Privacy Policy — Co-Vibe

Effective May 28, 2026 · Last updated: 2026-06-03 (v3.42.65 — added AI disclosure, model providers, training opt-out)May 28, 2026

What we promise. We never sell your data. We never share what you watch with advertisers or data brokers. We collect the minimum needed to run the Service. Your reactions, saves, and notes are private by default. You can delete your account at any time, and we will delete your data within 30 days.

This Privacy Policy explains how Co-Vibe™ (“we,” “us,” or “our”) collects, uses, and protects your personal information when you use our website covibe.org, our mobile application, and any related services (the “Service”).

Co-Vibe is operated by Deepak Sharma, a sole proprietor located in Halifax, Nova Scotia, Canada. For privacy questions or to exercise your rights, contact us at [email protected].

1. What We Collect

Sign-in is required to use Co-Vibe. You cannot react, save scenes, send messages, or access any feature of the Service without first signing in with Google or Apple. The data described below is collected only after you have signed in and created an account. Our marketing pages at covibe.org are publicly viewable and do not collect personal information beyond standard server logs.

Category	What it is	Why we collect it
Account info	Email address, chosen display name, account creation date.	To create your account, send service emails, and let you sign in.
Authentication tokens	When you sign in with Google or Apple, we receive a unique identifier from that provider plus your email. We do not receive your password.	To verify your identity each session.
Your reactions and saves	The scenes you reacted to, which reaction you chose, scenes you saved, sticker posts you sent, optional notes you wrote.	To show you Co-Vibe Match suggestions, build your Wrapped recap, and let you find your saved scenes again.
Profile customization	Optional avatar, custom title, theme preference.	To personalize the look of your profile.
Premium subscription metadata	Whether your subscription is active, when it started, when it renews. We do NOT receive your full card number or bank account — that goes to Apple, Google, or our payment processor.	To unlock Premium features and handle billing edge cases.
Device + technical info	Approximate IP address (used for region inference and security), browser type, operating system, app version, language.	To deliver content compatible with your device, prevent abuse, and improve performance.
Crash and performance logs	When the app crashes or performs poorly, we may collect anonymous stack traces and timing data.	To fix bugs.

What we do NOT collect

We do not collect your precise location (GPS).
We do not collect your contacts, photos, calendar, or microphone unless you explicitly grant permission for a specific feature.
We do not collect your browsing history outside of Co-Vibe.
We do not collect your credit card number, bank account number, or other payment instrument details. Those go to Apple, Google, or our PCI-compliant payment processor and are governed by their respective privacy practices.
We do not use third-party advertising trackers, fingerprinting, or behavioral profiling.

2. How We Use Your Data

We use the data we collect only for the following purposes:

To run the Service — serve you Scene of the Day, save your reactions, suggest Co-Vibe Matches, build your Wrapped recap.
To verify your identity — let you sign in securely and prevent account takeover.
To bill Premium — confirm subscription status with Apple, Google, or our payment processor.
To communicate with you — send service emails (password reset, billing receipts, security alerts) and, only with your explicit opt-in, occasional product updates.
To improve the Service — aggregate, anonymous usage patterns help us decide which features to keep, build, or remove.
To prevent abuse — detect and stop spam, scraping, fraud, or violation of our Terms of Service.
To comply with law — respond to valid legal requests, defend our legal rights, and meet our regulatory obligations.

3. Who We Share Data With

We do not sell, rent, or trade your personal information. We do not share it with advertisers, data brokers, or marketing partners.

We share data only with the following categories of recipients, and only as needed to run the Service:

Cloud infrastructure providers — we use Cloudflare for content delivery and Supabase for backend storage. These providers are bound by data-processing agreements and may not use your data for their own purposes.
Payment processors — Apple (for App Store subscriptions), Google (for Play Store subscriptions), and our PCI-compliant web payment processor handle the actual card transaction. We receive only confirmation of payment status.
Identity providers — if you sign in with Google or Apple, your authentication flow goes through those providers under their respective terms.
Law enforcement and courts — only in response to a valid, narrowly-scoped legal request, and only the minimum data legally required.
Successors — if Co-Vibe is acquired or merges with another entity, your data may be transferred. We will notify you in advance and your rights will continue to apply.

4. Cookies and Local Storage

We use only the cookies and local storage needed to operate the Service. We do not use third-party advertising or tracking cookies.

What we set

Session cookies — to keep you signed in. Removed when you log out.
Preference storage — theme (light/dark), music on/off, accepted terms, your saved scenes list. Stored locally on your device.
Security tokens — to prevent CSRF and other abuse.

You can clear local storage at any time through your browser settings. Doing so will sign you out and reset your preferences.

5. How We Protect Your Data

Encryption in transit — all communication between your device and Co-Vibe uses HTTPS (TLS 1.2+).
Encryption at rest — user profile data and reactions are stored in encrypted databases at our cloud provider.
Access control — only Deepak Sharma has administrative access to user data. We do not employ third-party administrators.
Audit logging — administrative access to user data is logged.
Breach notification — if we discover a personal-data breach that creates a real risk of harm, we will notify affected users without undue delay, and in any event in accordance with applicable law.

6. How Long We Keep Your Data

Active account data — kept while your account exists.
Deleted accounts — personal data deleted within thirty (30) days of your deletion request, except where retention is required by law or for fraud prevention.
Billing records — retained for the period required by Canadian tax and accounting law (currently six years), in pseudonymized form where possible.
Backup snapshots — encrypted backups are retained for up to 30 days, then overwritten.
Aggregated analytics — once data is fully anonymized and cannot be linked to you, it may be retained indefinitely.

7. Your Rights

Wherever you live, you have the following rights over your personal information held by Co-Vibe:

Access — request a copy of the personal data we hold about you.
Correction — ask us to fix data that is inaccurate.
Deletion — ask us to delete your account and personal data.
Portability — request your data in a machine-readable format (JSON).
Withdraw consent — opt out of any optional communications or processing at any time.
Object — object to processing that you believe is unlawful.
Lodge a complaint — with your local data-protection authority (the Office of the Privacy Commissioner of Canada for Canadian residents; your national authority for residents of the European Union or the United Kingdom; the California Privacy Protection Agency for California residents).

To exercise any of these rights, email [email protected]. We respond within 30 days. We may need to verify your identity before fulfilling a request.

For California residents (CCPA / CPRA)

You have the right to know what personal information we collect, to delete it, to opt out of sale or sharing of personal information (we do not sell or share, so this opt-out is automatic), to limit use of sensitive personal information, to correct inaccurate information, and to non-discrimination for exercising your rights.

For European Union and United Kingdom residents (GDPR / UK GDPR)

Our lawful basis for processing your personal data is (a) the performance of our contract with you under our Terms of Service, (b) your consent where you have given it, (c) our legitimate interests in running and improving the Service in a way that does not override your rights, and (d) compliance with legal obligations.

You have the right to lodge a complaint with your supervisory authority. If you would like to exercise your GDPR rights, contact [email protected].

8. International Data Transfers

Co-Vibe operates from Canada. Our cloud infrastructure providers may store data in data centers in Canada, the United States, or the European Union. Where data is transferred outside your jurisdiction, we rely on Standard Contractual Clauses or equivalent safeguards approved by the relevant data-protection authority.

9. AI-Generated Content & Models

Co-Vibe uses artificial intelligence to generate certain content shown in the Service. This section discloses how we use AI in line with App Store and Play Store transparency requirements.

Scene illustrations

Every scene poster, indie card, and editorial illustration displayed in the Service is generated by Co-Vibe using Cloudflare Workers AI (SDXL Lightning, ByteDance). The model is licensed by Cloudflare for commercial use. We feed the model our own original text prompts that describe atmosphere, color palette, and emotional tone. Outputs are our own original cinematic illustration set. We do not train models on user-uploaded content.

Mascot animations

The Guppu and Guppy otter mascots, including the match-celebration animation and home-page byline mascot, are AI-generated original animations produced via Kling AI (Kuaishou Technology) on a paid subscription. All animations are generated from Co-Vibe’s own original character reference image. Kling AI’s commercial-use rights have been confirmed for the Service.

AI Matchmaker recommendations

When you ask the AI Matchmaker for a 2–3 word scene recommendation, your prompt is processed by Google Gemini via a Supabase edge function. Prompts are not stored beyond the duration of your session. We do not send any account identifiers, email, or personal data to the model — only the words you typed.

What we do NOT do with AI

We do not train any AI model on your personal data, messages, reactions, saves, or profile.
We do not generate fake content about real people without consent. Mascot characters are fictional otters; show titles and minute marks are factual metadata.
We do not use AI to make automated decisions that produce legal effects (e.g., account termination, payment denial) without human review.

Your rights regarding AI

You may request that we exclude your interaction data from any future model fine-tuning by emailing [email protected]. Note that, as of the date of this Policy, Co-Vibe does not perform model fine-tuning on user data.

10. Children’s Privacy

The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected personal information from a person under 18, we will delete it promptly.

If you are a parent or guardian and believe your child under 18 has provided personal information to Co-Vibe, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you at least 30 days in advance by email or by an in-app notice. The “Effective” date at the top of this Policy shows when the current version took effect. We will keep prior versions available for reference upon request.

12. Contact

Privacy: [email protected]
Legal: [email protected]
DMCA: [email protected]
Mail: Co-Vibe, c/o Deepak Sharma, Halifax, Nova Scotia, Canada

For Canadian users, our data-protection authority is the Office of the Privacy Commissioner of Canada. For European users, you may also contact your national supervisory authority.