Privacy Policy

Version: 2026-05-21  |  Last Updated: May 21, 2026

1. Introduction

Welcome to Vibe With Me™ ("we," "our," or "us"). We are committed to protecting your privacy and being transparent about how we collect, use, and share your information. This Privacy Policy explains our practices regarding your personal information when you use our mobile application, web platform, merchandise shop, and related services (collectively, the "Service"). The Service is intended for users located in the United States only at launch.

This Privacy Policy describes our data practices. Where applicable law requires consent, or where a feature is optional, we will request consent or provide a setting separately (for example, analytics/session replay, contact discovery, push notifications, auto-share, and crowd visibility).

2. Information We Collect

2.1 Information You Provide Directly

2.1.1 Account Information

  • Authentication via Apple or Google (primary sign-in methods)
  • Email and phone number also available as sign-in options
  • Age verification (required — must be 18+)
  • On iOS/Android: Age range from Apple/Google libraries (no date of birth stored)
  • On web or if libraries unavailable: Age input for verification only (ephemeral, not stored in our database)
  • We store your verification status (verified yes/no, verification method, and verification timestamp) for compliance purposes, but never your date of birth or specific age
  • First name (required)
  • Last name (required; only your last initial is displayed to other users)
  • Profile picture (optional)
  • Vibe description (personal bio — optional)
  • City and state (optional)

2.1.2 Optional Personal Information

  • Pronouns
  • Zodiac sign

2.1.3 Connection Information

  • Social media platform types you use (Instagram, Facebook, X/Twitter, Snapchat, SoundCloud, YouTube, TikTok, WhatsApp)
  • Social media usernames/handles
  • Email address (if not using email auth)
  • Phone number (optional)
  • These connection details are only visible to users you have shared vibes with (when you choose to make them visible)
  • Public profiles only show connection type icons (e.g., Instagram icon), never usernames

2.1.4 Music Preferences

  • Top 10 favorite artists (from Spotify or manual entry — minimum 3 required)
  • Top 10 favorite genres (minimum 3 required)
  • Music taste and preference data
  • Artist images and names

2.1.5 Event and Show Information

  • Shows you have attended (artist, venue, date/time)
  • Shows you are planning to attend ("I'm Going" status)
  • Show ratings (1–5 stars)
  • Event tags and categories
  • Event names and details for shared vibes
  • Event locations are derived from venue addresses, not from your device

2.1.6 Pulse Posts

  • Reflections and thoughts about shows you have attended
  • Text-based posts shared with your vibe connections
  • Reactions and engagement on posts

2.1.7 Vibe Requests

  • Vibe requests sent and received
  • Event context for vibe requests
  • Optional messages within vibe requests

2.1.8 Group Coordination

  • Links to external group chats (WhatsApp, Discord, Telegram, Signal)
  • Group names and member lists
  • We do not host or store group chat messages; all messaging occurs on the third-party platform you select

2.1.9 Merchandise Orders, Returns, and Refunds

  • Shipping address for physical Vibe Tags
  • Order history and purchase details
  • Shipping status, order confirmation information, customer-support communications, defective-product descriptions, and any photos or evidence you voluntarily provide in connection with a replacement or refund request
  • Payment transaction information from Stripe (we do not collect or store full payment card numbers)

2.2 Information We Collect Automatically

2.2.1 Location Information

  • City and state for profile display (user-provided)
  • Event venue locations (based on show data from Bandsintown/EDM Train)
  • City-level event context when marking shows as "going" (resolved from venue address or user-selected city/state, not device GPS)
  • We do NOT collect or store precise GPS coordinates from your device
  • We do NOT track your real-time location

2.2.2 Device and Usage Information

  • Device type, model, and operating system
  • Unique device identifiers
  • App usage patterns and feature interactions (only for consent-based analytics on web; enabled by default on mobile — see Section 2.2.4)
  • Crash reports and performance data
  • Network information and IP address
  • Screen navigation and feature usage analytics (only when analytics are active)

2.2.3 Crash & Error Tracking (Always Active)

  • Crash reports and critical error data are collected automatically to maintain app stability and security
  • This data includes error type, error message, stack trace, and device/OS context
  • Crash tracking is always active and cannot be disabled — it is essential for providing a reliable service
  • No usage analytics, page views, feature interactions, or session recordings are included in crash tracking

2.2.4 Usage Analytics & Session Replay

  • On mobile, usage analytics and session replay are enabled by default when you create an account. During onboarding, you are informed that analytics are active and shown how to opt out. You can disable analytics at any time in My Vibe → Analytics.
  • On web, usage analytics and session replay are disabled by default. A consent banner appears on your first visit; no usage events are transmitted until you opt in. You can change your preference at any time in Settings → Analytics.
  • When enabled, we collect pseudonymous or aggregated usage patterns, feature adoption, A/B test participation, and session recordings
  • Session replay (on both web and mobile) records screen content, taps, scrolls, and navigation when analytics are active. If you disable analytics, no replay is captured.
  • Text you type into input fields (messages, forms, search boxes, bios, etc.) is masked in replay recordings — we see that you typed something, but not what you typed
  • Network requests made by the app (metadata: URL, method, status code, timing) are captured alongside replay recordings for debugging purposes
  • Images rendered in the app (including artist photos, profile pictures, and show artwork) may appear in replays unless configured to be masked
  • Disabling analytics stops all usage event capture and session replay immediately; it does not affect crash tracking or any app functionality

2.2.5 QR Code and NFC Interactions

  • QR code scan timestamps
  • NFC tag reads, writes, and read history
  • NFC tag unique identifiers (UIDs) for tag functionality, tag tracking, anti-abuse, and analytics
  • Interaction success/failure rates
  • Tag claiming and registration data

2.2.6 Calendar Access (Optional)

  • With your permission, you can add a show to your device calendar via an "Add to Calendar" button on the show detail screen
  • Event details written locally: show name, venue and address, start/end time, and lineup with set times in the event notes
  • Calendar data is written to your device calendar only — we do not transmit or store your calendar contents on our servers
  • We store a local reference to the event ID (on your device only) so we can detect duplicates if you tap the button more than once
  • You can revoke calendar permission at any time in your device Settings; revoking does not affect any app functionality

2.2.7 Contact Discovery (Optional)

  • When you use "Find Friends on Vibe With Me," we process contact information client-side
  • Phone numbers and emails are hashed (SHA-256) on your device before transmission
  • Only hashes are sent to our servers for matching; while used for matching, these hashes are treated as pseudonymous personal data rather than de-identified data
  • Raw contact data never leaves your device
  • We do not store your contact list

2.2.8 Biometric Information

  • We do NOT collect or store biometric data
  • Biometric authentication (Face ID, Touch ID, Fingerprint) is handled locally on your device
  • Biometric preferences are stored locally on your device only

2.3 Information from Third Parties

2.3.1 Authentication Providers (Apple, Google)

  • Account identifier tokens
  • Name and email address (if you authorize sharing)
  • Age range verification (Apple/Google only, no birthdate)
  • Profile picture (if authorized)

2.3.2 Stripe (Payment Processing)

  • Stripe collects payment method details; we receive tokenized payment identifiers, transaction status, receipts, fraud signals, and order-related metadata
  • Billing information
  • Transaction history
  • Subscription status, if subscriptions are later enabled

2.3.3 PostHog (Analytics and Error Tracking)

  • Pseudonymous, aggregated, or de-identified usage patterns and feature adoption, depending on the configuration and whether the data remains linkable to a user or device
  • Error tracking and performance metrics
  • User journey and conversion data
  • A/B test participation

2.3.4 RevenueCat (Subscription Management, if subscriptions are enabled)

  • Subscription tier and status
  • Purchase history
  • Subscription renewal dates
  • Trial period information

2.3.5 Push Notification Services (Expo)

  • Device tokens for sending notifications
  • Notification delivery status and engagement
  • Push notification preferences

2.3.6 Music Services (Spotify)

  • Artist names and images (when you select favorites)
  • We do NOT access your listening history
  • We do NOT connect to your music accounts beyond initial artist selection
  • All music data is manually selected by you

2.3.7 Event Data Providers (Bandsintown, EDM Train)

  • Event listings and show information
  • Artist tour dates and venues
  • Ticket links and pricing information
  • Artist social media links
  • Event images and descriptions

3. How We Use Your Information

We limit our collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed in this policy. We do not process your personal data for purposes that are incompatible with those purposes without your consent.

3.1 Core Service Functionality

  • Account Management: Create and maintain your account, authenticate users, verify age requirements (18+)
  • Vibe Connections: Facilitate connections between users at live music events
  • QR Code & NFC Features: Enable vibe request creation through scanning and tapping
  • Contact Discovery: Help you find friends already on Vibe With Me (with your permission)
  • Event Tracking: Help you track shows you have attended and plan future shows
  • Social Features: Enable vibe requests, Pulse posts, and group coordination
  • Music Matching: Connect you with users who share similar musical tastes
  • Merchandise: Process orders for physical Vibe Tags

3.2 Communication and Notifications

  • Send vibe requests and responses
  • Notify about group invitations and activities
  • Alert you about shows from artists you follow
  • Notify about friends attending the same shows
  • Provide customer support and service updates
  • Send order confirmations and shipping updates
  • Send security alerts and important account information
  • Notify about Pulse posts from your vibe connections

3.3 Platform Improvement

  • Analyze usage patterns to improve features
  • Troubleshoot technical issues and bugs
  • Develop new features and enhancements
  • Conduct research and analytics for product development
  • Test new features with select users
  • Measure feature adoption and engagement

3.4 Safety and Security

  • Prevent fraud, abuse, and harmful activities
  • Enforce our Terms of Service and Community Guidelines
  • Comply with legal obligations
  • Protect user safety at live events
  • Moderate user-generated content (including Pulse posts)

3.5 Business Operations

  • Process payments and subscriptions
  • Process, fulfill, and support physical NFC merchandise orders, including shipping, defective-product replacement or refund requests, customer-support communications, and tax/accounting records
  • Manage inventory and shipping
  • Calculate and remit sales tax
  • Provide customer support
  • Send transactional emails and receipts

3.6 Legal Basis for Processing (EEA/UK Users, if Applicable)

The Service is intended for users in the United States only at launch and is not directed to individuals located in the European Economic Area, the United Kingdom, or other non-U.S. jurisdictions. If, notwithstanding that launch scope, the GDPR, UK GDPR, or similar law applies to our processing of your personal data, we rely on the following legal bases as applicable:

  • Contractual Necessity: Processing necessary to provide the Service you request or sign up for, including account management, authentication, vibe connections, event tracking, QR/NFC functionality, merchandise order fulfillment, and customer support.
  • Consent: Processing that depends on your separate opt-in or permission, including web usage analytics, web session replay, contact discovery, push notifications, calendar access, optional profile fields, auto-share settings, and crowd visibility settings. You may withdraw consent at any time through your account settings, device permissions, or by contacting us. Withdrawal does not affect processing that occurred before withdrawal.
  • Legitimate Interests: Processing for platform stability, security, fraud prevention, abuse prevention, content moderation, crash/error diagnostics, mobile usage analytics and session replay (enabled by default; may be disabled at any time in My Vibe → Analytics), enforcement of our Terms of Service and Community Guidelines, and improvement of core product functionality, where those interests are not overridden by your rights and interests.
  • Legal Obligation: Processing required to comply with applicable laws, including tax, accounting, consumer-protection, dispute-resolution, lawful-request, and recordkeeping obligations related to merchandise orders, account records, safety reports, and legal compliance.
  • Protection of Users and Others: In limited circumstances, we may process information to protect the safety, rights, or vital interests of users or others, including where we believe there is a risk of harm, illegal activity, or public-safety concern.

3.7 International / Non-U.S. Use

The Service is intended for users in the United States only at launch and is not directed to individuals located outside the United States. If we later offer the Service internationally, we will update this Privacy Policy to describe any additional rights, legal bases, transfer mechanisms, and local-law disclosures that apply.

4. How We Share Your Information

We disclose personal information in the categories and for the purposes described below. We distinguish between disclosures to service providers/processors/contractors that process personal information on our behalf and disclosures to other users, integration partners, or third parties that receive information to provide features you request.

4.1 With Other Users

4.1.1 Public Profile Information

  • First name and last initial
  • Profile picture
  • Vibe description
  • City and state (if provided)
  • Music preferences (top artists and genres)
  • Connection type icons (Instagram, TikTok, etc. icons) — usernames are NOT shown on public profiles
  • Optional personal information you choose to display (pronouns, zodiac sign)
  • Age/birthdate is NEVER shared with other users

4.1.2 Shared Vibe Connections Only

  • Connection usernames/handles (only if you make them visible to shared vibes)
  • Event details for vibes you have shared together
  • Shows you are attending (visible to your vibe connections; also visible to all users if you enable "Show me in the crowd")
  • Pulse posts you create
  • Show ratings and tags (if you choose to share)

4.1.3 Group Members

  • Profile information within groups you join
  • Links to external group chats (WhatsApp, Discord, Telegram, Signal)
  • Group membership status
  • Show attendance information shared with group

4.1.4 Show Discovery

  • Your "I'm Going" status on shows is always visible to your vibe connections
  • "Show me in the crowd" setting (off by default): When enabled, your first name, last initial, profile photo, and ticket status are visible to all platform users viewing the event's attendee list — not just your vibe connections. When disabled, only your vibe connections can see that you are attending.
  • Total count of platform users attending shows (anonymized)
  • You can see which of your vibe connections are attending the same shows

4.2 With Service Providers, Processors, Contractors, and Other Recipients

We disclose information to vendors, processors, service providers, contractors, and integration partners that help us operate the Service. Where a recipient acts as our service provider, processor, or contractor, it may use personal data only to provide services to us under applicable contractual restrictions. Some integrations may also receive data as independent third parties or APIs as described below.

4.2.1 Supabase (Database and Authentication)

  • Account information and authentication data
  • User-generated content and preferences
  • Show history and vibe connections
  • Pulse posts
  • All data except payment information

4.2.2 Cloudflare (Hosting and Content Delivery)

  • API requests and web traffic are routed through Cloudflare infrastructure
  • IP addresses and request metadata for security and performance
  • Web application hosting (Cloudflare Pages) and API hosting (Cloudflare Workers)
  • DDoS protection and security filtering

4.2.3 Twilio (SMS Delivery)

  • Phone numbers for SMS delivery when you use phone-based sign-in
  • SMS delivery status and metadata
  • Phone number verification data

4.2.4 Resend (Transactional Email)

  • Email addresses for sending account notifications, security alerts, order confirmations, and policy change notices
  • Email delivery status and metadata
  • Message content for transactional emails

4.2.5 Stripe (Payment Processing)

  • Stripe collects and processes payment method details and billing information; we receive tokenized payment identifiers, transaction status, receipts, fraud signals, and order-related metadata
  • Transaction history
  • Subscription management, if subscriptions are enabled
  • Physical merchandise orders
  • Shipping addresses

4.2.6 PostHog (Analytics and Error Tracking)

  • Crash and error data is always transmitted for app stability (not gated on consent)
  • On mobile, usage analytics and session replay are enabled by default and may be disabled at any time. On web, usage analytics and session replay are gated on your explicit consent; no usage events are sent by default.
  • Pseudonymous, aggregated, or de-identified usage data and feature interactions (when analytics are active), depending on whether the data remains linkable to a user or device
  • Error logs and performance metrics (always active)
  • User behavior patterns and session replay metadata (when analytics are active); we do not treat this data as de-identified unless it cannot reasonably be linked to a user or device

4.2.7 Expo/React Native Services

  • Push notification delivery
  • App performance and crash reporting
  • Feature usage analytics only where enabled and consistent with your analytics preferences

4.2.8 RevenueCat (Subscription Management, if subscriptions are enabled)

  • Subscription tier and payment status, if subscriptions are enabled
  • Purchase history and billing details, if subscriptions are enabled
  • Trial period management, if subscriptions are enabled

4.2.9 EDM Train / Bandsintown (Event Data)

  • Your show attendance preferences, to the extent needed to provide personalized recommendations and event features
  • Aggregated or de-identified platform usage data; we do not provide user-identifying data unless specifically disclosed or required to provide the feature

4.2.10 Mailchimp Transactional / Mandrill (Inbound Email Processing)

  • Processes inbound venue newsletter emails to extract show and event data for the Shows discovery feature
  • Email content is processed solely to extract show, venue, and event metadata. Any incidentally included personal information (such as venue staff names in email signatures) is discarded after processing and is not stored or used for any other purpose

4.2.11 Amazon Web Services — Rekognition (Content Moderation)

  • Photos uploaded to Pulse posts are sent to Amazon Rekognition for automated content moderation
  • Images are analyzed for prohibited content (nudity, violence, etc.) and moderation labels are returned
  • We do not use Rekognition for facial recognition or identification of individuals
  • Image data sent to Rekognition is processed in accordance with AWS's data processing terms

4.2.12 Merchandise Fulfillment Partners

  • Shipping address and order details (only what is necessary to fulfill your order)
  • Replacement or refund-related order information when needed to resolve defective-product claims

4.2.13 Authentication Providers (Apple, Google)

  • Account verification requests
  • Age verification requests
  • Token refresh requests

4.2.14 Mapbox (Location & Mapping)

  • Receives venue address queries and map tile requests for geocoding and event venue display
  • No user account or contact information is transmitted

4.2.15 Google Places API (Venue Enrichment)

  • Receives venue address queries to enrich venue metadata (name, address, hours)
  • No user PII is transmitted

4.2.16 Ticketmaster API (Event Data)

  • We query Ticketmaster for concert and event information to populate show listings
  • No user PII is transmitted

4.2.17 OpenWeatherMap (Weather Data)

  • Receives venue-level location queries (latitude/longitude of event venues, not your location)
  • Used to provide weather context for upcoming shows

4.2.18 Linear (Moderation Issue Tracking)

  • When you submit a content report, a ticket is created in Linear for our moderation team
  • Tickets include the report details, a snapshot of the reported content, and your user ID so we can follow up

Note: If we add additional service providers in the future, we will update this policy accordingly. We encourage you to review this policy periodically.

4.3 Legal Requirements and Law Enforcement

We may disclose your information when required by law or in good faith belief that such action is necessary to:

  • Comply with legal process or government requests, including subpoenas, court orders, and search warrants
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing, including illegal activity facilitated through connections made on the platform
  • Protect user safety or public safety
  • Protect against legal liability
  • Enforce our Terms of Service

We may also voluntarily report information to law enforcement when we have reason to believe that a user is engaging in illegal activity that poses a risk to the safety of others, even in the absence of a legal order requiring disclosure.

Off-Platform Conduct: Vibe With Me facilitates connections between users at live music events. Users may share contact information (social media handles, phone numbers, etc.) with their vibe connections, and may coordinate through external platforms (WhatsApp, Discord, Telegram, Signal) linked from groups. We are not responsible for the conduct of users outside our platform, including communications, meetings, or transactions that occur through external services or in person. Information you voluntarily share with other users through your profile or connection details is shared at your own discretion, and we cannot control how other users may use that information once received.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to substantially similar privacy protections. We will notify you via email and/or a prominent notice within the Service before your personal information is transferred and becomes subject to a different privacy policy.

5. Data Retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy:

  • Account Information: Retained while your account is active; active-system deletion is initiated when you submit an account deletion request and generally completed within 30 days, subject to legal retention, fraud prevention, and backup retention described below
  • Vibe History: Retained while account is active; deleted upon account deletion
  • Show Journal: Retained while account is active; deleted upon account deletion
  • Pulse Posts: Retained while account is active; deleted upon account deletion
  • Location Data: We only store city-level information derived from venue addresses (no GPS coordinates)
  • NFC Tag Data: Tag ownership retained for product warranty and anti-abuse purposes; tag reads and read history are retained in aggregated or de-identified form for analytics where possible, but are treated as personal data if linked or reasonably linkable to your account, device, or claimed tag
  • Contact Hashes: Not stored; only used for real-time matching during contact discovery
  • Analytics Data: Retained in aggregated, de-identified, or pseudonymous form for up to 3 years, depending on whether the data remains linkable to a user or device
  • Order History: Retained for 7 years for tax and accounting purposes as required by law
  • Age Verification: Age input (when collected on web) is used only for verification during onboarding and is NOT stored in our database. However, your verification status, verification method, and verification timestamp are retained for regulatory compliance for as long as your account is active.
  • Backup Systems: After account deletion, residual copies may persist in encrypted backups for up to 90 days before being automatically purged. During this period, backup data is not accessible or used for any purpose.

You may request deletion of your data at any time by contacting us at privacy@vibewithme.co or by using the account deletion feature within the app.

6. Your Privacy Rights

6.1 Access and Control

6.1.1 Account Settings

  • View and edit your profile information
  • Update privacy preferences and connection visibility
  • Manage notification settings
  • Control contact discovery participation
  • Manage subscription and payment settings
  • Control auto-share settings for QR/NFC
  • Control crowd visibility on event attendee pages

6.1.2 Data Portability

  • Request a copy of your data in machine-readable format
  • Export your vibe history and connections
  • Export your show journal
  • Export your Pulse posts

6.1.3 Deletion Rights

  • Delete individual vibes, shows, and Pulse posts
  • Remove specific pieces of information
  • Delete your entire account and associated personal data (active-system deletion is initiated when submitted and generally completed within 30 days; see Section 5 for backup and legal-retention details)

6.1.4 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not deny you goods or services, charge you different prices, or provide you with a different level or quality of service for exercising your rights under this policy or applicable law.

6.2 Communication Preferences

6.2.1 Email Communications

  • Opt out of marketing emails (transactional emails still required)
  • Manage notification frequency

6.2.2 Push Notifications

  • Control notification types in app settings
  • Disable push notifications entirely in device settings

6.3 Analytics Preferences

We use PostHog for crash tracking, product analytics, and session replay. Data collection is split into two tiers:

6.3.1 Always Active — Crash & Error Tracking

  • Crash reports and critical errors are always collected to maintain app stability and security
  • This cannot be disabled and does not require consent
  • No usage analytics, page views, feature interactions, or session recordings are included

6.3.2 Usage Analytics & Session Replay

  • Mobile: Usage analytics and session replay are enabled by default. During onboarding, you are informed that analytics are active and can opt out. You can disable analytics at any time in My Vibe → Analytics. Opting out stops all usage event capture and session replay immediately.
  • Web: Usage analytics are off by default. A consent banner appears on your first visit; no usage events or session replay data are transmitted until you opt in. You can change your preference at any time in Settings → Analytics.
  • On both platforms, session replay masks text input content in recordings; network request metadata is captured alongside recordings for debugging.
  • Disabling analytics does not affect crash tracking or any app functionality.

6.4 Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Analytics data sent to PostHog is used solely for product improvement and is not shared with third parties for their own purposes. To opt out of analytics data collection, visit your account settings or contact us at privacy@vibewithme.co.

6.5 Auto-Share Settings

  • Auto-share for QR/NFC scanning is disabled by default
  • You can enable auto-share in your settings at any time
  • When disabled, people who scan your code see your public profile and must take an affirmative action, such as pressing "Vibe With," to send a vibe request
  • Setting can be changed at any time

6.6 Crowd Visibility Settings

  • "Show me in the crowd" is disabled by default
  • When enabled, your first name, last initial, profile photo, and ticket status appear on event attendee pages visible to all platform users
  • When disabled, only your vibe connections can see that you are attending a show
  • Setting can be changed at any time in your privacy settings

6.7 Contact Discovery Controls

  • Contact discovery is entirely opt-in
  • You must explicitly grant contacts permission
  • You can revoke permission at any time in device settings
  • Contact data is only processed when you use the "Find Friends" feature
  • All contact matching happens with hashed identifiers (raw data never leaves device)

7. Regional Privacy Rights

7.1 Nebraska Residents (NDPA)

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete personal data provided by or obtained about you
  • Right to obtain a portable copy of your personal data
  • Right to opt out of processing for targeted advertising, data sales, or profiling that produces legal or similarly significant effects
  • We do not sell your personal data
  • We honor Universal Opt-Out Mechanisms (UOOMs) as required by law
  • To exercise these rights, contact us at privacy@vibewithme.co or use the in-app privacy request form. We will respond within 45 days. If we deny your request, you may appeal, and we will respond to your appeal within 60 days with a written explanation. If your appeal is also denied, we will provide you with an online mechanism to submit a complaint to the Nebraska Attorney General.

7.2 Texas Residents (TDPSA) (where applicable)

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a portable copy of your personal data in a readily usable format
  • Right to opt out of processing for targeted advertising, data sales, or profiling that produces legal or similarly significant effects
  • We do not sell your personal data, sensitive personal data, or biometric data
  • We honor Universal Opt-Out Mechanisms as required by Texas law (effective January 1, 2025)
  • To exercise these rights, contact us at privacy@vibewithme.co or use the in-app privacy request form. We will respond without undue delay, but no later than 45 days after receipt of your request. If we deny your request, we will provide a justification and instructions for how to appeal. If your appeal is also denied, we will provide information on how to submit a complaint to the Texas Attorney General.

7.3 California Residents (CCPA/CPRA) (where applicable)

  • Right to know the categories and, where required, specific pieces of personal information we collect, the categories of sources, the purposes for collection/use/disclosure, and the categories of recipients
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing for cross-context behavioral advertising (we do not sell personal information or share it for cross-context behavioral advertising)
  • Right to limit the use and disclosure of sensitive personal information, where applicable
  • Right to non-discrimination for exercising privacy rights, and the right to use an authorized agent where applicable

7.4 European Union / EEA / UK Residents (GDPR / UK GDPR, if applicable)

The Service is intended for users located in the United States only at launch and is not directed to individuals in the European Union, European Economic Area, or United Kingdom. If, notwithstanding that launch scope, the GDPR, UK GDPR, or similar law applies to our processing of your personal data, you may have the following rights, subject to applicable conditions and limitations:

  • Right of access to your personal data
  • Right to rectification of inaccurate or incomplete personal data
  • Right to erasure of your personal data, also known as the "right to be forgotten"
  • Right to restrict processing of your personal data
  • Right to data portability
  • Right to object to processing, including processing based on legitimate interests, where applicable
  • Right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing based on consent before withdrawal
  • Right to lodge a complaint with a competent supervisory authority

7.5 Non-U.S. Users / U.S.-Only Launch

The Service is intended for users located in the United States only at launch and is not directed to individuals outside the United States. If you are located outside the United States and believe local privacy law applies to your request, contact us at privacy@vibewithme.co; we will evaluate and respond as required by applicable law.

To exercise the rights described in this section, contact us at privacy@vibewithme.co.

8. Data Security

We implement appropriate technical and organizational security measures to protect your information:

8.1 Technical Safeguards

  • Secure data transmission using TLS/SSL
  • Client-side hashing for contact discovery
  • Tokenized payment processing (we never see full credit card numbers)
  • Regular security audits and vulnerability assessments
  • Access controls and authentication requirements
  • SHA-256 hashing for sensitive identifiers
  • Age verification through trusted platform providers (Apple, Google)

8.2 Organizational Safeguards

  • Limited access to personal information on need-to-know basis
  • Regular review and updating of security procedures
  • Incident response procedures for data breaches
  • Third-party vendor security assessments

8.3 Infrastructure Security

  • Secure cloud hosting with enterprise-grade providers (Supabase, Cloudflare)
  • Regular backups and disaster recovery procedures
  • Network security monitoring and intrusion detection
  • Compliance with industry security standards

9. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:

  • Conduct a prompt investigation to determine the scope and impact of the breach
  • Notify affected users as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the integrity of our systems
  • Notify the Nebraska Attorney General contemporaneously with user notification, as required by Nebraska law (Neb. Rev. Stat. §§ 87-801 to 87-807)
  • Notify additional state attorneys general and regulatory authorities as required by applicable state and federal law
  • Provide details about the nature of the breach, the types of information involved, and steps you can take to protect yourself
  • Take immediate steps to contain and remediate the breach

10. International Data Transfers

Our Service is intended for users located in the United States only at launch. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence. We may restrict access from outside the United States or update this Policy before expanding internationally.

11. Children's Privacy

Our Service is intended only for users 18 years of age and older. We enforce age verification during registration through the following methods:

  • iOS and Android: We use age attestation APIs provided by Apple and Google to verify that users meet our minimum age requirement. These APIs provide an age range without disclosing the user's exact date of birth.
  • Web and fallback: When platform age attestation APIs are unavailable (due to device software version limitations or web-based registration), we require users to input their age during onboarding. This age input is used solely for verification during the registration session and is not stored in our database or retained after verification is complete.

We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to immediately terminate their account and delete all associated data.

If you are a parent or guardian and believe someone under 18 has provided us with personal information, please contact us at privacy@vibewithme.co.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws.

For material changes (changes that significantly affect how we collect, use, or share your personal information), we will:

  • Provide at least 30 days advance notice before the changes take effect
  • Send an email notification to your registered email address describing the key changes
  • Display a prominent in-app notification requiring you to acknowledge the updated policy before continuing to use the Service
  • Provide a summary of changes alongside the full updated policy
  • If required by applicable law, obtain your affirmative consent before applying material changes to your data

For non-material changes (minor updates, clarifications, or formatting adjustments), we will:

  • Post the updated policy in the app with a notice
  • Update the "Last Updated" date at the top of this policy

If you do not agree with any material changes, you may delete your account before the changes take effect. Your continued use of the Service after the effective date of any changes indicates your acceptance of the updated Privacy Policy.

13. Contact Information

If you have questions about this Privacy Policy or our privacy practices, please contact us:

  • Email: privacy@vibewithme.co
  • In-App: Use the privacy request form in Settings > Privacy > Submit a Request
  • Mail: 6311 Ames Ave #1024, Omaha, NE 68104
  • Phone: +1 (402) 431-2472

For Nebraska residents exercising rights under the NDPA: privacy@vibewithme.co
For Texas residents exercising rights under the TDPSA: privacy@vibewithme.co
For California residents exercising rights under the CCPA: ccpa@vibewithme.co


14. Specific Features Privacy Details

14.1 QR Code and NFC Privacy

  • Scan History: We track successful scans for product functionality, abuse prevention, and analytics as described above, but do not store failed attempts
  • Tag Ownership: NFC tag ownership is recorded but not publicly displayed
  • Tag Movement: We track tag movement patterns in aggregate or de-identified form; if a tag event is linked or reasonably linkable to your account, device, or claimed tag, we treat it as personal data
  • Tag Claims: When you claim a tag, we associate it with your account
  • Auto-Share: Disabled by default; when enabled, an approved scan or tap can send a vibe request according to your settings. When disabled, the scanning user must take an affirmative action, such as pressing "Vibe With," to send a request
  • Profile Mode: When auto-share is disabled, scanning shows your public profile instead

14.2 Contact Discovery Privacy

  • Opt-in Only: You must explicitly grant permission to access contacts
  • Client-Side Processing: Contacts are processed entirely on your device
  • Hashing: Phone numbers and emails are hashed (SHA-256) before transmission. Hashing reduces exposure of raw contact data, but hashes used for matching are treated as pseudonymous personal data rather than de-identified data.
  • No Storage: We do not store your contact list or the hashes
  • Matching Only: Hashes are only used to find existing users, then immediately discarded
  • No Automatic Notifications: Matched contacts are not automatically notified that they were discovered. They only receive a notification if you explicitly send them a vibe request.
  • Revocable: You can revoke contacts permission in device settings anytime

14.3 Show Journal Privacy

  • Ratings: Individual show ratings are private. Ratings contribute to anonymized aggregate "Vibe Check" scores displayed on show pages; your individual rating is never attributed to you publicly.
  • Tags: Show tags you create may be visible to your vibe connections through the Pulse feed.
  • Attendance Visibility: Your vibe connections can always see which shows you are attending. If you enable "Show me in the crowd" in settings (off by default), your profile is also visible to all users on event attendee pages.
  • Statistics: Show attendance is aggregated anonymously for platform statistics
  • Export: You can export your complete show history

14.4 Pulse Posts Privacy

  • Vibe Connections Only: Pulse posts are only visible to users you have shared vibes with
  • Reflections: Posts contain your thoughts and reflections about shows
  • Photo Moderation: Photos uploaded to Pulse posts are automatically screened for prohibited content using Amazon Rekognition. This is used solely for content safety — we do not use facial recognition or identify individuals in your photos.
  • Reactions: You can see who reacts to your posts (limited to vibe connections)
  • Control: You can delete your posts at any time
  • No Algorithm: Posts are shown chronologically, not algorithmically

14.5 Music Data Privacy

  • Required Minimum: You must add at least 3 top artists and 3 top genres
  • Manual Control: You manually select all artists and genres
  • Limited Account Access: We only access artist names and images, not your listening history
  • Matching: Music data is used for connection recommendations
  • User Control: Music preferences can be edited anytime
  • No Listening History: We never access what you are currently listening to

14.6 Group Coordination Privacy

  • External Platforms: We do not host group chat messages
  • Links Only: We only store links to WhatsApp, Discord, Telegram, or Signal groups
  • Member Lists: Group member lists are visible to all group members
  • Show Planning: Groups can coordinate show attendance
  • Third-Party Responsibility: When you click a link to an external group chat, you leave our Service. Your use of WhatsApp, Discord, Telegram, Signal, or any other external platform is governed by that platform's own terms of service and privacy policy. We are not responsible for the privacy practices of these third-party services.

14.7 Subscription and Payment Privacy

  • Stripe Processing: Payment method details are collected and processed by Stripe (PCI-DSS compliant); we receive transaction, token, receipt, fraud-signal, and order metadata
  • Tokenization: We do not collect or store full card numbers. We may receive tokenized payment identifiers and transaction metadata from Stripe.
  • Merchandise Orders and Defective-Product Claims: We process shipping addresses, order details, order confirmations, shipping updates, support communications, and any defect-related information or photos you voluntarily submit to administer physical NFC merchandise orders, replacement requests, and refunds under the Terms of Service.
  • Subscription Management: If subscriptions are enabled, subscription status may be managed through RevenueCat or the applicable app marketplace
  • Purchase History: Order history retained for tax and accounting purposes
  • No Sharing: Payment information is never shared with other users

14.8 Authentication Privacy

  • Multiple Options: Sign in with Apple or Google (primary); email and phone also available
  • Third-Party Auth: When using Apple/Google, we receive limited data they authorize
  • Age Verification: Apple and Google provide age range verification without sharing birthdate; web fallback uses ephemeral age input that is not stored. Your verification status (verified yes/no, method, and timestamp) is retained for compliance.
  • No Password Storage: We do not store passwords when using third-party authentication
  • Token Security: Authentication tokens are securely stored and encrypted
  • SMS Delivery: When you sign in with your phone number, SMS messages are delivered via Twilio; your phone number is shared with Twilio for this purpose

This Privacy Policy is effective as of the last updated date listed at the top of this document.

End of document — Privacy Policy, version 2026-05-21.