1. Data controller
The data controller under the GDPR for processing within the Vibecheck app is:
TODO: Name / Company (depends on legal form)
TODO: Street, ZIP, City
E-mail: [email protected]
2. Scope
This policy describes the processing of personal data within the Vibecheck application (Android, Desktop, iOS planned). The website is covered by the separate privacy policy.
3. What data we process
| Category | Specific data | Source |
|---|---|---|
| Account data | e-mail address, internal identifier (UUID) | Google sign-in |
| Real profile | display name, age, profile photos | provided by you |
| Anonymous identity | nickname, gender, age, “vibes” (interests), photos | provided by you |
| Location data | approximate or precise position (latitude/longitude) | your device, only after consent |
| Device information | model, manufacturer, operating system, app version, cryptographic keys | your device |
| Communication content | chat messages, voice messages, reactions | created by you, end-to-end encrypted |
| Relationship data | matches, likes, blocked users | from your usage |
| Subscription data | tier (FREE / VIBE+ / VIBE PRO), status | App Store / Play Store |
| Push data | push token (FCM or desktop) | your device |
4. Purposes and legal bases
| Processing | Purpose | Legal basis |
|---|---|---|
| Account, sign-in, device management | providing the service | Art. 6 (1) (b) GDPR (contract) |
| Profile, identity, matching | core app functionality | Art. 6 (1) (b) GDPR |
| Gender & gender preference in matching | personalized matching | Art. 9 (2) (a) GDPR (explicit consent) |
| Location-based discovery | nearby search | Art. 6 (1) (a) GDPR (consent) |
| Chat & voice messages | communication between users | Art. 6 (1) (b) GDPR |
| Push notifications | alerting you to new activity | Art. 6 (1) (a) GDPR (consent) |
| Subscription billing | contract performance | Art. 6 (1) (b) GDPR |
| Security, abuse prevention, blocking | secure operation | Art. 6 (1) (f) GDPR (legitimate interest) |
5. Special categories of personal data
When you select a particular gender you are looking for during matching, this may allow conclusions about your sexual orientation. This information is a special category of personal data under Art. 9 GDPR. We process it solely on the basis of your explicit consent, which you give separately during use and which you can withdraw at any time with effect for the future.
6. End-to-end encryption
Chat and voice messages are end-to-end encrypted using a Signal-style scheme (X3DH + Double Ratchet). Content is stored on our servers only in encrypted form; we cannot decrypt or read it. Push notifications therefore contain no message content, only a generic notice.
7. Recipients and processors
We use carefully selected service providers with whom data processing agreements (Art. 28 GDPR) are in place:
- Server hosting: TODO: hosting provider and location (EU)
- Media storage (photos, voice messages): S3-compatible object storage, TODO: provider and region (ensure EU)
- Sign-in: Google (Google Sign-In)
- Push notifications (Android): Firebase Cloud Messaging (Google)
- Payment processing: Apple App Store and Google Play (independent controllers for payment data)
By design, other users are recipients of the content you share with them (profile, identity, messages).
8. International data transfers
When using Google Sign-In and Firebase Cloud Messaging, data may be transferred to Google in the USA. Google is certified under the EU-US Data Privacy Framework; Standard Contractual Clauses apply in addition. TODO: verify the chosen media storage is located in the EU; if so, no third-country transfer occurs for it.
9. Retention and deletion
- Account, profile, and identity data are stored for as long as your account exists.
- Anonymous identities expire automatically (`expires_at`) and are then removed.
- You can delete your account at any time in the app. On deletion we remove your account, profile, identity, messages and voice messages, reactions, likes, matches, blocked users, push tokens, and the associated media files.
- TODO: add specific retention periods for security-related log data.
10. Location data
Users near you are shown only if you actively grant location access. This permission is disabled by default and can be turned off at any time in settings (including via Ghost Mode).
11. Push notifications
You can enable push notifications to be informed about new activity. Notifications contain no decrypted content. You can disable them at any time in your system or app settings.
12. Minimum age
Use of Vibecheck is restricted to persons 18 years and older. By using the app you confirm that you have reached this age. Accounts of minors are deleted upon discovery.
13. Your rights
You have the right at any time to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object (Art. 21 GDPR)
- Withdraw consent with effect for the future (Art. 7 (3) GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, contact [email protected].
14. Supervisory authority
Competent supervisory authority:
TODO: relevant state data protection authority based on the controller’s location
15. Changes
We update this policy when our processing or legal requirements change. You can find the current version on this page at any time.