'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_2851_453'%20x1='31.999'%20y1='0.340833'%20x2='31.999'%20y2='64.2663'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%23FF897E'/%3e%3cstop%20offset='1'%20stop-color='%23F06C60'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
Privacy Policy
1. What we collect
- Account & auth. When you sign in with Google, our auth provider (Supabase) receives basic profile info from Google - your email, name, and avatar. We store a profile (display name, username, optional bio, role, avatar).
- Your content. Images and 3D models you upload, their generated thumbnails/previews, and the titles/notes you add. Files are stored in our cloud storage (Supabase Storage). Uploaded images are also sent to an automated content-moderation service to screen for disallowed material.
- Activity. Critiques, replies, votes, flags, likes, follows, bounties you post or enter, and your token ledger (purchases, escrows, payouts, refunds, fees).
- Teams. If you create or join a team, we store team membership and roles, your projects and the work in them, and - for paid seats - the team’s subscription status and Stripe billing identifiers.
- AI features. If you use the optional Strikelist (an author tool that turns approved and author critiques on your own piece into a checklist), the relevant critique text is sent to our AI provider to generate the result. We don’t use your content to train third-party AI models.
- Payment & payout references. When you buy tokens or pay for team seats we store a payment/subscription reference ID and the amount. When you set up cash-out, Stripe creates a connected payout account linked to your profile and we store its identifier and payout-readiness status. We do not receive or store your card number, CVC, bank details, or government ID - those go directly to Stripe.
- Contact messages. If you write to us through the in-app contact form, we store your message and any name/email you provide so we can respond.
2. Payments & payouts (Stripe)
Token purchases, team-seat subscriptions, and cash-out payouts are handled by Stripe (Stripe Checkout for purchases, Stripe Billing for team subscriptions, Stripe Connect for payouts). Stripe collects and processes your payment, identity, and bank information directly under its own privacy policy; Voxol only receives confirmations, reference identifiers, subscription status, and payout-readiness status so we can credit tokens, run team billing, and send payouts. We never see or store full card or bank data.
3. How we use your data
- To run the service: show your work and critiques, operate bounties, and credit/debit tokens.
- To process payments, send cash-out payouts, and apply refunds/clawbacks.
- To screen uploads and prevent abuse and enforce our rules (e.g. automated image moderation, flag thresholds, anti-farming and self-dealing limits).
- To send you notifications about activity on your work, and essential service emails.
- To diagnose and fix bugs (error reports - see §5).
4. Who processes your data
- Supabase - database, authentication, and file storage.
- Stripe - payment processing (purchases) and payouts (Stripe Connect).
- Sightengine - automated image moderation of uploads.
- Anthropic - AI generation for the optional Strikelist feature (receives the relevant critique text only when you use it).
- Resend - delivery of transactional / notification emails.
- Sentry - error monitoring (see §5).
- Netlify - website hosting / content delivery.
- Public content (your posted work, critiques, profile) is visible to other users and on the public web. Your data is processed primarily in the United States by these providers.
5. Analytics & error monitoring
We use an internal admin dashboard built on our own database to understand platform activity (sign-ups, critiques, bounties, revenue). To measure reach, we keep a privacy-preserving tally of daily unique visitors and active users: when the site loads we record a once-a-day, first-party visit keyed to a random identifier stored in your browser - it doesn’t identify you, isn’t shared with anyone, and is used only to count unique daily visitors; if you’re signed in, we also record that your account was active that day. We also use Sentry for error monitoring: when the app hits a bug, a report is sent to Sentry containing the error, the page URL, and your account’s id and username (no email or content) so we can diagnose and fix it. We do not use third-party advertising or cross-site tracking analytics. If that changes, we’ll update this policy.
6. Cookies & local storage
We use the storage needed to keep you signed in (an authentication session), plus a random, anonymous visitor identifier kept in your browser that we use only to count unique daily visitors (it doesn’t identify you and isn’t shared). We don’t use third-party advertising cookies.
7. Email & notifications
Activity on your work shows up as in-app notifications. We also send a small set of email notifications for key events - when you’re paid from a bounty, and when a bounty you posted closes. You can turn these activity emails off in Settings at any time, and every notification email links back to your preferences.
Separately, Stripe sends payment receipts, and we may send essential service emails (security, policy, or account notices, and payout confirmations) that are required to operate your account. We do not send marketing email; if we ever introduce promotional email it will be opt-in with one-click unsubscribe. Questions: support@voxol.io.
8. Data retention
- We keep your account, profile, content, and activity for as long as your account is open, so the service works as expected.
- When you delete a piece or critique, it’s removed from the live service; residual copies may persist in encrypted backups for a short period before they age out.
- When you delete your account, we remove your profile and content from the live service within 30 days, except where we must keep certain records longer.
- Financial records. Token purchases, payouts, refunds, and the underlying ledger and payment/payout references are retained for up to 7 years to meet tax, accounting, and anti-fraud obligations, even after account deletion.
9. Your choices & rights
- You can edit your profile, manage email notifications in Settings, and delete your own pieces and critiques in the app at any time.
- Account deletion. To delete your account, email support@voxol.io from your account email. We confirm the request, then remove your profile and content within 30 days, subject to the financial-record retention above.
- Depending on your state, you may have rights to access, correct, export, or delete your personal data (for example, under US state privacy laws such as California’s CCPA/CPRA). To exercise them, contact us at support@voxol.io; we’ll verify your request via your account email before acting on it.
10. Children
Voxol is intended for adults and is not directed to children. You must be at least 18 to use the service, and we don’t knowingly collect personal information from anyone under 18. If we learn we have, we’ll delete it.
11. Contact
Voxol’s mailing address is 51 Pleasant St # 884, Malden, MA 02148, United States. Privacy questions? Email support@voxol.io.