This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and what rights you have under the Protection of Personal Information Act, 2013 (POPIA).
When we say “Vibely”, “we”, “us”, or “our”, we mean Vibely Studio (Registration No. 2026/248424/07). When we say “you” or “your”, we mean you — the person using Vibely.
Responsible Party
Plain English
Vibely Studio is responsible for your data. Contact privacy@vibe-ly.net for any privacy questions.
The responsible party for the processing of your personal information is:
Vibely Studio
Registration No. 2026/248424/07
Email: privacy@vibe-ly.net
Website: https://vibe-ly.net
Information Officer: Luka Mladjenovic
Email: informationofficer@vibe-ly.net
This is required under POPIA Section 55. Our Information Officer is registered with the Information Regulator of South Africa.
Information We Collect
Plain English
We collect what you give us (name, email, DOB), what the app generates (location with consent, crash logs), and basic profile info from Google/Apple/Facebook if you sign in that way.
2.1 Information you provide directly
When you create an account or use Vibely, you may provide:
- Your name, email address, and profile photo
- Date of birth (to verify you're 18 or older)
- Your interests and vibe preferences
- Reviews, ratings, check-ins, and social interactions you post
- Messages you send through in-app chat
- Any content you upload (photos, text)
Providing this information is voluntary, except where indicated as required during account creation (name, email, date of birth). If you choose not to provide optional information, some features may be limited but you can still use Vibely.
2.2 Information we collect automatically
When you use Vibely, we automatically collect:
- Location data — your GPS coordinates, but only after you give explicit consent through the in-app consent gate. We use this to show nearby venues, power the heatmap, enable check-ins, and provide location-based recommendations. You can withdraw this consent at any time in your device settings or in the app's privacy settings. If you withdraw consent, location-dependent features will be unavailable.
- Device information — device model, operating system version, app version, and a unique device identifier. This is collected for crash reporting (via Sentry), security monitoring (via freeRASP), and to ensure the app works correctly on your device.
- Usage data — which screens you visit, features you use, and how you interact with the app. This is collected to improve Vibely and fix bugs.
- Crash and performance data — error logs, stack traces, and performance metrics collected by Sentry. This data is pseudonymised and used solely for debugging and improving app stability.
- Security telemetry — runtime security checks collected by freeRASP to detect tampering, rooting, and other security threats. This data does not include personal information and is used solely for app integrity.
2.3 Information from third parties
If you sign in with Google, Apple, or Facebook, we receive your name, email address, and profile photo from that service. We don't receive your password and we don't post to your social accounts on your behalf. Each SSO provider has their own privacy policy — we encourage you to review them:
- Google: https://policies.google.com/privacy
- Apple: https://www.apple.com/legal/privacy/
- Facebook: https://www.facebook.com/privacy/policy/
2.4 Google Places API
Vibely uses the Google Places API solely for real-time venue search autocomplete. Search queries are sent to Google to provide suggestions. We do not store Google Places address data in bulk. Google's privacy policy governs their handling of this data.
2.5 Information we do NOT collect
We do not collect or process:
- Special personal information as defined in POPIA Sections 26–33 (religious beliefs, race, ethnicity, political opinions, health data, sexual orientation, biometric data, trade union membership, or criminal history)
- Financial or payment card details directly — all payment processing is handled by our third-party payment processor
- Data from anyone under 18 (see Section 12 below)
Why We Collect Your Information (Purpose)
Plain English
We use your data to run the app, personalise your experience, keep things secure, and communicate with you. Nothing else.
We collect and process your personal information for the following specific purposes:
- Providing the service — showing you venues, enabling check-ins, connecting you with friends, displaying events, and running the loyalty programme
- Personalisation — recommending venues and experiences based on your preferences and location
- Heatmap and social features — aggregating and anonymising check-in data to show venue popularity. Individual users are never identifiable on the heatmap.
- Communication — sending you transactional messages about your account, responding to support requests, and (with your separate opt-in consent) marketing messages
- Improvement — analysing anonymised usage data to improve features and fix bugs
- Security — detecting fraud, preventing abuse, verifying check-in authenticity, and monitoring app integrity
- Legal compliance — meeting our obligations under POPIA and other applicable South African law
We will not process your personal information for purposes other than those listed here without first notifying you and, where required, obtaining your consent.
Legal Basis for Processing (POPIA Section 11)
Under POPIA, we process your personal information on the following lawful bases:
- Your consent (Section 11(1)(a)) — for location tracking, marketing communications, analytics, and optional data sharing. You give this consent explicitly through the in-app consent gate before we collect anything. Consent is voluntary, specific, and informed. You can withdraw consent at any time by emailing privacy@vibe-ly.net or through the app's privacy settings. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
- Contract performance (Section 11(1)(b)) — to provide the Vibely service you signed up for, including your account, profile, social features, and (for venue owners) your subscription.
- Legitimate interest (Section 11(1)(f)) — for security, fraud prevention, and app improvement, where this does not override your rights and interests.
- Legal obligation (Section 11(1)(c)) — where we are required by South African law to retain or disclose information (e.g. tax records for venue owner payments).
AI-Powered Features
Vibely uses Google Gemini AI to enrich venue profiles — generating vibe descriptions, atmosphere tags, and summaries. This processing uses publicly available venue data sourced from OpenStreetMap, Overture Maps, Foursquare, and Geoapify. Your personal information is not sent to Google Gemini for this purpose.
Where Your Data Is Stored
All personal data is stored on servers in the European Union (eu-west-1 region, Ireland) via our database provider Supabase. This constitutes a cross-border transfer of personal information from South Africa as defined in POPIA Section 72.
This transfer is lawful under POPIA Section 72 because:
- The EU has comprehensive data protection legislation (GDPR) that provides protections comparable to POPIA
- We have entered into Standard Contractual Clauses (SCCs) and data processing agreements with Supabase that include appropriate technical and organisational safeguards
- We have conducted a transfer impact assessment confirming that EU data protection standards are upheld in practice
No personal data is stored outside the EU unless explicitly stated in this policy.
Direct Marketing (POPIA Section 69)
Plain English
Marketing messages require your explicit opt-in. You can unsubscribe at any time.
We will only send you marketing communications (push notifications, emails, or in-app messages promoting venues, events, or features) if you have given separate, explicit opt-in consent for marketing.
You can withdraw marketing consent at any time by:
- Tapping “unsubscribe” in any marketing email
- Turning off marketing notifications in the app's settings
- Emailing privacy@vibe-ly.net
Every marketing message we send identifies Vibely Studio as the sender and includes an unsubscribe option.
If you are an existing customer and we send you marketing about similar features or services, we rely on the existing customer exception under POPIA Section 69(1). You can opt out at any time.
Data Retention
We keep your personal information for as long as your account is active and as needed to provide the service.
Specific retention periods:
- Account data — retained while your account is active. We use reasonable efforts to delete it within 30 days of account deletion request, and in all cases no later than 60 days.
- Check-in and review data — retained while your account is active. Anonymised (stripped of identifying information) after account deletion; anonymised data may be retained indefinitely for aggregate analytics.
- Chat messages — retained while your account is active. Deleted within 30 days of account deletion.
- Crash and error logs (Sentry) — retained for 90 days, then automatically purged.
- Security telemetry (freeRASP) — not retained beyond the session.
- Venue owner financial records — retained for 5 years after the end of the subscription as required by the South African Tax Administration Act.
- Local device data (Hive cache) — cleared on logout. Encrypted at rest with AES-256 while the app is in use.
- Waitlist email addresses (vibe-ly.net) — retained until the app launches and you create an account, or until you request deletion. Used solely to notify you when the app is available. We will not send marketing to waitlist emails without separate opt-in consent.
When retention periods expire, data is either permanently deleted or irreversibly anonymised.
Your Rights Under POPIA
Plain English
You can access, correct, delete, or export your data. Email privacy@vibe-ly.net.
Under POPIA Chapter 3 (Sections 23–25), you have the right to:
- Access — request a copy of the personal information we hold about you (Section 23)
- Correct — request correction of inaccurate, incomplete, or misleading information (Section 24)
- Delete — request deletion or destruction of your personal information (Section 24)
- Object — object to processing based on legitimate interest (Section 11(3))
- Withdraw consent — withdraw consent for location tracking, analytics, or marketing at any time (Section 11(2)(b))
- Data portability — as a courtesy beyond POPIA requirements, we offer you the ability to request your personal data in a structured, commonly used, machine-readable format
- Restrict processing — request that we stop processing your data while a dispute is being resolved
How to exercise your rights
Email privacy@vibe-ly.net or informationofficer@vibe-ly.net with your request. We will verify your identity and respond within 30 days. If we need more time due to the complexity of your request, we'll notify you within the initial 30 days and explain why.
If we cannot fulfil your request (in whole or in part), we'll explain the legal basis for refusal.
If you're not satisfied
You have the right to lodge a complaint with the Information Regulator:
The Information Regulator (South Africa)
Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Phone: 010 023 5207
Website: https://inforegulator.org.za
Account Deletion
Plain English
Delete your account in the app settings or email us. Your data is permanently removed within 30 days.
You can request full account deletion by:
- Using the “Delete Account” option in the app's settings
- Emailing privacy@vibe-ly.net
When you delete your account:
- Your profile, reviews, check-ins, chat messages, and all identifiable data are permanently deleted within 30 days
- Any locally cached data is cleared from your device on logout
- Anonymised, aggregated data (which cannot identify you) may be retained
- Financial records for venue owner accounts are retained for 5 years as required by law
Children
Vibely is for users aged 18 and older. We verify age during account registration. We do not knowingly collect personal information from anyone under 18. If we discover that a user is under 18, we will immediately delete their account and all associated personal information.
If you believe a minor has created an account, contact us at privacy@vibe-ly.net.
Security Measures
Plain English
We use encryption, SSL, secure storage, and role-based access controls to protect your data.
We implement appropriate technical and organisational measures to protect your personal information as required by POPIA Section 19:
- AES-256 encryption for locally cached data (Hive)
- SSL/TLS encryption for all data in transit
- SSL certificate pinning in the mobile app (fails closed — blocks connections if certificates don't match)
- Runtime application security monitoring (freeRASP)
- Secure storage for authentication tokens and sensitive credentials (flutter_secure_storage)
- Role-based access controls on our database
- Regular security reviews
- Staff access to personal data is limited to authorised personnel on a need-to-know basis
- All personnel with data access are bound by confidentiality obligations
- Documented incident response procedures
No system is 100% secure. If a security compromise occurs, we will follow our breach notification process (see Section 15).
Data Breach Notification (POPIA Section 22)
If a data breach occurs that compromises your personal information:
- We will notify the Information Regulator as soon as reasonably possible after becoming aware of the breach, and in any event within 72 hours
- We will notify you as soon as reasonably possible after notifying the regulator, unless delayed notification is authorised by a law enforcement agency
- Our notification will include: the nature of the breach, the categories of personal information affected, the measures we've taken to address it, and what you can do to protect yourself
Automated Decision-Making
Vibely uses automated processing to personalise your venue recommendations based on your stated preferences, location, check-in history, and the preferences of similar users. This processing does not produce legal effects or similarly significant effects on you. You can reset your preferences at any time in the app's settings.
Changes to This Policy
If we make material changes to this policy, we will:
- Notify you through the app (in-app notification) at least 14 days before changes take effect
- Send an email notification to the address associated with your account
- Update the “Last updated” date at the top of this policy
Continued use of Vibely after changes take effect means you accept the updated policy. If you don't agree with the changes, you can delete your account.
We will not retroactively apply changes that reduce your rights or expand our use of your data without obtaining fresh consent.
Applicable Law
This policy is governed by the laws of the Republic of South Africa, in particular the Protection of Personal Information Act, 2013 (POPIA) and the Electronic Communications and Transactions Act, 2002 (ECTA).
Contact Us
Vibely Studio
Registration No. 2026/248424/07
Email: privacy@vibe-ly.net
Information Officer: Luka Mladjenovic — informationofficer@vibe-ly.net
Website: https://vibe-ly.net
Information Regulator (South Africa)
Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Phone: 010 023 5207
Website: https://inforegulator.org.za