Privacy Statement

The short version

Volaire is designed so that the sensitive part — your camera footage — never reaches a server you do not control. There is no user account, and the app contains no analytics or tracking. Your video and recordings stay on infrastructure you operate. The only personal data we ever process on our own infrastructure is the minimum needed to deliver an optional push notification, and only if you turn that on.

This statement explains, as required by Articles 13 and 14 of the EU General Data Protection Regulation (GDPR), what data is processed, on what legal basis, for how long, and what rights you have.

Who is responsible (controller)

The controller for the processing described here is:
Johannes Lohmöller
Kasinostr. 95, 52066 Aachen, Germany
Email: imprint@volaire.app

Full contact details are in the imprint. We have not appointed a data protection officer, as we are not legally required to do so.

This website

This marketing site self-hosts its fonts, so no data is sent to third parties simply by browsing it. By default it sets no cookies and loads no analytics or advertising scripts.

We offer optional, privacy-friendly usage analytics through Google Analytics 4 (measurement ID G-8W84T5DGHD). Analytics stays switched off until you actively agree through the cookie banner. We use Google Consent Mode, so no analytics cookies are set and no analytics data is collected before you click "Accept". You can change or withdraw your choice at any time through the "Cookie settings" link in the footer.

• Provider and processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google acts as our processor under Article 28 GDPR on the basis of the Google Ads Data Processing Terms, and a data processing agreement is in place.
• What is processed: after you consent, Google Analytics sets cookies (for example _ga and _ga_<property>) and processes usage data such as the pages you view, the time and duration of your visit, the referring page, an approximate location, device and browser information, and online identifiers. IP addresses are shortened by Google and are not stored in full, and we never receive your IP address.
• Purpose: understanding, in aggregate, how the website is used so we can improve it.
• Legal basis: your consent under Art. 6(1)(a) GDPR. Storing and reading information on your device for this purpose is based on § 25(1) TDDDG.
• International transfer: data may be transferred to Google LLC in the United States. Google LLC is certified under the EU–U.S. Data Privacy Framework, and any transfer is additionally safeguarded by the EU Standard Contractual Clauses.
• Retention: Google retains the analytics data for the period configured for the property (at most 14 months); the _ga cookie expires after up to two years. We keep only aggregated reports.
• Withdrawal and opt-out: declining, or never accepting, keeps analytics fully disabled. Re-open "Cookie settings" to withdraw a previous acceptance. You can also block cookies in your browser or install Google's browser opt-out add-on.

The site is hosted by a provider located in the European Union. To deliver pages, that provider's servers temporarily process standard access data, in particular your IP address, the requested page, the date and time, the referring page, and basic browser/OS information. This is necessary to operate and secure the website.

• Purpose: delivering the website and protecting it against abuse and attacks.
• Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in a functioning, secure website.
• Retention: access logs are kept only briefly (typically a few days) and then deleted or anonymised by the hosting provider, who acts as our processor under a data processing agreement (Art. 28 GDPR).

The Volaire app & edge

Volaire connects your iPhone directly to your own Frigate instance through a small "edge" service you run yourself. The connection is end-to-end encrypted (Iroh / QUIC). For this core functionality, we — the developer — do not receive any of your data.

• Video, snapshots and recordings are streamed over the encrypted peer-to-peer link and never transit a server we operate. Public relays used only for NAT traversal can see encrypted traffic only.
• No account. Pairing uses a NodeId and a one-time adoption code. Identity keys and the list of authorized devices live on your edge, under your control.
• On-device storage. The app stores only what it needs to work: a device identity key, your list of paired edges and their settings, and your in-app preferences. This data stays on your device (in the iOS Keychain and app sandbox, excluded from iCloud backup) and is not transmitted to us.
• Optional Face ID / Touch ID lock is evaluated entirely on your device by iOS. No biometric data is ever read by the app or transmitted.
• No analytics or telemetry. The app contains no third-party tracking, advertising, or crash-reporting SDKs.

Legal basis: to the limited extent on-device processing involves personal data, it serves to perform the service you requested (Art. 6(1)(b) GDPR) and is carried out locally under your sole control.

Push notifications (optional)

If — and only if — you enable push alerts, we process a small amount of data on a relay service we operate, solely to deliver the notification. For this specific feature, Johannes Lohmöller (see above) is the controller.

• What we receive: the Apple push device token for your device, an identifier for your edge ("site"), your notification preferences (e.g. which cameras/labels you want), and event metadata for each alert — typically the event id, camera name, and detected label. The notification's image is fetched peer-to-peer by an on-device extension; the relay never receives your video or snapshots.
• Legal basis: your consent, given by enabling push in Settings (Art. 6(1)(a) GDPR). You can withdraw it at any time by disabling push, with effect for the future; after that no further data is sent to the relay.
• Retention: registrations are held in memory only and are not written to a database; they are cleared when the relay restarts. Event metadata is processed transiently to forward the alert and is not retained. The relay's hosting provider may process connection data (such as IP address) briefly to operate and secure the service, on the basis of Art. 6(1)(f) GDPR.

Apple Push Notification service & international transfers

The website and the push relay are operated within the EU. When push is enabled, the actual delivery of the message is carried out by Apple's Push Notification service. This necessarily involves transmitting the device token and notification content to Apple Inc. in the United States, governed by Apple's privacy policy. This transfer is safeguarded under the EU–U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses. We do not control Apple's processing. There are no other transfers of personal data to third countries.

Automated decisions & children

We do not carry out any automated decision-making or profiling within the meaning of Art. 22 GDPR. Volaire is not directed at children and is not intended for use by persons under 16.

Your rights

Under the GDPR you have the right to request access to your personal data (Art. 15), and its rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18) and portability (Art. 20). You may object to processing based on legitimate interests (Art. 21) and, where processing is based on consent, withdraw that consent at any time (Art. 7(3)).

Because your footage and edge data live on infrastructure you operate, you can exercise most of this control directly. For the limited data we process (the push relay), contact us at imprint@volaire.app.

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority competent for us is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Düsseldorf — but you may contact the supervisory authority of your habitual residence or place of work.

Changes to this statement

We may update this statement to reflect changes to the app or to legal requirements. The current version is always available here; the date above indicates the latest revision. For questions, see the imprint or open an issue on GitHub.