Privacy Policy

Privacy Policy

Effective Date: 20 May 2026 Last Updated: 20 May 2026

This Privacy Policy explains how OnlyVibeApps ("OnlyVibeApps," "we," "us," or "our") collects, uses, stores, shares, and protects your information when you download, install, register for, access, or use the Alive mobile application ("Alive," the "App," or the "Service"), our website at https://www.onlyvibeapps.com (the "Website"), and any related products, features, content, tools, communications, or services we provide (together with the App and the Website, the "Services").

By creating an Alive account or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, please do not use the Services.

---

1. Who We Are and How to Contact Us

Alive is operated by OnlyVibeApps, the data controller for personal information processed in connection with the Services.

• Publisher: OnlyVibeApps
• Product: Alive (iOS bundle ID com.onlyvibeapps.alive; Android package com.onlyvibeapps.alive)
• Website: https://www.onlyvibeapps.com
• Privacy contact / general support: aditya@onlyvibeapps.com
• Data deletion requests: aditya@onlyvibeapps.com (or use Settings → Delete Account in the App)
• EU/UK representative or DPO (if applicable): contact us at the address above and we will route appropriately.

If you have any questions, requests, or complaints about how we handle your personal information, please contact us using the email addresses above before approaching a regulator — we want the chance to resolve concerns directly.

---

2. What Alive Is (Privacy Context You Should Know Before Reading Further)

Alive is a closed, friends-only social application. Understanding the product is essential to understanding the privacy posture, because the design choices below shape what we do and do not collect:

• No public feed. There is no global discovery surface, no algorithmic timeline, no "for you" page, and no public posts. Content is only seen by people the user explicitly shares with (and, optionally and at the user's explicit choice, by friends-of-those-recipients).
• No AI processing of post content. We do not run any artificial intelligence, machine learning, sentiment analysis, mood detection, automatic captioning, content moderation classifiers, or recommendation models on any text, audio, image, or video you create or upload. There is no AI anywhere in the product.
• Local-first storage. Posts that you create but never share are stored only on the device that captured them. They never reach our servers, never sync to other devices you may own, and are lost if the App is uninstalled or the device is replaced.
• Mutual-only friend graph. There are no asymmetric "followers." Connections require explicit acceptance from both sides.
• Cap on friend-of-friend propagation. Friend-of-friend visibility is one hop only, defaults to OFF, and must be enabled per recipient per post.
• No advertising and no advertising identifiers. We do not show ads, run ad networks, sell ad space, or share information with ad-tech vendors. We do not request IDFA on iOS and we do not use Google Advertising ID on Android.
• No tracking across other apps or websites. We do not participate in cross-app or cross-site tracking, audience pixels, ad attribution networks, or fingerprinting.

If a particular description in this Policy ever conflicts with the product behavior described in the App itself, the actual product behavior controls.

---

3. Eligibility and Children

Alive is not directed at children under 13 (or under the higher minimum age required by the laws of your country — for example, 14 in South Korea, 15 in France, 16 in many EU countries pursuant to GDPR national derogations). You must be at least 13 years old (or the local equivalent minimum digital-consent age) to create an account.

We do not knowingly collect personal information from children below the applicable minimum age. If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact aditya@onlyvibeapps.com and we will delete the account and associated data without undue delay.

We may add COPPA-aligned and EU age-verification mechanisms in the future. Until then, we rely on age representations made at sign-up and on platform-store age-gating provided by Apple and Google.

---

4. Information We Collect

We collect only the information needed to operate, secure, and improve Alive. We do not collect more than necessary, we do not retain it longer than necessary, and we do not sell it.

4.1 Information You Provide Directly

a) Account information (required to create and operate your account):

• Email address (required for authentication, account recovery, and transactional notifications).
• Username (a unique, public handle; 3–30 characters, alphanumeric plus _ and ., case-insensitive uniqueness).
• Display name (a short label visible to other users; emoji permitted).
• Profile picture / avatar (optional; you may also leave it blank or use a default).
• Bio (optional; up to three lines of free text).
• Date of birth or age affirmation (used solely for age-gating; we may store the value or only the derived "is over minimum age" flag).
• Authentication metadata returned by Apple Sign In or Google Sign In if you choose those methods (we receive only the minimum identifiers the provider returns; if you use "Hide My Email" with Apple, we only ever see Apple's relay address).

b) Content you create and post ("User Content"):

• Text posts and captions you write.
• Audio recordings you create or upload (voice notes, sound layered over images).
• Photos you capture or import.
• Videos you capture or import (up to 120 seconds per post).
• Backgrounds chosen for text and audio posts (palette color, uploaded image, captured image, or library image).
• Comments you write on posts you can see.
• Reactions (likes) on posts and comments.
• Chat messages you send in 1:1 chats.
• Reports you submit about other users or posts.

Important: User Content that you create but never share is stored only on your device. It is not uploaded to our servers, not backed up by us, and not synced to any other device you may own. See Section 5 ("Local-First Storage") for the details and the trade-offs.

c) Social-graph and preferences:

• Friend requests sent and received.
• Confirmed friend connections.
• User-defined groups (Family, Work, Closest Friends, etc.) and group memberships you create.
• Blocks and mutes (and the variant — direct mute vs. via-friend-of-friend-link mute).
• Privacy settings ("Who can message me," friends-list visibility, loop visibility default, notification preferences).
• Saved posts.

d) Subscription and purchase metadata (only if you become a founding subscriber):

• A flag indicating you have an active or historical founder entitlement.
• The opaque identifier RevenueCat uses to link your Alive account to the underlying App Store or Google Play transaction.
• The product/SKU purchased, currency, country of the storefront, original purchase date, and renewal/cancellation/expiration timestamps that RevenueCat forwards to us.

We do not see or store your full credit-card number, debit-card number, bank account, billing address, CVV, Apple ID, Google account password, or any other payment instrument detail. The actual purchase is performed entirely inside Apple's App Store In-App Purchase system or Google Play Billing — neither we nor RevenueCat ever touch the underlying payment instrument.

e) Communications you send us:

• Support emails, abuse reports, deletion requests, and any other correspondence (including attachments).

4.2 Information Collected Automatically

When you use the Services, the App and the Website automatically collect technical information needed to deliver the Service, prevent abuse, and diagnose problems:

• Device and app identifiers: an installation-scoped device identifier we generate (used to enforce that private posts are device-bound per the product design), the OS family and version (iOS / Android version), the App build version, the device model class, the device locale and timezone.
• Approximate region / IP-derived signals: the IP address used to contact our servers (used for security, rate limiting, fraud prevention, abuse signals, and approximate region inference) and the rough region derived from it. We do not collect precise GPS location.
• Push notification tokens: the Expo Push token (and, transitively, the underlying APNs token on iOS and the FCM token on Android) we need to deliver notifications you have enabled.
• Session and authentication tokens: the Supabase Auth JWT and refresh token used to keep you signed in.
• Service logs: request timestamps, request paths, latency, response codes, error traces, and similar operational telemetry generated by Supabase, Cloudflare, Mux, Inngest, and Upstash as the Service runs. These logs are used to operate, secure, and debug the Service. They may briefly contain personal identifiers (your userId) before being aged out.
• Diagnostic / crash data via Sentry: stack traces, performance data, and breadcrumb timelines when the App misbehaves or crashes. We configure Sentry to scrub identifiers before upload, so Sentry data is treated as not linked to a specific user. Sentry breadcrumbs and any session-replay-style capture are disabled on screens that display post content or chat.
• Product-interaction analytics via PostHog: which screens you visit, which buttons you tap, which features you use, and the funnels you complete. We identify the PostHog event stream with your userId so we can analyse funnels (e.g., how many people who reach the paywall complete sign-up). PostHog is used solely for our own product analytics — it is not used for cross-app or cross-site tracking, advertising, or audience selling.
• Rate-limit and abuse signals stored in Upstash Redis: short-lived counters keyed by IP and/or userId used to enforce the rate limits described in Section 8 (e.g., sign-up attempts per IP per hour, friend-request volume per user per day).
• CAPTCHA challenge data (sign-up only): Cloudflare Turnstile uses minimal, privacy-preserving signals to verify you are not a bot. Turnstile does not use cookies or fingerprinting in a way comparable to reCAPTCHA, and does not run image puzzles.

4.3 Information Collected Only With Your OS-Level Permission

The App requests OS-level permissions for the features that need them. We only ask for a permission at the moment you first use a feature that requires it, not at sign-up:

• Camera: to capture photos and videos when you open the composer.
• Microphone: to record audio when you create an audio post or record audio while filming video.
• Photo Library / Media Library: to import existing photos or videos into a post, or to choose a background image.
• Notifications: to send push notifications for the categories you enable (new shared posts, likes, comments, mentions, friend requests, chat messages, and — on iOS only — screenshot-detection alerts to post owners).
• Network state: to determine whether you are online or offline so the App can queue actions while you have no connectivity.

You may revoke any of these permissions at any time from your device's OS settings. Revocation does not delete data already collected through that permission; revocation only prevents future collection.

4.4 Information We Do Not Collect

We do not collect:

• Precise location / GPS coordinates.
• Contacts or phone book.
• Calendar, reminders, or health data.
• SMS, MMS, or call logs.
• Web browsing history outside the App.
• Advertising identifiers (IDFA on iOS, AAID on Android).
• Cross-app or cross-website tracking signals.
• Biometric templates (Face ID / Touch ID stay on-device and are handled by the OS, not by us).
• Financial-instrument details such as card numbers, CVV, bank account numbers, or billing addresses.

We also do not run any AI on the content of your posts (text, audio, image, video, captions, comments, or chat messages).

---

5. How Local-First Storage Works (and Why It Matters)

A defining product choice of Alive is that posts you create but never share never reach our servers.

• Until you share a post, the compressed file, the higher-quality original (kept on-device for approximately 30 days), and the post's metadata are stored exclusively on the device that captured them. They are not backed up by us, not synced across your devices, and not visible to anyone other than you on that specific device.
• The first time you share a post, the App uploads the relevant media to our object storage (Cloudflare R2, video via Mux) and creates database records for the share and its recipients. After this point, the media exists in our cloud infrastructure so that recipients can view it.
• If you never share a post, the moment you uninstall the App, switch to a new device, or wipe your device, that post is gone. We cannot recover it because we never had it.
• A "Backup my data" cloud-backup feature and a "Download my data" export feature are not offered in this version of Alive. You can still request a copy of your account data we hold on our servers under Section 14 ("Your Rights"); that export will not include never-shared, local-only content because we do not hold it.

You will be reminded of this constraint during onboarding. By proceeding past that screen, you acknowledge that local-only posts are your responsibility and that loss of the device or uninstall of the App causes irreversible loss of those local-only posts.

---

6. How We Use Your Information

We use the information described above only for the following purposes:

a) To provide the Service.

• Create and maintain your account.
• Authenticate you securely.
• Enable you to capture, save, and (when you choose) share posts with the recipients and friends-of-friends you select.
• Deliver direct shares, friend-of-friend posts, comments, likes, and chat messages between users.
• Enforce blocks, mutes, "Who can message me" preferences, friends-list visibility, and loop visibility per the product specification.
• Resolve usernames, display names, friend requests, friend-of-friend visibility, mentions, and other social-graph operations.
• Render compressed and adaptive-bitrate media efficiently via Cloudflare Image Transformations (for images) and Mux (for video).

b) To keep the Service safe and operational.

• Detect, prevent, and mitigate abuse, spam, fraud, brute-force attacks, scraping, denial-of-service patterns, and rate-limit violations.
• Investigate reports of inappropriate content or behavior submitted via the in-app reporting flow.
• Maintain audit trails of security-relevant events.
• Notify the post owner when a screenshot or screen recording is detected on iOS for a post they own (see Section 12).

c) To communicate with you.

• Send authentication emails (sign-in magic links and OTPs).
• Send service-related notices, such as security alerts, account-deletion confirmations, billing-related notices about a founder subscription, and material updates to this Privacy Policy or the Terms of Service.
• Reply to support requests and abuse reports.
• We do not send marketing emails, growth nudges ("you haven't posted in N days"), "on this day" resurfacing emails, or streak prompts.

d) For analytics and product improvement (first-party only).

• Understand which screens are used, where users drop off, and how to fix the rough edges. This is performed only with our own first-party PostHog instance. We do not pass this data to advertising partners.

e) For diagnostics and reliability.

• Stack traces and performance signals captured via Sentry are used to find and fix crashes and performance regressions. Sentry data is scrubbed of personal identifiers before upload.

f) To comply with law and protect rights.

• Respond to validly issued subpoenas, court orders, or other legal process; enforce our Terms of Service; protect the safety of users and the public; and pursue remedies legally available to us.

We do not use your information for any of the following:

• We do not sell, rent, lease, or trade your personal information.
• We do not use your User Content to train AI or machine-learning models — ours, our vendors', or anyone else's.
• We do not display ads inside Alive, anywhere, on any tier, free or founding subscriber. The lifetime ad-free guarantee for founding subscribers is one of the canonical product commitments of Alive (see Terms of Service §7).
• We do not build advertising profiles, do cross-app tracking, or pass your information to ad networks.

---

7. Legal Bases for Processing (EEA, UK, and Other Comparable Regions)

If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction that requires us to identify a legal basis for processing your personal information, our legal bases are:

Where our legal basis is legitimate interests, we have weighed those interests against your rights and have concluded that our processing is proportionate. You can object to legitimate-interests processing under Section 14.

---

8. How We Share Information

Alive is friends-only. The default state of the Service is that your information is not shared with anyone other than the specific recipients you choose. The sharing described below is the complete list:

8.1 Sharing With Other Users (Driven by You)

When you take an action inside the App that necessarily involves another user, the relevant information becomes visible to that user. Specifically:

• Your profile information (username, display name, avatar, bio, friends count, and — if you have not hidden your list — friends list) is visible to other users to the extent your profile-visibility settings allow.
• Posts you share are visible to the direct recipients you select, and — if and only if you explicitly enable the "link icon" toggle for a particular recipient on a particular post — to that specific recipient's confirmed friends. Friend-of-friend propagation is one hop only and cannot be re-shared.
• Comments, likes, and mentions are visible to the loop of the post (poster, direct recipients, and any friends-of-friends with visibility on the post).
• Chat messages are visible to the other participant in your 1:1 thread.
• Reports you submit are visible to OnlyVibeApps personnel reviewing reports; they are not visible to the user being reported.
• A founder badge is visible everywhere you are identifiable in the App: on your profile, on every post you make, on every comment you leave, on chat, on the Founders Wall, and on any future surface that displays you as the actor of an action. This is one of the explicit visual perks of the founder tier (see Terms of Service §7).

8.2 Service Providers (Sub-Processors)

We use carefully selected third-party service providers to operate the Service. Each is contractually bound to use the data we share only to provide their service to us, to protect it with appropriate technical and organizational measures, and not to use it for their own purposes.

We may add or replace sub-processors over time. Material changes to this list will be reflected in updates to this Policy.

8.3 Legal and Safety Disclosures

We may disclose information to law enforcement, government authorities, or other third parties if we believe in good faith that disclosure is necessary to:

• Comply with a subpoena, court order, search warrant, or other legally valid request.
• Comply with applicable law in any jurisdiction where the Service operates.
• Investigate or prevent fraud, security incidents, abuse of the Service, or violations of our Terms of Service.
• Protect the rights, property, or safety of OnlyVibeApps, our users, or the public.

Where legally permitted, we will attempt to notify the user whose data is sought before disclosing — except where doing so would be unlawful or would risk harm to a person.

8.4 Business Transfers

If OnlyVibeApps is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you in advance (where practicable) and the acquiring party will be bound by this Privacy Policy or by a successor policy that is no less protective.

8.5 No Sale of Personal Information; No "Sharing" for Cross-Context Behavioral Advertising

We do not sell personal information for money or other valuable consideration. We do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and the California Privacy Rights Act. This statement is not contingent on you opting out — it is the default and only state of the Service.

---

9. International Transfers

OnlyVibeApps may be based outside the country in which you reside. The sub-processors listed above are headquartered primarily in the United States. As a result, when you use the Service, your information may be transferred to, stored in, and processed in countries other than the country in which you are located, including the United States.

For transfers from the EEA, the UK, or Switzerland to a country that has not received an EU Commission adequacy decision (or the UK equivalent), we rely on Standard Contractual Clauses approved by the European Commission and, where required, supplementary safeguards. Copies of the SCCs can be requested by emailing aditya@onlyvibeapps.com.

If you are located in a jurisdiction that requires data localization for certain categories of data, please be aware that the Service is not designed for compliance with strict data-localization mandates. Do not use the Service if such mandates would be violated by transferring your data to the United States or other regions used by our sub-processors.

---

10. Data Retention

We keep personal information only for as long as we need it for the purposes described in this Policy.

After the retention period elapses, we delete or anonymize the data so that it can no longer be associated with you. Anonymized data may be retained indefinitely.

---

11. Where Your Information Is Stored

Our primary infrastructure runs in the United States, with media delivery served from a global CDN edge:

• Database / authentication / realtime / edge functions: Supabase (project region: United States — wxnodsmmeqxuehhyntti namespace).
• Object storage (media): Cloudflare R2 (primary region as configured by us; delivery via Cloudflare's global edge).
• Image delivery: Cloudflare Image Transformations (negotiated at the edge — AVIF/WebP/JPEG per request).
• Video: Mux ingest in the United States; HLS playback delivered via Mux's global CDN.
• Cache and rate-limiting: Upstash Redis (regions configured by us).
• Background jobs: Inngest (United States).
• Email delivery: Resend.
• Push notifications: Expo Push (which fans out to APNs/FCM at Apple and Google).
• Analytics: PostHog Cloud EU.
• Diagnostics: Sentry.

If you have specific data-residency questions, please contact aditya@onlyvibeapps.com.

---

12. Anti-Screenshot and Screen-Recording Behavior

To help protect the privacy of content shared inside Alive, the App applies the following protections on screens that display user-generated content (the feed, post detail, the profile post tabs, and chat):

• Android. Screenshots and screen recordings are technically blocked on these screens using the platform's FLAG_SECURE mechanism. When you attempt to capture, the OS will refuse and the screen will appear black in the resulting image or recording.
• iOS. Apple does not allow apps to block screenshots. Therefore, on protected screens, Alive detects when you take a screenshot (and similarly when a screen recording is initiated). For each detected screenshot of a post, we send a notification to the post's owner that reads something like "Someone took a screenshot of your post." The notification identifies the user who took the screenshot. Screen-recording detection is handled analogously.

By using the Service, you acknowledge and agree that:

• The post owner will be notified if you take a screenshot of their post or a chat with them on iOS.
• These protections are best-effort, not absolute. Rooted/jailbroken devices, secondary cameras, hardware capture tools, or other workarounds can still capture content. We do not promise — and cannot promise — absolute prevention of capture.
• Onboarding, authentication, settings, and the Founders Wall are not protected because they do not display private user content.

---

13. Account Deletion and Data Erasure

You may delete your Alive account at any time from Settings → Delete Account.

• The deletion request enters a 30-day grace period during which signing back in cancels the deletion. We surface this clearly in the App so you can change your mind.
• During the grace period, your account is suspended: posts are hidden, the profile is not searchable, friend requests cannot reach you, and chat threads with you appear inactive to the other party.
• At the end of the 30-day grace, we delete the account record and trigger the cascade described below.

Cascade on account deletion:

• All shared posts authored by you are deleted, which removes them from every recipient's feed and every saver's Saved tab.
• All comments and likes you authored are deleted.
• Your friend edges, friend requests, blocks, and mutes are removed.
• Your chat threads are deleted from our active store; the other participant will see that you have left.
• Your saved posts (saves of other people's content) are deleted.
• Your push tokens are revoked.
• Your founder subscription record, if any, is retained in an anonymized form to permit reconciliation with Apple, Google, or RevenueCat against fraud or refund disputes, but is no longer associated with you.
• Any in-progress reports you submitted are anonymized to preserve the integrity of the safety review while removing your identity.
• Locally stored private (never-shared) posts: because they exist only on the device, they are not deleted by the server-side flow. They are removed when you uninstall the App or when you sign out and reset local storage.

If you also need a copy of your account data before deletion, request it via aditya@onlyvibeapps.com at least seven (7) calendar days before the end of the grace period.

We may retain certain limited information after deletion as required for security, fraud prevention, dispute resolution, tax, accounting, audit, regulatory compliance, or the enforcement of our Terms of Service. Any such retention will be limited to the minimum necessary and only kept for the period required.

---

14. Your Privacy Rights

Depending on where you live, you may have one or more of the following rights:

14.1 Rights Available Globally

• Access the personal information we hold about you.
• Correct inaccurate or outdated personal information (most fields are editable directly in Settings → Profile).
• Delete your account and the associated personal information (Section 13).
• Withdraw consent for any processing that depends on your consent, at any time.
• Object to processing based on our legitimate interests.
• Restrict processing in certain situations (for example, while we are verifying a correction).
• Lodge a complaint with the data-protection authority of your residence.

14.2 EEA, UK, and Swiss Residents (GDPR)

You have the rights set out in Articles 15–22 of the General Data Protection Regulation, including the right to data portability (where applicable), the right not to be subject to a decision based solely on automated processing (we do not perform such automated decisions in Alive), and the right to lodge a complaint with your supervisory authority.

14.3 California Residents (CCPA / CPRA)

You have:

• The right to know what personal information we have collected about you, the categories of sources, the business or commercial purposes, and the categories of third parties with whom we shared it.
• The right to delete that personal information.
• The right to correct inaccurate personal information.
• The right to opt out of "sale" or "sharing" of personal information. As stated in Section 8.5, we do not sell or share personal information; there is nothing to opt out of, but the right is preserved.
• The right to limit use and disclosure of sensitive personal information. We process only minimal sensitive personal information (email address used to authenticate, and you may voluntarily place sensitive content inside posts or chats). We use it only for service provision.
• The right to non-discrimination — exercising any of these rights does not result in degraded service.

To exercise these rights, email aditya@onlyvibeapps.com. We will not require you to create an account in order to exercise a right, and we will not charge a fee for a verifiable request, except as expressly permitted by law for excessive or repetitive requests.

14.4 Other US State Residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, and other US states with comparable privacy laws have rights similar to those above. We honor them through the same email-based intake.

14.5 Brazilian Residents (LGPD)

You have the rights set out in Article 18 of the LGPD, including confirmation of processing, access, correction, anonymization, data portability, deletion, and information about public and private entities with whom we have shared data.

14.6 How to Exercise a Right

Send an email to aditya@onlyvibeapps.com from the email address associated with your Alive account, describing the right you wish to exercise. We will verify your identity (commonly by sending a one-time code to the email on file) and respond within the timeframe required by your local law (typically 30 days, extendable once with notice).

14.7 Authorized Agents

You may designate an authorized agent to act on your behalf. We will require written authorization or a power of attorney and may take reasonable steps to verify the agent and the request.

---

15. Security

We use a defense-in-depth approach to protect your information:

• In transit: all traffic between the App, our edge functions, our database, our object storage, and our other sub-processors is encrypted with TLS 1.2 or higher.
• At rest: the Supabase Postgres database, Cloudflare R2 storage, and Mux video assets are encrypted at rest using industry-standard mechanisms (commonly AES-256). The Supabase Auth JWT and refresh token are stored on the device inside expo-secure-store, which uses the iOS Keychain on iOS and the Android Keystore on Android.
• Authentication: Supabase Auth issues short-lived JWTs and rotating refresh tokens. We support Sign in with Apple, Google Sign In, and email magic-link/OTP. We do not use passwords; there is no "forgot password" flow because there is no password to forget.
• Authorization: Postgres Row Level Security is the primary authorization layer. Every table has RLS enabled and policies enforce that a given user only ever reads or writes the rows they are entitled to. Edge functions add additional checks for logic RLS cannot express alone (e.g., friend-of-friend eligibility, webhook signature verification, rate limits).
• Rate limiting and abuse prevention: enforced via Upstash Redis at the per-IP and per-user level, with Cloudflare WAF and Turnstile (sign-up only) as the outermost layer.
• Webhook integrity: every inbound webhook (RevenueCat, Mux) is verified for an HMAC signature and de-duplicated against a Redis-backed registry.
• Background uploads: media transfers from the device to R2 use platform-native long-running transfer APIs (NSURLSession on iOS, WorkManager on Android), which use the OS's TLS stack.
• Screen-content protection: Android secure-window flag on protected screens; iOS screenshot/screen-recording detection (see Section 12).
• End-to-end encryption is not offered for chat in v1. TLS in transit + encryption at rest is the security floor. If we add E2EE in a future version, we will update this Policy.

No security control is perfect. If we become aware of a security incident affecting your information, we will notify you and the relevant authorities to the extent required by applicable law (in many jurisdictions, within 72 hours of becoming aware of the incident).

---

16. Third-Party Sign-In, External Links, and Other Apps

When you choose Sign in with Apple or Google Sign In, the relevant provider (Apple or Google) controls the authentication flow and its own data collection. Their privacy policies govern that processing:

• Apple: https://www.apple.com/legal/privacy/
• Google: https://policies.google.com/privacy

The App may contain links to external websites (for example, the marketing site, this Privacy Policy on the web, support content, or store-management pages on Apple's and Google's properties). Once you leave the App via such a link, this Privacy Policy no longer applies; the destination's policy does.

You may also choose to use the OS share sheet to share your profile outside of Alive (for example, to iMessage, WhatsApp, or another messaging app). What happens to that link and to any preview metadata once it leaves the App is governed by the receiving service. Posts cannot be shared outside Alive; only profiles can be.

---

17. Cookies and Similar Technologies

The Alive mobile application does not use traditional browser cookies because it is not a browser-based experience. We rely on:

• Secure on-device key/value storage for the session token and other small flags (expo-secure-store and react-native-mmkv).
• A local SQLite store (op-sqlite) for the device-side relational data described in Section 5.
• A local filesystem (expo-file-system) for media artifacts.

The Website (https://www.onlyvibeapps.com) may use a small number of strictly necessary cookies for security and load balancing, and may use first-party analytics cookies if and where we deploy them. Where consent is required by local law, we will surface a cookie banner with appropriate controls.

---

18. Do Not Track and Global Privacy Control

Because we do not engage in cross-context behavioral advertising and do not sell or share personal information for advertising purposes, Do Not Track signals and the Global Privacy Control signal do not change our behavior — there is nothing we would have been doing that would need to stop. We honor the underlying intent regardless.

---

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, the law, or our practices. When we make material changes, we will:

• Update the Effective Date and Last Updated dates at the top of this document.
• Post the revised Policy at https://www.onlyvibeapps.com/alive/privacy-policy and in the App at Settings → Help & Legal → Privacy Policy.
• Where required by law or appropriate given the nature of the change, provide a more prominent notice in the App or via email.

If you continue to use the Service after the revised Policy takes effect, you are accepting the changes. If you do not agree, you should stop using the Service and may delete your account (Section 13).

---

20. Special Notices

20.1 No AI; No Use of Your Content for Model Training

We reiterate this because it matters: we do not run any AI model on the content of your posts or chats, and we do not provide your content (or any derivative of it) to any third party for the purpose of training AI or machine-learning models. This is an architectural commitment, not just a policy commitment.

20.2 Founder Subscription — Disclosure About Reconciliation

If you purchase a founder subscription, Apple (App Store IAP) or Google (Play Billing) processes the payment. Apple or Google shares limited transaction metadata with RevenueCat, who forwards it to us so we can map your founder entitlement to your Alive account. The lifetime ad-free guarantee is contingent on you remaining identifiable as the original subscriber on the account, which is why we retain the entitlement record for the life of the account, even after a lapse, refund, or platform-store change.

20.3 Screenshot Notifications Are Best-Effort

See Section 12. We rely on the OS to fire the detection event. If the OS does not fire the event (because of a future OS change, a rooted/jailbroken state, or some other reason), the post owner will not be notified.

20.4 Local Posts Cannot Be Recovered

See Section 5. We cannot recover posts you never shared because we never had them.

20.5 Aggregated and Anonymized Data

We may produce aggregated or anonymized data (for example, total number of users, total number of posts shared, total number of founders) and may publish or use that aggregated/anonymized data for any purpose. This data does not identify you.

---

21. Contact Us

Questions, requests, or complaints about this Privacy Policy or our handling of your information:

• Email: aditya@onlyvibeapps.com (or use Settings → Delete Account in the App for deletion requests)
• Postal: M/s VIBE APPS Prop ADITYA GUPTA, 2758/ A New Tagore Nagar Ludhiana Punjab 141001 In
• Website: https://www.onlyvibeapps.com

We aim to respond to all privacy inquiries within 30 days, and faster where legally required. You also have the right to lodge a complaint with your local data protection authority. We would, however, appreciate the chance to address your concerns directly first.

---

Document version: 1.0 (initial public version) This Privacy Policy is provided for the Alive mobile application published by OnlyVibeApps under bundle identifier com.onlyvibeapps.alive on the Apple App Store and Google Play Store, and the related website at https://www.onlyvibeapps.com.