Privacy Policy

Last updated: 4 July 2026

VibTribe is a privacy-first messaging app. This Privacy Policy explains exactly what data we collect when you sign up and use the service, how we use it, who can see it, and the choices you have. It is a separate document from our Terms & Conditions, although both must be accepted to use the App.

A. Information We Collect About You

The following list is exhaustive — these are every field we store about a user account in our database:

  • Full name — required at signup; shown to other users you chat with.
  • Date of birth — required at signup, used to enforce our age policy: sign-up is blocked under 13; users aged 13–17 must complete verifiable guardian consent; users 18+ sign up directly. Kept strictly confidential: visible only to you and our authorised admin team; never shown to other users.
  • Mobile number & country code — required at signup; serves as your unique identifier and is visible to other users so they can add you as a contact.
  • Email address — required at signup. Used for OTP verification, password recovery, support replies, and (only if you opted in) promotional emails. Your email is visible only to you and our admins, never to other users.
  • Password — stored only as a salted bcrypt hash. We never see or store your plaintext password.
  • Username (optional) — a public handle other users can find you by.
  • Profile photo / avatar (optional) — stored in a private storage bucket and served only via short-lived signed URLs to viewers permitted by your Profile photo visibility setting (All / Contacts / Nobody). Direct public URLs are not issued.
  • Tribe (group) avatar (optional) — stored in a private storage bucket and served via short-lived signed URLs only to current members of that tribe. Non-members cannot fetch the image.
  • Short bio (optional).
  • App preferences — selected theme, notification toggles, language, and per-feature permissions you have granted (microphone, camera, contacts, notifications).
  • Two-factor authentication state — whether 2FA is enabled, and if so, the encrypted TOTP secret (readable only by you, never to other users).
  • Encryption material — your ECDH public key (used by others to send you encrypted messages) and your private key, wrapped/encrypted with a key derived on your device from your 6-digit PIN. We never store your PIN or the unwrapped private key.
  • Chat messages & media (1-to-1) — encrypted on your device before upload; we store only the ciphertext plus routing metadata (chat id, sender id, timestamp, delivery/read status, expiry).
  • Group / tribe messages — stored on our servers in plaintext to enable group features; protected in transit (HTTPS) and at rest by access controls. Not end-to-end encrypted today.
  • Status updates (stories) — caption, media file URL, visibility audience and views. Automatically and permanently deleted 24 hours after posting.
  • Contacts — only the contact entries you create inside the App. We do not upload or read your phone's address book.
  • Blocked users — the list of accounts you have blocked.
  • Calls metadata — caller, callee, start/end timestamps, missed/answered status. Call audio/video is peer-to-peer (WebRTC) and is not recorded.
  • Presence & technical data — last-seen timestamp, online status, device push-subscription tokens (web push and Firebase Cloud Messaging tokens for Android).
  • Support tickets — name, email, issue title and body, attachments and reply thread that you submit through the in-app help form.
  • Login & session security — count of failed login attempts, account status (active / suspended / blocked), active session records, OTP rate-limit records.
  • Consent records — timestamps for when you accepted these Terms, when you accepted this Privacy Policy, and when you opted in (or out of) promotional emails. For the marketing choice we also record the IP address and the screen the choice was made on (signup form, re-consent prompt, or profile settings) for compliance audit purposes (DPDP Act 2023, GDPR, CAN-SPAM).
  • Role flags — whether your account is a standard user, admin, or master admin; whether you carry the blue Verified badge.

B. What We Do Not Collect

  • We do not read or sell the contents of your end-to-end encrypted 1:1 messages or media.
  • We do not expose your date of birth, email address, or two-factor secret to other users.
  • We do not upload your phone's contact list.
  • We do not record your voice or video calls.
  • We do not track your precise GPS location.
  • We do not run third-party advertising or behavioural-profiling trackers.

C. How We Use Your Data

  • To operate the messaging, calling, status and group features you use.
  • To verify your identity at signup and during password resets (email OTP).
  • To enforce safety, prevent abuse, and respond to lawful requests from authorised Indian agencies.
  • To respond to support tickets you submit.
  • To send service notifications (delivery, security alerts) and, only with your explicit opt-in, promotional emails.

D. Encryption Approach

  • Key exchange: ECDH on the NIST P-256 curve via the Web Crypto API.
  • Message & media encryption: AES-GCM-256 with a fresh random IV per payload.
  • Private-key protection: your private key is wrapped with an AES-GCM key derived from your 6-digit PIN using PBKDF2-SHA256 (100,000 iterations) before being stored on our servers.
  • If you forget your PIN, encrypted chat history cannot be recovered.

E. Account Deletion & Retention

You can delete your account any time from Profile → Danger Zone → Delete My Account. This removes your profile, contacts, encrypted keys, chats, messages, statuses, push tokens, support tickets, and your authentication record. Some operational logs and backups may persist for a short period for security and legal reasons. Status media is auto-deleted 24 hours after posting regardless of account state. For any data-protection request, contact the Grievance Officer at Labhansh.garg@outlook.com.

Admin-initiated offboarding. When an administrator removes your account, we send an email to your registered address stating the reason — General, Breach of Terms & Conditions, or Incomplete Sign-up — and personal data associated with the account is deleted immediately. A limited set of records (e.g. audit logs, consent records, records required for security, fraud prevention, dispute resolution and statutory retention under Indian law) may be retained for the periods required by applicable law.

Incomplete sign-up reminders. If you verify your email address but do not complete onboarding, we send up to three reminder emails (at approximately 24 hours, 72 hours and 7 days after email verification) to help you finish. Reminders stop the moment onboarding is completed. This processing is based on legitimate interest in completing the account creation you started, and no reminders are sent once onboarding is complete or the account is deleted.

F. Third-Party Processors

  • Supabase (managed backend: authentication, database, file storage, realtime).
  • Cloudflare (hosting, CDN, edge runtime serving the web and API).
  • Resend (transactional and marketing email delivery).
  • Firebase Cloud Messaging and Web Push providers (notification delivery, when you opt in).

G. Device Permissions We May Request

  • Camera & microphone — for sending photos, voice notes, and voice/video calls.
  • Notifications — to alert you of new messages and calls.
  • Storage / file access — to attach files you choose.

H. Children & Guardian Consent

Sign-up is blocked for anyone under 13. We do not knowingly collect data from anyone under 13; if we learn that we have, we will delete the account and associated data promptly.

Users aged 13 to 17 may sign up, but the account is restricted to the guardian setup flow (/guardian-setup) until a parent or legal guardian:

  • receives a one-time verification code by email;
  • reviews the consent request page (linked from the email) and explicitly ticks the confirmation box; and
  • submits verifiable consent under §9 of India\u2019s Digital Personal Data Protection Act, 2023.

Until consent is recorded the minor cannot chat, call, share media, or use age-restricted features. The guardian can withdraw consent at any time from the same link, which immediately restricts the minor\u2019s account. We send the guardian a monthly reminder email while the account is active.

When the user turns 18, the guardian consent flow is automatically retired, monthly reminders stop, and all minor-related restrictions are lifted. The historical consent record is retained for compliance audit purposes.

Users aged 18 and above may sign up and use the app directly.

I. Your Rights

Subject to applicable law (including India's Digital Personal Data Protection Act, 2023, and the EU/UK GDPR where applicable) you may request access, correction, export, or deletion of your personal data, and may withdraw consent at any time. Contact the Grievance Officer at Labhansh.garg@outlook.com.

J. Marketing Emails

We send promotional emails (product updates, tips, and announcements) only to users who have explicitly opted in. We record the timestamp, source (signup form, re-consent prompt, or profile settings), and IP address of your consent for compliance audit purposes.

  • Legal basis: your explicit consent — DPDP Act 2023 § 6 (India), GDPR Art. 6(1)(a) (EU/EEA), and CAN-SPAM Act compliance (US).
  • Sender: VibTribe <promotions@news.vibtribe.in>. Reply-to: Labhansh.garg@outlook.com.
  • Withdrawal: click the unsubscribe link in any promotional email (no login required, takes effect immediately) or toggle off in Profile → Notifications.
  • Suppression: hard bounces and spam complaints are automatically suppressed and the user is opted out across the platform.
  • Right to complain: you may lodge a complaint with India's Data Protection Board or your local EU data-protection authority.

Transactional and security emails (OTP codes, password resets, ticket replies, account notices) are not covered by this consent and will continue regardless.

K. Contact

For any privacy question or request, email the Grievance Officer at Labhansh.garg@outlook.com. We acknowledge within 24 hours and resolve within 15 days as required by the IT Rules, 2021.