Last Updated: May 14, 2026

Privacy Policy

VAYSS respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, and protect your information when you use our Service, operated at vayss.com. By using the Service, you consent to the practices described in this policy. For inquiries, please contact us using the information provided at the end of this policy.

Definitions

In this policy, the following terms have the following meanings:

  • "Personal Data" means any information relating to an identified or identifiable natural person, such as name, email address, or other identifiers.
  • "User" means any individual who uses the Service.
  • "Service" means the website, applications, and all related services provided by VAYSS.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, and deletion.

Information We Collect

3.1 Account Information

  • Email address (obtained via authentication provider)
  • Display name
  • Username (auto-generated, modifiable)
  • Profile picture
  • Authentication provider information (Google or Apple)
  • Age confirmation (confirmation of being 17 years or older)

3.2 Profile Information

  • Bio/self-introduction
  • Website and social media links
  • Country/region
  • Cover image

3.3 Activity Data

  • Message content and timestamps in rooms
  • Direct message content and images
  • Room participation and creation history
  • Block and mute settings
  • Uploaded images (PNG, JPEG, GIF, WebP format, max 5MB)
  • Camera (only when scanning a QR code to add a friend; the video stream stays on your device and is never uploaded — only the decoded text is processed)

3.4 Technical Data

  • IP address (used for rate limiting purposes)
  • Device and browser information
  • Session tokens and access tokens
  • Access logs
  • WebAuthn passkey credentials (administrators only; biometric data such as fingerprint or Face ID never leaves your device)

Purpose of Data Processing

  • User authentication and account management
  • Provision, maintenance, and improvement of the Service
  • Message delivery and notification distribution
  • AI-powered automatic translation of messages and room titles
  • Prevention of abuse, security assurance, and rate limiting
  • Content moderation to detect and address violations of our Terms of Service. Our automated systems scan messages and images for serious violations such as violence, hate speech, and child exploitation. User-reported content is reviewed by our team within 24 hours, and appropriate action is taken in accordance with our Terms of Service.
  • Service quality improvement and usage analysis
  • Compliance with legal obligations and dispute resolution

Legal Basis for Processing

The legal basis for processing your personal data depends on applicable laws in your region and includes:

  • Consent: When you have given explicit consent to the processing (GDPR Art. 6(1)(a), APPI, PIPA, etc.)
  • Contractual necessity: Processing necessary for providing the Service (GDPR Art. 6(1)(b))
  • Legitimate interests: Ensuring service security, fraud prevention, etc. (GDPR Art. 6(1)(f))
  • Legal obligation: Compliance with applicable laws and regulations (GDPR Art. 6(1)(c))

Third-Party Services

We use the following third-party services. Each service is governed by its own privacy policy:

6.1 Supabase

Used for database, authentication, and file storage. Your account information, messages, and uploaded images are stored on Supabase. Supabase processes data in compliance with GDPR under a Data Processing Addendum (DPA).

6.2 OpenAI

Used for automatic translation of messages and room titles via the OpenAI API. Only the text to be translated is sent to OpenAI; no personally identifiable information is included. OpenAI does not use data sent via the API for model training.

6.3 Upstash (Redis)

Used for API rate limiting. Hashed IP addresses are temporarily stored, but no personally identifiable information is retained.

6.4 Authentication Providers

Social login is available through Google and Apple. Only the minimum information required for authentication (email address, display name, profile image) is obtained from these providers. Please also check each provider's privacy policy.

6.5 Sentry

Used for error monitoring and performance tracking. When an error occurs, diagnostic information such as error messages, stack traces, and browser/device metadata may be sent to Sentry. Email addresses and authentication tokens are scrubbed from error payloads before transmission. Sentry processes data under its Data Processing Addendum (DPA).

6.6 Cloudflare

Used for bot mitigation (Cloudflare Turnstile, shown at registration) and privacy-preserving traffic analytics (Cloudflare Web Analytics). IP address, user-agent, and basic browser signals are transmitted to Cloudflare Inc. (US) but no cookies are set, no individual users are tracked, and no behavioural advertising profile is built. Legal basis: legitimate interest (Art. 6(1)(f)) for fraud and abuse prevention. Transfers to the US are governed by Standard Contractual Clauses and the EU-US Data Privacy Framework.

6.7 Firebase Cloud Messaging (FCM)

Used for delivering push notifications via Google servers. When you enable push notifications, a device token is generated and stored to route notifications to your device. No message content is stored by FCM; it serves only as a delivery mechanism. Firebase processes data in accordance with Google's privacy policies.

6.8 Mobile App SDKs

The VAYSS iOS and Android apps additionally include the following SDKs from Expo, React Native, and Apple/Google: Expo Notifications and Apple APNs / Google FCM (delivery of push notifications), Expo Updates (over-the-air JavaScript bundle updates with version metadata), Expo SecureStore / iOS Keychain / Android Keystore (encrypted on-device storage of session tokens), Expo Image Picker (photo library access only when you choose to upload), Expo Device and react-native-community/netinfo (device model, OS version, network connectivity for diagnostics), and ImageKit (CDN URL transformation for images served from Supabase Storage). These SDKs do not collect content of messages or DMs and are not used for advertising.

AI and Automatic Translation

To enable multilingual communication, the Service provides automatic translation powered by the OpenAI API:

  • Only message text and room titles are subject to translation
  • User personal information (name, email, etc.) is not sent to the translation API
  • Text sent via the OpenAI API is not used for AI model training
  • Translation results are cached in our database to improve service quality

International Data Transfers

As the Service is available globally, your personal data may be processed and stored on servers in countries other than your country of residence. Such transfers are conducted based on GDPR Standard Contractual Clauses (SCCs), adequacy decisions, or other appropriate safeguards. For transfers under Japan's APPI, appropriate measures are taken for provision to third parties in foreign countries. For cross-border transfers under South Korea's PIPA, necessary consent and information disclosure are provided.

Data Retention

Personal data is retained for as long as necessary to fulfill the purposes for which it was collected, and is promptly deleted when no longer needed:

  • Account information: Fully deleted 30 days after deletion request (can be cancelled during this period)
  • Room messages: Automatically deleted 90 days after creation
  • Rooms: Expire 12 hours after creation (become inaccessible)
  • Access logs and technical data: Retained for up to 90 days

Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Right of access: Access to and copies of your collected personal data
  • Right to rectification: Correction of inaccurate personal data
  • Right to erasure (right to be forgotten): Request deletion of your personal data
  • Right to restriction: Restriction of processing under certain conditions
  • Right to data portability: Receive your personal data in a structured, machine-readable format
  • Right to object: Object to specific types of processing
  • Right to withdraw consent: Withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal)

To exercise these rights, please contact us using the information at the end of this policy. We will verify your identity and respond within 30 days. If the request is complex or requires additional time, we may extend this period by up to 60 days with prior notice to you.

Region-Specific Provisions

11.1 For Users in the European Economic Area (EEA) and United Kingdom

Under the GDPR (General Data Protection Regulation), in addition to the rights listed above, you have the right to lodge a complaint with your local data protection authority. The legal bases for data processing are described in Section 5. Standard Contractual Clauses (SCCs) or adequacy decisions apply to data transfers outside the EU.

11.2 For Users in Japan

Under the Act on the Protection of Personal Information (APPI), you have the right to request disclosure, correction, suspension of use, and deletion of your personal information. Consent will be obtained for the acquisition of special care-required personal information. Appropriate measures under APPI are taken when providing personal information to third parties in foreign countries. You may also file complaints with the Personal Information Protection Commission.

11.3 For Users in South Korea

Under the Personal Information Protection Act (PIPA), you have the right to request access, correction, deletion, and suspension of processing of your personal information. In the event of a data breach, notification will be provided within 72 hours. For cross-border data transfers, you will be notified in advance of the destination country, purpose, and data categories, and your consent will be obtained. You may file complaints with the Personal Information Protection Commission (PIPC).

11.4 For Users in California

Under the California Consumer Privacy Act (CCPA/CPRA), you have the right to request disclosure, deletion, correction, and opt-out of the sale or sharing of your personal information. We will not discriminate against you for exercising your privacy rights.

Do Not Sell or Share My Personal Information

VAYSS does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioural advertising. We do not use targeted advertising or third-party advertising cookies. If you wish to confirm or exercise your opt-out rights, contact us at support@vayss.com with the subject line "CCPA opt-out" and we will respond within the statutory 15-day window. You may also send a Global Privacy Control (GPC) signal from your browser; we honour valid GPC signals as an opt-out request.

For Users in Other US States

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Indiana, Kentucky, Rhode Island, Maryland, or Minnesota, you have rights under your state’s comprehensive privacy law, generally including the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. VAYSS does not sell personal data, does not engage in targeted advertising, and does not profile users for decisions producing legal or similarly significant effects. We honor Universal Opt-Out Mechanisms such as Global Privacy Control where required. To exercise any right, contact support@vayss.com.

11.5 For Users in Brazil

Under the General Data Protection Law (LGPD), you have the right to request access, correction, anonymization, blocking, and deletion of your personal data. Consent for data processing may be withdrawn at any time. You may file complaints with the National Data Protection Authority (ANPD).

11.6 For Users in Indonesia

Under the Personal Data Protection Law (UU PDP), you have the right to request information, correction, deletion, and cessation of processing of your personal data. Explicit consent is required for the processing of specific personal data. Requests from data subjects will be responded to within 72 hours.

11.7 For Users in China

Under the Personal Information Protection Law (PIPL), you have the right to request access, copying, correction, and deletion of your personal information. For cross-border data transfers, you will be notified of the recipient, purpose, and types of data, and separate consent will be obtained. You have the right to request an explanation of automated decision-making and to refuse such processing.

For Users in India

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the right to access a summary of your personal data, to correction and erasure, to grievance redressal, and to nominate another individual to exercise your rights in the event of death or incapacity. Personal data is processed on the basis of your consent or for legitimate uses as defined by the Act. To exercise these rights or raise a grievance, contact our grievance contact at support@vayss.com; we will respond within the period prescribed by the Act.

For Users in Thailand, Singapore, Malaysia, the Philippines, and Vietnam

Under the Personal Data Protection Acts of Thailand and Singapore, the Malaysian PDPA, the Philippine Data Privacy Act, and Vietnam’s Decree on Personal Data Protection, you have the right to access, correct, and request deletion of your personal data, and to withdraw consent. Cross-border transfers are made with consent or under appropriate safeguards. For data-protection inquiries, including those that in Singapore would be directed to a Data Protection Officer, contact support@vayss.com.

For Users in Canada

Under PIPEDA and applicable provincial laws including Quebec’s Law 25, you have the right to access your personal information, request correction, and withdraw consent, subject to legal and contractual limits. We use safeguards consistent with these laws for transfers and storage of personal information outside Canada. To exercise these rights, contact support@vayss.com.

For Users in Australia

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to access and correct your personal information and to make a complaint about the handling of your personal information. In the event of an eligible data breach, we will notify affected individuals and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme. To exercise these rights, contact support@vayss.com.

11.8 For Users in the Middle East

Under the UAE Personal Data Protection Law and the Saudi Arabia Personal Data Protection Law (PDPL), you have the right to request access, correction, and deletion of your personal data. Appropriate safeguards in compliance with each country's regulations are in place for cross-border data transfers.

Children's Privacy

The Service is not intended for individuals under 17 years of age, and we do not knowingly collect personal information from anyone under 17. Age confirmation (17 years or older) is required during account registration to align with the App Store age rating and to ensure protections under COPPA (US, <13), GDPR Article 8 (EU, <16), PIPA (Korea, <14), and PIPL (China, <14) are exceeded. If we become aware that someone under 17 is using the Service, we will promptly delete their account and associated personal information.

Security

We implement the following security measures to protect your personal information:

  • HTTPS (TLS) encryption for all communications
  • Row Level Security (RLS) for database-level access control
  • API rate limiting to prevent unauthorized access
  • Magic byte verification for uploaded files
  • Security headers (CSP, HSTS, X-Frame-Options, etc.)

Cookies and Local Storage

The Service uses the following essential cookies and local storage:

  • Session management cookies (maintaining authentication state)
  • Language preference cookie (NEXT_LOCALE)
  • Theme preference (dark/light mode)

We do not use advertising tracking cookies or third-party cookies.

Changes to This Policy

This policy may be updated due to changes in laws or the Service. If significant changes are made, we will notify you through in-service notifications or other appropriate means. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact Us

For questions about this policy, or to submit requests regarding disclosure, deletion, or other handling of your personal information, please use the in-app support form or contact us at support@vayss.com.
