Privacy Policy

Your Data.
Your Rights.

We believe privacy is a fundamental right, not a feature. Here is exactly what we collect, why, and what you can do about it.

Last updated: May 2026
01

Introduction

Vibra Music ("Vibra", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use the Vibra iOS application and web platform (collectively, the "Service").

By creating an account or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

This policy applies to all users globally. If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), described in the "Your Rights" section below.

02

Information We Collect

Account Information

When you register, we collect your email address, username, artist name, and password (stored as a one-way bcrypt hash — we never see your plain-text password). You may optionally add a profile photo and bio.

Content You Upload

We store the audio files, cover artwork, and metadata (title, collaborators, lyrics) you upload as tracks. This content is public and visible to all Vibra users.

Activity Data

We record which tracks you play and how often (used to power Smart Radio recommendations), tracks you like, comments you post, and search queries you enter. This data is tied to your account.

Authentication Data

We issue a session token (JWT, valid 30 days) stored in an httpOnly cookie on your device. If you sign in with Google, we receive your Google account email and display name only — we do not access your Gmail, Drive, contacts, or any other Google service.

Technical Data

Our servers automatically log your IP address, device type, and browser/app version in standard server access logs. These logs are retained for 30 days and used only for security monitoring and debugging.

03

How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service — authenticate your account, store and serve your uploads, display your profile, process likes and comments.
  • Personalised Recommendations — your play history and liked tracks power the Smart Radio feature, which builds queues tailored to your taste using collaborative filtering.
  • Search — your search queries are used to return relevant results in real time. We do not store individual search queries tied to your identity beyond server logs.
  • Improve the Service — aggregated, anonymised usage patterns help us understand which features are most valuable and where to focus improvements.
  • Security — IP addresses and session data are used to detect fraudulent activity, investigate abuse reports, and enforce our Terms of Service.
  • Communications — if you opt in, we may send you product updates or important service notices by email. We do not send marketing emails without your explicit consent.

We do not use your data to serve third-party advertisements, sell to data brokers, or build profiles for external targeting.

04

Information Sharing & Disclosure

We do not sell, rent, or trade your personal information. Full stop.

Service Providers

We share data with the following sub-processors, solely to operate the Service:

  • Google Cloud Platform (US) — Cloud Run (app hosting), Cloud SQL (PostgreSQL database), Cloud Storage (audio files and images). Google processes data on our behalf under a Data Processing Agreement and does not use your data for their own purposes.
  • Google OAuth — if you choose "Continue with Google", Google processes your authentication. Their privacy policy applies to that interaction.

Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Vibra, our users, or the public.

Business Transfers

If Vibra is acquired, merged, or its assets are transferred, your data may be part of that transaction. You will be notified via email and an in-app notice at least 30 days in advance, and you will have the opportunity to delete your account before any transfer.

05

Data Storage & Security

Where Your Data Lives

All data is stored on Google Cloud Platform infrastructure in the United States (us-central1). Audio files and images are stored in Google Cloud Storage buckets with public read access (since they are user-published content). Account data is stored in a Cloud SQL (PostgreSQL) instance accessible only by the application.

Technical Safeguards

  • Encryption in transit — all communication between your device and our servers uses TLS 1.2 or higher (HTTPS). There is no unencrypted channel.
  • Password hashing — passwords are hashed using bcrypt with a cost factor of 12 before storage. We cannot retrieve your plain-text password.
  • Session tokens — authentication tokens are signed JWTs stored in httpOnly cookies (not accessible to JavaScript), preventing XSS-based token theft.
  • Database isolation — the database is not publicly accessible; only the Cloud Run application service can connect via a secure Unix socket.

Data Retention

Your data is retained for as long as your account is active. If you delete your account, your personal data (email, username, artist name, profile photo, play history, and likes) is deleted within 30 days. Uploaded audio files and cover art are deleted within 7 days. Comments are anonymised rather than deleted so that conversations remain coherent for other users. Server logs containing IP addresses are purged after 30 days.

06

Your Rights & Choices

You have meaningful control over your data. Regardless of your location, you may exercise the following rights at any time:

  • Access — request a copy of all personal data we hold about you.
  • Correction — update your email, username, artist name, bio, and avatar directly from the Profile settings screen in the app.
  • Deletion — delete your account from the Profile settings screen. This triggers permanent deletion of your personal data within 30 days.
  • Portability — request an export of your data in a machine-readable format (JSON).
  • Objection — object to processing of your data for personalisation (Smart Radio). You can disable this by not playing tracks while logged in, or by contacting us.
  • Restrict processing — request that we restrict processing of your data while a dispute is resolved.

GDPR (European Users)

If you are in the EEA, our legal basis for processing your data is contract performance (to provide the Service), legitimate interests (security, fraud prevention, product improvement), and consent (email communications). You have the right to lodge a complaint with your national data protection authority.

California (CCPA)

California residents have the right to know what personal information is collected, the right to delete it, and the right to opt out of sale (which we do not engage in). We do not discriminate against users who exercise these rights.

To exercise any right, email coincatcher14@gmail.com with the subject "Privacy Request". We will respond within 30 days.

07

Cookies & Tracking

We use a minimal, purposeful set of cookies — no advertising trackers, no third-party analytics.

Cookie | Purpose | Duration | Type
--- | --- | --- | ---
vibra_session | Authenticates your session after login | 30 days | httpOnly, Secure, SameSite=Lax — Required

That is the complete list. One cookie. We do not use:

  • Advertising or retargeting cookies
  • Third-party analytics (Google Analytics, Mixpanel, etc.)
  • Social media tracking pixels
  • Fingerprinting techniques

The vibra_session cookie is strictly necessary to provide the Service. Deleting it will sign you out. You can manage cookies in your browser settings or in the iOS app's system settings.

08

Children's Privacy

Vibra is rated 12+ on the Apple App Store due to user-generated content. We do not knowingly collect personal information from children under the age of 13 (or under 16 in the EEA).

If you are a parent or guardian and believe your child under 13 has created an account, please contact us at coincatcher14@gmail.com with the subject "Child Account Removal". We will verify the request and delete the account and all associated data within 5 business days.

We do not serve advertisements to any users, which eliminates a common vector for child-directed data collection. Our platform does not contain content specifically targeted at children.

09

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make a material change — one that meaningfully affects your rights or how your data is used — we will:

  • Post the updated policy at this URL with a new "Last Updated" date
  • Send an email notification to your registered address at least 14 days before the change takes effect
  • Display an in-app notice on your next login

For minor changes (clarifications, corrections, contact details), we will update the policy without advance notice, but the "Last Updated" date will always reflect the most recent revision.

Your continued use of the Service after the effective date of a material change constitutes your acceptance of the updated policy. If you do not accept the changes, you may delete your account before they take effect.

10

Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please reach out:

Developer: Matthew Watson
Email: coincatcher14@gmail.com
Subject line: "Privacy Request — Vibra Music"

We aim to respond to all privacy-related inquiries within 5 business days and to resolve requests within 30 days in accordance with applicable law.

For general app support, use the Help section within the Vibra app, or visit our web platform.

This policy was last updated May 2026 and is effective immediately.

© 2026 Matthew Watson · Vibra Music

Built with care. Served from Google Cloud, us-central1.
