GDPR Compliance Policy

Last Updated: March 6, 2026

This document outlines how Vibe complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It supplements our Privacy Policy and provides detailed information about your rights as a data subject within the European Economic Area (EEA), the United Kingdom, and Switzerland.

1. Data Controller

The data controller responsible for the processing of your personal data is:

Stanley Williams
Operating as: Vibe
Email: vibetheapplication@gmail.com

2. Lawful Basis for Processing

We process your personal data under the following lawful bases as defined by Article 6 of the GDPR:

Contract Performance (Article 6(1)(b))

Processing necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes:

• Creating and maintaining your user account
• Processing venue searches based on your queries
• Managing your subscription and providing premium features
• Maintaining your favorites and venue lists

Legitimate Interest (Article 6(1)(f))

Processing necessary for the purposes of legitimate interests pursued by us, provided these are not overridden by your interests or fundamental rights. This includes:

• Improving the Service through usage analytics
• Ensuring the security and integrity of our platform
• Preventing fraud and abuse
• Building taste profiles to improve venue recommendations

Consent (Article 6(1)(a))

Where we rely on your consent for specific processing activities, including:

• Collecting and processing your location data for venue searches
• Sending optional marketing or promotional communications
• Using cookies and similar technologies for non-essential purposes

You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

3. Categories of Personal Data Collected

We collect and process the following categories of personal data:

Category	Data Elements	Lawful Basis
Account Data	Email address, name, username, profile picture	Contract Performance
Authentication Data	OAuth tokens, hashed passwords, authentication provider identifiers	Contract Performance
Location Data	Latitude and longitude coordinates (when using venue search)	Consent
Usage Data	Search queries, search history, venue interactions (views, favorites)	Contract Performance / Legitimate Interest
Preference Data	Taste profile, cuisine preferences, atmosphere preferences, feature weights	Contract Performance
Subscription Data	Subscription tier (free/premium), subscription status, payment metadata (processed by Stripe/RevenueCat)	Contract Performance
User-Generated Content	Venue lists, list names, shared list data	Contract Performance

4. Data Subject Rights

Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us at vibetheapplication@gmail.com.

Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed, and to access a copy of that data. You can export your data at any time using the data export feature available in your account settings or by requesting it via email.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update your profile information directly within the app, or contact us for assistance.

Right to Erasure (Article 17)

You have the right to request the deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw your consent (where consent was the lawful basis)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

You can delete your account through the app settings or by contacting us. We will process deletion requests within 30 days.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON). You can use our data export feature to download your data at any time.

Right to Restriction of Processing (Article 18)

You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to processing.

Right to Object (Article 21)

You have the right to object to the processing of your personal data based on legitimate interests. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw your consent at any time. This does not affect the lawfulness of processing carried out prior to withdrawal. You can withdraw consent for location tracking by revoking location permissions on your device.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

5. Cross-Border Data Transfers

Your personal data may be transferred to and processed in the United States and other countries outside the EEA. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We rely on EU-approved Standard Contractual Clauses with our service providers to ensure an adequate level of data protection.
• Adequacy Decisions: Where applicable, we transfer data to countries that the European Commission has determined provide an adequate level of data protection.
• Service Provider Commitments: Our third-party service providers (Google, Stripe, Neon) maintain their own GDPR compliance programs and data processing agreements.

6. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
• Communicate the breach to affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Document all breaches, including the facts, effects, and remedial actions taken
• Implement measures to mitigate any adverse effects and prevent future occurrences

7. Automated Decision-Making and Profiling

Vibe uses a rule-based venue recommendation system to match venues with your preferences. This system:

• Is not automated profiling: Our similarity algorithm uses explicit, rule-based matching (comparing your stated preferences against venue attributes) rather than inferring characteristics about you
• Does not make decisions with legal or similarly significant effects: Venue recommendations are suggestions only and do not affect your legal rights or produce other significant effects
• Is transparent: Recommendations are based on your explicitly provided preferences (cuisine types, atmosphere, price range) and your search history
• Can be influenced by you: You can adjust your taste profile and preference weights at any time to change the recommendations you receive

8. Children's Data

Vibe is not directed at children under the age of 16 (the GDPR threshold). We do not knowingly collect or process personal data from children under 16 years of age. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe that your child under 16 has provided us with personal data, please contact us at vibetheapplication@gmail.com so we can take appropriate action.

9. Data Protection Officer

Given the current scale of our operations, we have not appointed a formal Data Protection Officer (DPO). However, all data protection inquiries and requests should be directed to:

Email: vibetheapplication@gmail.com

We are committed to responding to all data protection inquiries within 30 days of receipt.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account Data: Retained for the duration of your active account, plus 30 days after account deletion to allow for recovery
• Search History: Retained for up to 12 months, then automatically purged
• Location Data: Not persistently stored; used only during active search sessions
• Subscription Data: Retained as required for financial record-keeping obligations
• Usage Analytics: Retained in aggregated, anonymized form indefinitely for service improvement

11. Sub-Processors

We use the following sub-processors to deliver the Service:

Sub-Processor	Purpose	Location
Google Maps Platform	Location services, geocoding, venue data	United States
Stripe	Payment processing for web subscriptions	United States
RevenueCat	In-app purchase and subscription management (iOS)	United States
Neon (PostgreSQL)	Database hosting and data storage	United States
Replit Object Storage	File and media storage	United States
YouTube Data API	Influencer content integration	United States

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted database connections (TLS/SSL)
• Secure authentication protocols (OAuth 2.0, OpenID Connect)
• Password hashing using industry-standard algorithms
• Role-based access controls
• Regular security reviews of our codebase and infrastructure
• Secure API communication over HTTPS

13. Changes to This Policy

We may update this GDPR Compliance Policy from time to time. We will notify you of any material changes by updating the "Last Updated" date at the top of this document. We encourage you to review this policy periodically.