Privacy Policy

VibeConnect — a product of Sigma Pi Labs Inc.

1. Who we are & how to reach us

The data controller responsible for the Service is Sigma Pi Labs Inc., a Delaware C-corporation. For any privacy-related request, to exercise any right described in this Policy, or to lodge a complaint:

• Privacy, data-subject requests, grievance, DMCA: privacy@vibeconnect.io
• General support: support@vibeconnect.io
• India Grievance Officer (Rule 3(11), IT Rules 2021): privacy@vibeconnect.io

2. Scope & acceptance

This Policy applies to personal information we process in connection with the Service. It does not apply to information processed by third parties (such as the Apple App Store, Google Play, a mobile-network operator, or an external website you visit from a link within the Service), except as expressly stated. By using the Service, you acknowledge this Policy. Where consent is required by Applicable Law, you will be asked for it separately at the appropriate point.

3. Information we collect

3.1 Information you provide directly

• Account identifiers: email address, password (hashed and never visible to us), telephone number (where used for verification), and, where you choose Apple Sign-In or Google Sign-In, the identifier and email address exchanged through those flows.
• Date of birth, used to confirm you are at least 18 and to infer age for age-appropriate features.
• Profile: display name, full legal name (if entered), gender, connection-type preferences (friends, professional, family, romantic, interests), companion-role selection, romantic preferences (if applicable), interests (three to ten), personality description, bio, city or self-entered location, and avatar photograph(s).
• Messages: the content of text messages you exchange with other Users, and metadata such as sender, recipient, timestamp, delivery status, and read status.
• Mood & wellness: mood entries you create in the wellness feature, including a 1–10 numeric value and any free-text description. This is health-related data; see Section 4.
• Journal entries: notes you create in the Memory Book feature (up to 5,000 characters each, plus timestamps).
• Activity & interaction data: matches, saved connections, unmatches, skips, reports, blocks, RSVPs to activities, and any consent or opt-in flags you provide.
• Reports you submit: the reported User, the reason selected, and any details you type.
• Support tickets & correspondence: if you contact us, the content of your messages and any attachments.

3.2 Information collected automatically

• Device & app data: device make and model, operating-system version, application version, locale and language, crash logs, stack traces, device identifiers assigned by us and by the operating system, installation identifiers, and Firebase Installation IDs.
• IP address, connection type, and approximate coarse geolocation derived from IP by service providers.
• Push-notification tokens assigned by Apple Push Notification Service and Firebase Cloud Messaging.
• Precise location (latitude / longitude), when you grant location permission, used for matching and Places Discovery. You may revoke this permission at any time in your device settings.
• Diagnostic events and performance data (e.g., API latencies, error rates) collected for the purpose of troubleshooting and improving the Service.
• On-device voice input (when used): speech is converted to text by the operating system's speech-recognition framework. Audio of your voice is not transmitted to Sigma Pi Labs; only the transcribed text that you confirm for use.

3.3 Information from third parties

• Authentication providers — when you sign in with Apple or Google, we receive the identifier and email address you permit to be shared.
• Payment & subscription providers — Apple, Google, and RevenueCat provide us with transaction state (e.g., active subscription, renewal date, expiration) and a transaction identifier. We do not receive your payment-card number, CVV, or bank-account details.
• Telephone-verification provider (Twilio) — we receive the success or failure of a verification attempt.
• Abuse & safety signals received from Third-Party Services we use (e.g., automated content-moderation signals, error-reporting signals).

4. Sensitive personal information

The following categories of personal information we process may be considered sensitive or "special category" under various laws (including GDPR Article 9, the UK GDPR, the California Consumer Privacy Act as amended, and equivalent regimes):

• Precise geolocation (for matching and Places Discovery);
• Health-related data — mood entries you submit in the wellness feature;
• Information that may reveal sexual orientation or gender identity (inferred from your stated gender, companion-role selection, or romantic preferences);
• Telephone number, when provided for verification;
• Account credentials (e.g., authentication tokens).

We process these categories only with your explicit consent where required, or where otherwise permitted under Applicable Law, and only for the limited purposes described in this Policy. We do not process biometric identifiers for unique identification, we do not collect or scan government-issued identity documents, and we do not infer or collect information about your race, ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, or genetic data.

5. Sources of information

Sources of information summarized: (a) you; (b) your device and operating system; (c) other Users who interact with you (e.g., send you a message or report you); (d) our service providers, as listed in Section 9; (e) public sources (limited; primarily for fraud-prevention purposes).

6. How we use information

We use personal information for the following purposes:

• Provide & operate the Service — create and manage your account, perform matching, deliver messages, provide Places Discovery, deliver push notifications, process subscriptions, verify eligibility, authenticate you, and respond to your requests.
• Personalization — tailor matches and suggestions based on the data you voluntarily provide.
• AI features — provide AI-assisted conversation, tone analysis, and mood-based suggestions. See Section 13.
• Safety, trust, & abuse prevention — detect, investigate, and respond to harassment, fraud, impersonation, spam, illegal activity, and violations of the Terms or Community Guidelines; enforce those rules; cooperate with law enforcement.
• Security — protect the integrity and security of the Service, prevent unauthorized access, and investigate security incidents.
• Compliance & legal obligations — comply with legal, regulatory, tax, accounting, and audit obligations, and respond to valid legal process.
• Customer support — respond to your questions, tickets, and grievance submissions.
• Service improvement & analytics — diagnose crashes and performance issues; analyze aggregate usage to improve features; develop new features. We do not use your messages, profile content, mood entries, journal entries, or photographs to train AI models.
• Transactional communications — send you account notices, verification codes, service updates, and other operational messages.
• Protection of rights — establish, exercise, or defend legal claims; protect the rights, property, or safety of Sigma Pi Labs, our Users, and the public.
• Corporate transactions — evaluate or execute a merger, acquisition, reorganization, financing, sale of assets, or similar transaction, with appropriate confidentiality safeguards.

7. Legal bases for processing (EEA / UK / Brazil)

If you are located in the European Economic Area, the United Kingdom, or a jurisdiction with equivalent legal-basis requirements, we process personal information on the following bases, as applicable to the purpose:

• Performance of a contract (GDPR Art. 6(1)(b)) — to provide the Service that you request under the Terms and Conditions.
• Legitimate interests (GDPR Art. 6(1)(f)) — including our interests in protecting the Service against abuse and fraud, improving performance, defending legal claims, and corporate-transaction due diligence. We weigh our interests against your rights and freedoms; you may object at any time, as described in Section 22.
• Consent (GDPR Art. 6(1)(a) and Art. 9(2)(a) for sensitive data) — where required, such as for precise-location processing for Places Discovery, wellness / mood entries (special category), AI features that are opt-in, and marketing communications. You may withdraw consent at any time.
• Legal obligation (GDPR Art. 6(1)(c)) — to comply with tax, accounting, anti-money-laundering, safety-reporting, child-safety, and other legal obligations.
• Vital interests (GDPR Art. 6(1)(d)) — in rare cases involving imminent risk of harm to you or another natural person.
• Public interest (GDPR Art. 6(1)(e)) — where applicable, for example in responding to child-safety authorities.

8. How we share information

8.1 With other Users

Information you choose to make visible in your profile (e.g., display name, age range, photographs, bio, interests, city or self-entered location, connection-type preferences, companion role) is visible to other Users through the Service's matching and discovery features. Messages you send to another User are delivered to that User. Activity RSVPs may be visible to co-participants in the activity. Do not post information in your profile that you would not want other Users to see.

8.2 With service providers (processors)

We share personal information with vendors who process it on our behalf, under written data-processing terms that restrict their use to the purposes we authorize. See Section 9 for a current list.

8.3 With authorities & to comply with law

We may disclose personal information when we believe in good faith that disclosure is necessary to: (a) comply with Applicable Law, legal process, subpoena, warrant, court order, or similar legal instrument; (b) protect the rights, property, or safety of Sigma Pi Labs, our Users, or the public; (c) enforce our Terms and Conditions and Community Guidelines; (d) detect, prevent, or address fraud, security, or technical issues; or (e) respond to a governmental or regulatory inquiry consistent with recognized data-protection principles.

8.4 Corporate transactions

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction, subject to standard confidentiality protections and notice where required.

8.5 With your consent

We may share information for purposes not described in this Policy if we have your consent to do so.

8.6 We do not sell your personal information

9. Sub-processors & service providers

We engage the following service providers, each of which processes personal information on our behalf and under written data-processing commitments.

Provider	Purpose	Categories of personal information	Processing location
Google LLC — Google Cloud Platform (incl. Cloud SQL, Cloud Run, Firebase Authentication, Firebase Cloud Messaging, Firebase Remote Config, Cloud Logging)	Hosting, databases, authentication, push notifications, logging, feature flags	Account identifiers, email, phone, profile data, messages, mood, journal, photos, device and diagnostic data, IP, push tokens	United States (us-central1)
Google LLC — Firebase Crashlytics & Firebase Analytics	Crash reporting, aggregate analytics	Crash stack traces, device identifiers, app version, event names, limited user identifiers	United States
Google LLC — Vertex AI (Gemini models)	AI conversational features, tone analysis, summarization	User prompts and conversation context, User identifier (for rate-limiting). Not used to train models.	United States (us-central1)
Google LLC — Google Places API	Places Discovery — search for public places	Approximate or precise location (as sent by app), search query, place identifier	United States
Anthropic, PBC — Claude (accessed via Google Cloud and/or an intermediary routing service)	Fallback / secondary AI conversational features	User prompts and conversation context, User identifier. Not used to train models.	United States
Apple Inc. — Apple Push Notification Service, Sign in with Apple, StoreKit	Push notifications, authentication, subscription billing	Device identifiers, push token, Apple identity token, transaction identifiers	Global (Apple-determined)
RevenueCat, Inc.	Subscription lifecycle management, receipt validation, entitlement resolution	User identifier, device identifier, subscription state, transaction identifiers	United States
Twilio, Inc.	SMS verification (Twilio Verify)	Telephone number, verification status	United States (with regional redundancy)
Resend (Resend.com Inc.)	Transactional email delivery (e.g., password reset, moderation correspondence)	Email address, email subject and body	United States
Mapbox, Inc.	Map rendering for Places Discovery	Approximate device location (tile requests), map-interaction events, IP address	United States

Where a service provider sub-processes data further (e.g., Google's own infrastructure sub-processors), those further sub-processors are disclosed in the provider's own privacy and sub-processor documentation.

10. International transfers of personal information

Sigma Pi Labs is based in the United States, and our primary infrastructure (including Google Cloud Platform's us-central1 region) is located in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

10.1 Safeguards for EEA / UK / Switzerland transfers

For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States or other third countries that are not the subject of an adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and/or the Swiss-Approved SCCs, as applicable. You may request a copy of the transfer safeguards applicable to a specific processing activity by writing to privacy@vibeconnect.io.

10.2 Transfer-impact assessments

We conduct transfer-impact assessments where required and implement supplementary technical measures (encryption in-transit and at-rest, access controls, audit logging) to protect transferred data.

11. Data retention

We retain personal information only for so long as necessary for the purposes described in this Policy, unless a longer retention is required or permitted by Applicable Law.

Category	Retention
Account profile (display name, photos, interests, personality, city, gender, connection types)	Until account deletion; purged within 30 days after deletion
Messages (ephemeral match & saved connections)	Deleted immediately upon account deletion. During active use, messages are retained as part of the account until deleted by you or by the expiration of a match.
Mood / wellness entries	Until account deletion; purged within 30 days after deletion
Journal (Memory Book) entries	Until you delete them or delete your account; purged within 30 days after deletion
Moderation reports (content, metadata)	Up to 24 months, or longer where necessary for safety, investigations, legal defense, or legal obligation; pseudonymized where feasible
Authentication & security logs	Up to 12 months for routine access; up to 24 months for incident-related logs
Crash, diagnostic, and API-metric logs	Up to 90 days
Subscription / billing records, tax records	Up to 7 years (as required by U.S. federal and state tax law and equivalent requirements in other jurisdictions)
Support correspondence	Up to 24 months
Records required to establish, exercise, or defend legal claims	For the duration of the applicable statute of limitations plus a reasonable buffer

12. Security of personal information

We implement administrative, technical, and physical measures designed to protect personal information against unauthorized access, disclosure, alteration, loss, and destruction. These measures include:

• Encryption of data in transit using industry-standard Transport Layer Security (TLS);
• Encryption of data at rest using AES-256 or equivalent, as provided by Google Cloud Platform and our other infrastructure providers;
• Least-privilege access controls and strong authentication for employees with access to production systems;
• Centralized identity and secrets management;
• Access, change, and audit logging for sensitive operations;
• Server-side deletion atomicity for account-deletion events;
• On-device Keychain / Secure Enclave (iOS) and comparable protected storage (Android) for credentials and cryptographic keys;
• Routine review of service providers' security postures.

13. AI features & your data

13.1 Providers

Certain features use large-language-model AI technology provided by Google LLC (Vertex AI / Gemini, hosted within Google Cloud Platform) and Anthropic, PBC (Claude). These are our only AI providers at this time.

13.2 What we send

When you use an AI feature, the inputs you provide (for example, your message to "Ask Vibe," or a mood entry being analyzed for tone-matching), together with limited context drawn from your conversation, are transmitted to the applicable AI provider for the sole purpose of generating the requested output.

13.3 No training

13.4 Retention at the provider

Provider-side retention of AI inputs and outputs is governed by each provider's contractual terms with us and is limited to short-term retention for abuse-detection and operational purposes. Provider retention is disclosed in the provider's own documentation.

13.5 Consent & opt-out

Opt-in AI features display a consent prompt on first use. You may disable AI features in Settings at any time. Disabling a feature does not retract any output already delivered.

13.6 Not professional advice

AI outputs are not medical, mental-health, legal, financial, relationship, or safety advice, and you should not rely on them as such. See Sections 10.4 and 10.5 of the Terms and Conditions.

14. Messaging & encryption

15. Location information

We collect location information only when and where you grant permission through your device's operating system. We use location information for:

• Matching — to present matches within a reasonable proximity you select;
• Places Discovery — to show public places near you;
• Coarse, IP-derived location — for security, fraud prevention, and to comply with legal restrictions.

We do not use location information for advertising. You can change location permissions at any time in your device settings; doing so may limit certain features.

16. Notifications & communications

We send transactional communications (account confirmations, password-reset emails, verification codes, safety/moderation correspondence, billing receipts where applicable, and service-operational messages). You cannot opt out of transactional communications while maintaining an active account. Marketing communications are not sent at this time; if we later introduce marketing communications, we will seek your separate, prior, opt-in consent where required, and we will provide an opt-out mechanism in every such message.

17. Cookies & similar technologies

The VibeConnect mobile application does not use browser cookies. Our website at vibeconnect.io may use strictly necessary and operational cookies or similar technologies for functionality, security, and basic traffic measurement. We do not use cookies or similar technologies for cross-site tracking, retargeting, or targeted advertising.

18. Children

The Service is intended solely for adults aged eighteen (18) or older. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a person under 18, we will promptly delete the information and terminate the associated account. If you believe a child has provided personal information to the Service, please contact privacy@vibeconnect.io immediately.

19. Automated decision-making & profiling

We use automated systems (including matching algorithms, spam and abuse detection, content-moderation classifiers, and AI-based tone suggestions) that process your personal information. These systems do not produce legal effects or similarly significant effects concerning you within the meaning of GDPR Art. 22. Where we make a decision with significant consequences for you (for example, suspension or termination of your account for a safety reason), a human reviewer is involved, or you may request human review as described in Section 22.

20. Your privacy rights (summary)

Subject to Applicable Law and the specific rules of your jurisdiction (Sections 21–26), you may have some or all of the following rights:

• Access — obtain confirmation of whether we process your personal information and, if so, receive a copy.
• Correction / rectification — correct inaccurate or incomplete personal information.
• Deletion / erasure — request deletion of your personal information, subject to limited exceptions.
• Portability — receive certain personal information in a structured, commonly used, and machine-readable format.
• Restriction / objection — restrict or object to certain processing activities.
• Withdraw consent — where processing is based on consent, withdraw it at any time, without affecting the lawfulness of prior processing.
• Non-discrimination — not be denied service or charged different prices for exercising your rights, except as permitted by Applicable Law.
• Complain — lodge a complaint with a supervisory or data-protection authority.

To exercise a right, email privacy@vibeconnect.io. We will verify your identity by matching the request to the account, and we will respond within the time required by Applicable Law (generally 30–45 days, extendable as permitted).

21. United States state privacy rights

21.1 California (CCPA / CPRA)

If you are a California resident, you have the right to know, delete, correct, and limit the use of sensitive personal information; the right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of in that respect); and the right not to be retaliated against for exercising your rights. You may submit a verifiable request to privacy@vibeconnect.io.

21.2 Categories disclosed under CCPA

We collect the following CCPA-enumerated categories: identifiers (e.g., email, telephone, Firebase identifiers); commercial information (subscription history); internet or network activity information (device data, IP, crash logs); geolocation data; audio-like content that is immediately converted to text on-device (not retained as audio); sensory data (photographs you upload); inferences drawn for matching; and sensitive personal information limited to precise geolocation, health-related mood data (with your consent), account-log-in credentials, and data concerning sexual orientation as inferred from your preferences.

21.3 Other U.S. state laws

If you reside in a state with a comprehensive consumer-privacy law (including Virginia — VCDPA, Colorado — CPA, Connecticut — CTDPA, Utah — UCPA, Texas — TDPSA, Oregon, Montana, Iowa, Delaware, New Jersey, Tennessee, Minnesota, Maryland, and other states with similar laws), you have substantially similar rights to access, correction, deletion, portability, and opt-out of targeted advertising and sale of personal data (which we do not engage in). Submit requests to privacy@vibeconnect.io.

21.4 "Shine the Light" (California)

California Civil Code § 1798.83 permits California residents to request information about disclosure of certain personal information to third parties for the third parties' direct marketing purposes. We do not engage in such disclosures.

22. European Economic Area & United Kingdom — GDPR / UK GDPR rights

If you are in the EEA, the UK, or Switzerland, you have the rights described in Section 20 as implemented under the General Data Protection Regulation, the UK GDPR, and the Swiss Federal Act on Data Protection. In addition:

• You have the right to object to processing based on legitimate interests (GDPR Art. 21), including a right of absolute objection to direct marketing.
• Where processing is based on consent, you may withdraw it at any time.
• You may exercise your rights by emailing privacy@vibeconnect.io. We will respond within one (1) month, extendable by two (2) further months where justified under GDPR Art. 12(3).
• You have the right to lodge a complaint with your local Supervisory Authority. A list of EEA Data Protection Authorities is available on the European Data Protection Board website. For the UK, you may contact the Information Commissioner's Office (ICO).

23. India — Digital Personal Data Protection Act, 2023; IT Rules, 2021

If you are a Data Principal in India, we process your personal data as a Data Fiduciary. You may:

• Request access to, correction of, or erasure of your personal data;
• Nominate another individual who may, in the event of your death or incapacity, exercise your rights;
• Withdraw consent, where processing is based on consent;
• Submit grievances to our Grievance Officer at privacy@vibeconnect.io. The Grievance Officer will acknowledge receipt within 24 hours and attempt to resolve the grievance within 15 days.

You also have the right to register a complaint with the Data Protection Board of India, when established.

24. Brazil — Lei Geral de Proteção de Dados (LGPD)

If you are a Data Subject in Brazil, you have the rights set out in Article 18 LGPD, including confirmation of processing, access, correction, anonymization, blocking or erasure, portability, information about entities with which we share your data, information about the possibility of refusing consent, and revocation of consent. Requests may be submitted to privacy@vibeconnect.io. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

25. Canada — PIPEDA

If you are a resident of Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial laws (including Quebec's Law 25). You may submit access and correction requests to privacy@vibeconnect.io. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC).

26. Australia — Privacy Act 1988 (Cth) & Australian Privacy Principles

If you are in Australia, we handle your personal information in accordance with the Australian Privacy Principles. You may access and correct your personal information by contacting privacy@vibeconnect.io. If you are dissatisfied with our handling of a complaint, you may contact the Office of the Australian Information Commissioner (OAIC).

27. Account deletion & data purge

You may delete your account at any time through the in-app Settings → Delete Account flow. Upon confirmation:

• All messages you have sent and received through the Service are deleted immediately.
• Profile data, photographs, mood entries, journal entries, matches, saved connections, activity participation records, push tokens, device-local caches, Keychain items, and every device-local MMKV store are erased from Sigma Pi Labs systems and from the device within no more than 30 days of your deletion request.
• A 30-day grace period is maintained to allow reversal of inadvertent deletion. After the grace period, the account is permanently purged.
• Residual retention occurs only for the limited categories in Section 11 (moderation reports, financial records, records required to defend legal claims).

28. Breach notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify: (a) the relevant supervisory authority within 72 hours where required by GDPR Art. 33 or comparable law; (b) you, without undue delay, where the breach is likely to result in a high risk to your rights and freedoms, or where required by state breach-notification law. We will provide the nature of the breach, the likely consequences, the measures taken or proposed, and a contact point for further information.

29. Do Not Track & Global Privacy Control

The VibeConnect application is not served via web browsers and does not respond to browser-based Do Not Track signals. The application does not engage in cross-site tracking. Where required by Applicable Law (e.g., California), our website honors the Global Privacy Control signal as an opt-out of sale/sharing, although we do not sell or share personal information for cross-context behavioral advertising.

30. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or the Service. When we make a material change, we will notify you by in-app notice, push notification, or email before the change becomes effective, and we will update the "Last Updated" date at the top of this Policy. Your continued use of the Service following the effective date of a revised Policy constitutes your acknowledgment of the revised Policy.

31. Contact & grievance

Sigma Pi Labs Inc. — a Delaware Corporation (United States).

• Privacy, data-subject rights, DMCA, legal: privacy@vibeconnect.io
• General support: support@vibeconnect.io
• India Grievance Officer (Rule 3(11), IT Rules 2021): privacy@vibeconnect.io — acknowledgment within 24 hours, resolution within 15 days where reasonably feasible.
• Postal address for legal notices: available on request by email to privacy@vibeconnect.io.

---

© 2026 Sigma Pi Labs Inc. All rights reserved. VibeConnect, Ask Vibe, and VibeZone are trademarks of Sigma Pi Labs Inc.