Privacy Policy

1. Scope

This Privacy Policy explains how Appelux, Inc. collects, uses, shares, and protects personal data when you use Ovlo.

2. Data We Collect

Account and profile data: email, display name, avatar, and sign-in provider details.

Financial app data you create: accounts, categories, transactions, budgets, shared spaces, and related notes.

Receipt scan data: camera images or selected photos, extracted OCR text, and related metadata.

AI data: messages you send to AI features and contextual finance data needed to generate responses.

Subscription data: entitlement status, product identifiers, billing period dates, and restore status.

Analytics data: aggregated product analytics events such as screen views, feature usage, session start/stop, and basic device attributes, collected via Firebase Analytics.

Crash and error data: stack traces, error messages, device model, OS version, and app version, sent to our error reporting endpoint when a crash or handled error occurs.

Advertising data: on iOS, if you grant App Tracking Transparency permission, the Identifier for Advertisers (IDFA) may be collected for rewarded ad personalization and measurement; otherwise only limited, non-personalized ad signals are used.

Device/app data: app version, locale, time zone, and technical logs needed for operation and security.

3. How We Use Data

To provide core app features, sync your data, and maintain your account.

To process receipt OCR and AI assistant requests.

To provide Premium access, restore purchases, and enforce feature limits.

To measure product usage and improve the app through aggregate analytics (Firebase Analytics).

To diagnose and fix crashes and errors through our error reporting pipeline.

To serve rewarded ads in free features, deliver ad rewards securely via Server-Side Verification, and measure ad performance.

To secure the service, prevent abuse, and improve reliability.

4. Sharing of Data

We share data only as needed with the following categories of service providers that operate the app:

Google / Firebase — Firebase Authentication (sign-in), Cloud Firestore (optional cloud sync for Premium users), Firebase Storage (profile avatars and receipt images), and Firebase Analytics (aggregate product analytics).

RevenueCat — processes in-app subscription purchases, manages entitlements, and syncs restore state.

Google Mobile Ads / AdMob — serves rewarded ads and handles Server-Side Verification of ad rewards.

Apple Sign-In — authentication provider when you choose to sign in with Apple.

Google Sign-In — authentication provider when you choose to sign in with Google.

OCR and AI processing endpoints — operated by Appelux, Inc. to extract text from receipt images and generate AI assistant responses.

Error reporting endpoint — operated by Appelux, Inc. to receive crash and error telemetry.

We do not sell your personal data.

5. Advertising

The free tier of Ovlo shows rewarded video ads served by Google Mobile Ads (AdMob).

On iOS, we use Apple's App Tracking Transparency (ATT) framework and display the system prompt before any tracking occurs. If you allow tracking, the Identifier for Advertisers (IDFA) may be used to personalize ads and measure performance. If you decline, ads are served in a non-personalized mode.

We use Server-Side Verification (SSV) for rewarded ads: when a rewarded ad is completed, Google sends a signed callback tied to your account user ID (UID) so that we can securely grant the in-app reward. This callback does not include your email or profile content.

Google may collect and process data according to its own policies. See Google's ad partner policies at https://policies.google.com/technologies/partner-sites.

6. Analytics

We use Firebase Analytics to understand how the app is used in aggregate. Events include screen views, feature usage, subscription funnel events, and basic device attributes.

Analytics data is used for product improvement, reliability, and aggregate metrics. Where required by local law, analytics collection is subject to your consent.

7. Crash and Error Reporting

When the app crashes or encounters a handled error, we may send technical data — stack traces, error messages, device model, OS version, and app version — to an error reporting endpoint operated by Appelux, Inc..

This data is used solely to diagnose, reproduce, and fix issues, and to improve stability. It is not used for advertising.

8. Permissions

Camera permission is used only to capture receipt images.

Photo library permission is used only when you choose to upload profile or receipt images.

Microphone and speech recognition permissions are used only when you use voice input features (via expo-speech-recognition) to transcribe your spoken input into text.

Notifications permission is used to send push and local notifications such as reminders and subscription-related alerts; you can disable notifications in system settings at any time.

App Tracking Transparency: on iOS, we request tracking permission before using advertising identifiers for personalization.

9. Cookies and Similar Technologies

Ovlo is a mobile app and does not use browser cookies. However, the app and our service providers use similar technologies on your device, including local storage, device identifiers, and SDK-level identifiers.

These technologies are used by Firebase (authentication tokens, analytics identifiers), RevenueCat (subscription identifiers), and Google Mobile Ads (advertising identifiers, subject to ATT on iOS) for the purposes described in this Policy.

10. Data Retention and Deletion

We keep data while your account is active or as needed to provide services and meet legal obligations.

You may request account/data deletion by contacting support@appelux.com.

When deletion is completed, personal data is removed or anonymized unless retention is legally required.

11. Your Rights

Depending on where you live, you may have rights under the GDPR, UK GDPR, CCPA/CPRA, or similar laws, including: access to your personal data, rectification of inaccurate data, erasure (deletion), data portability, objection to processing, and restriction of processing.

California residents have the right to know what personal information is collected, to request deletion, and to opt out of the sale or sharing of personal information. We do not sell your personal data.

To exercise any of these rights, contact us at support@appelux.com. We will respond within the time frame required by applicable law.

12. Legal Bases for Processing (GDPR)

For users in the European Economic Area and the United Kingdom, we rely on the following legal bases: contract — to provide the app, your account, and Premium features you purchase; consent — for advertising identifiers, personalized ads, and analytics where required by local law; legitimate interest — for security, fraud prevention, crash reporting, and service reliability; legal obligation — where processing is required to comply with law.

You can withdraw consent at any time by changing your device or in-app permissions (for example, revoking ATT or disabling notifications).

13. Security

We use reasonable technical and organizational measures to protect data, but no method is 100% secure.

14. Children

Ovlo is not directed to children under 13 (or higher age where required by local law).

15. International Transfers

Your data may be processed in countries other than your own. We apply safeguards required by applicable law.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new Last Updated date.

17. Contact

Privacy contact: support@appelux.com

Controller: Appelux, Inc.