Provide details about the nature and scope of the breach
  • Outline steps we are taking to address the breach
  • Provide guidance on how you can protect yourself
  • Comply with all legal notification requirements

While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the security of your account credentials and API keys.

7. Children's Privacy

ViaHuman is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@viahuman.xyz, and we will delete the information promptly.

8. International Data Transfers

Your data may be stored and processed in any country where we or our service providers operate. By using ViaHuman, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.

For users in the EEA and UK, we ensure that data transfers comply with GDPR through:

  • Standard Contractual Clauses (SCCs) with our service providers
  • Ensuring service providers are certified under relevant data protection frameworks
  • Implementing appropriate technical and organizational measures to protect your data

9. Cookies and Tracking Technologies

9.1 Cookies We Use

We use the following types of cookies and similar tracking technologies:

  • Essential cookies - Required for authentication and core functionality (Supabase session cookies)
  • Performance cookies - Help us understand how you use the Service to improve it
  • Preference cookies - Remember your settings and preferences

9.2 Third-Party Tracking

We do not use third-party advertising or analytics cookies. Our analytics are limited to first-party usage data collected through our own systems.

9.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email (for significant changes)
  • Display a prominent notice in the app or on our website

Your continued use of ViaHuman after any changes to this Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries: privacy@viahuman.xyz

Support: support@viahuman.xyz

Discord: Join our Discord server

Website: https://viahuman.xyz

We will respond to your inquiry within 30 days. For GDPR/CCPA requests, we will respond within the timeframes required by applicable law.

12. Your Consent

By using ViaHuman, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and sharing of your information as described herein.