Privacy Policy

Last updated: July 15, 2026

1. Who is responsible for your data?

Volio is an interactive digital album creation platform operated by an individual residing in Colombia. If you have any questions about this policy, you can contact us at the email address listed at the end of this document.

2. What data do we collect?

We only collect the data necessary to provide the service:

Registration data

  • Email address (required).
  • First and last name (optional).
  • Password hashed with bcrypt.

Profile data (optional)

  • Profile picture.
  • Phone number.
  • Country of residence.
  • Preferred language.
  • Backup email address.

User content

Images, videos, audio, and any other media files uploaded by the user to create their albums. This content is stored on Cloudflare R2 servers.

Automatically collected data

  • IP address from which you connect.
  • Browser and operating system information (user-agent).
  • Approximate geographic location derived from IP.
  • Activity logs: album creation, editing and publishing, logins, and usage preferences.

3. Purpose and legal basis for processing

Service provision

Manage your account, allow creation, editing, publishing and viewing of digital albums, and process your requests.

Legal basis: performance of the service contract (Art. 6.1.b GDPR).

Communications

Send verification emails, password reset, subscription notifications, and service changes.

Legal basis: contract performance and, for commercial communications, your consent (Art. 6.1.a and 6.1.b GDPR).

Improvement and optimization

Analyze platform usage to identify errors, improve user experience, and develop new features.

Legal basis: legitimate interest of the controller (Art. 6.1.f GDPR).

Legal compliance

Comply with applicable tax, accounting and regulatory obligations, and respond to competent authority requests.

Legal basis: legal obligation (Art. 6.1.c GDPR).

4. Data recipients (data processors)

Volio uses the following third-party services to operate. Each acts as a data processor and has its own privacy policy. This list may be updated as the platform incorporates or replaces providers:

Payment processor (currently LemonSqueezy)

Manages payments, subscriptions and refunds. Receives the data necessary for billing. Privacy policy: https://www.lemonsqueezy.com/privacy

Resend

Email delivery service. Receives the user's email address to send verification codes, password recovery and notifications. Privacy policy: https://resend.com/privacy

Cloudflare R2

Media file storage (images, videos, audio). User-uploaded files are stored on Cloudflare's servers. Privacy policy: https://www.cloudflare.com/privacy

5. Data retention periods

  • Account data and user content: kept while the account is active. After account deletion request, we will make reasonable efforts to delete the data within 90 days.
  • Billing and transaction data: kept for the period required by applicable tax and accounting legislation (up to 5 years in Colombia).
  • Session and activity logs: kept up to 12 months after last activity.
  • Verification codes: deleted once verified or upon expiry (15 minutes).

6. User rights

Under Colombian law (Law 1581 of 2012) and the European General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: know what personal data we hold about you.
  • Right of rectification: request correction of inaccurate or incomplete data.
  • Right of erasure (right to be forgotten): request deletion of your personal data when no longer necessary.
  • Right to object: object to processing of your data for direct marketing or legitimate interest purposes.
  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, send an email to the address listed at the end of this policy. We will handle your request as soon as possible, within the timeframes established by Colombian law.

7. Security measures

We implement technical and organizational measures to protect your data against unauthorized access, loss or alteration. These include: password hashing with bcrypt, HTTPS on all communications, expiring JWT tokens, HttpOnly and Secure cookies for refresh tokens, and restricted-access file storage on Cloudflare R2 infrastructure.

8. International data transfers

Your data may be transferred and processed in countries other than Colombia, including the United States (where our service providers are domiciled). These transfers are based on standard contractual clauses or other adequate safeguards under GDPR. By using Volio, you consent to these transfers to the extent necessary for service provision.

9. Cookies

Volio uses strictly necessary cookies for authentication (refresh token cookie) and session maintenance. We do not use advertising tracking cookies or third-party marketing cookies. You can configure your browser to reject cookies, but this may affect platform functionality.

10. Minors

Volio is intended for users aged 13 and older. We do not knowingly collect data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with data, please contact us.

11. Changes to this policy

We may update this Privacy Policy periodically. We will notify you of material changes through the platform or by email. The date of the last update appears at the top of this document. As the platform constantly evolves, the third-party services and features described in this policy may be incorporated, modified or replaced; any material change will be notified.

12. Contact

To exercise your rights, make inquiries about this policy, or request account deletion, contact us at: thesantiagorex@gmail.com. For residents of the European Union, you may lodge a complaint with your local data protection authority.