Privacy Policy
This policy explains what data we collect, why we collect it, and what you can do about it. We’ve tried to write it like a person, not a robot. If anything here is unclear, email support@thevibe.in.
The short version
We collect the minimum data we need to run the app, we never sell it, businesses only see aggregated anonymous insights about members, and you can export or delete everything at any time from the app.
1. Introduction
The Vibe (“we”, “us”, or “the service”) is operated by Vibe Labs, Unip. Lda., a company registered in Portugal (NIPC 516 842 301). We are the data controller for personal data collected through the app, the Business Console, and thevibe.in.
This policy describes our practices under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Brazil’s LGPD, and Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties.
2. Who we are & how to reach us
Data controller: Vibe Labs, Unip. Lda., Rua da Boavista 84, 1200-068 Lisboa, Portugal.
Data Protection Officer: Lúcia Henriques, support@thevibe.in.
EU representative: same as controller.
UK representative: VeraSafe UK Ltd., London.
3. What we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, phone, password hash, profile photo, date of birth | You |
| Usage data | Events viewed, RSVPs, check-ins, reviews, search queries | The app |
| Device & technical | Device model, OS, IP, app version, crash logs | The app / browser |
| Location | Approximate (city-level) always; precise only with explicit permission | Device, with consent |
| Payment | Card type, last 4 digits, billing country. Full card data never touches our servers. | Stripe / Adyen |
| Social sharing | Platform tokens you grant (Instagram, TikTok, etc.) for one-tap posting | You, via OAuth |
4. How we use it
We process your data only for the purposes listed below, and only on the legal bases stated. We do not use your data for automated decision-making that produces legal effects on you.
- Deliver the service (contract): account, offer claims, QR redemption, reviews, notifications.
- Personalize recommendations (legitimate interest, adjustable): learn experience, price, and category preferences to improve your feed. Toggle off any time.
- Measure & improve the product (legitimate interest): funnel analytics, performance monitoring, A/B testing.
- Prevent fraud & keep people safe (legitimate interest, legal obligation): duplicate ticket detection, abuse reports, safety flags.
- Send you essential updates (contract): booking confirmations, cancellations, refunds.
- Marketing communications (consent): newsletters and city drops. Unsubscribe at any time.
5. Who we share with
We share personal data only with the categories below, each under a written data-processing agreement.
- Venues hosting events you attend. They receive your first name, initial, and QR check-in status. They never see your email, phone, or profile. Aggregated demographics only; never individual.
- Payment processors (Stripe, Adyen) for ticket purchases.
- Infrastructure (AWS in eu-central-1 and us-east-1; Cloudflare) for hosting and delivery.
- Analytics & crash reporting (PostHog self-hosted, Sentry). No third-party ad networks. No Facebook or Google tracking SDKs.
- Authorities only when legally compelled, and we publish an annual transparency report.
We do not and will not sell your personal data. We do not share it with data brokers.
6. How long we keep it
- Account data: while your account is active; deleted 30 days after account closure.
- Event history & reviews: retained while account is active; anonymized on account closure.
- Payment records: 7 years (tax & audit obligation in Portugal).
- Crash logs: 90 days.
- Marketing consent records: 3 years after withdrawal.
7. Your rights
You can exercise any of the rights below directly in the app (Settings → Privacy) or by emailing support@thevibe.in. We will respond within 30 days.
- Access: receive a copy of everything we hold on you, in a portable format.
- Rectification: correct inaccurate information.
- Erasure: delete your account and associated data.
- Restriction: pause processing while a dispute is resolved.
- Portability: export your data in a machine-readable format.
- Objection: to processing based on legitimate interests, including profiling.
- Withdraw consent: at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint: with the Portuguese CNPD, your local supervisory authority, or the California Attorney General.
8. International transfers
Personal data of EU/UK users is hosted in Frankfurt (eu-central-1). Where transfers to the US are strictly necessary (e.g. Stripe webhooks), we rely on the EU–US Data Privacy Framework and Standard Contractual Clauses with supplementary measures (encryption in transit and at rest).
9. Children
The Vibe is an 18+ service. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please email support@thevibe.in and we will delete it immediately.
10. Security
We apply industry-standard technical and organizational measures: TLS 1.3 in transit, AES-256 at rest, tokenized payments, hardware-backed key storage, continuous vulnerability scanning, and annual third-party penetration tests. We maintain SOC 2 Type II and ISO/IEC 27001 certifications. You can request our latest audit report at support@thevibe.in.
11. Changes to this policy
We’ll notify you in-app and by email at least 30 days before any material change. Older versions remain available at thevibe.in/legal/archive.
12. Contact
Questions, concerns, or complaints: support@thevibe.in or write to our DPO at the address above.