EmpathySphere

1. Information We Collect

1.1 Account Information

When you sign in with Google, we receive:

• Google account email address and display name -- used for account identification and profile display
• Google profile photo URL -- displayed in your profile
• Firebase Authentication UID -- unique identifier for your account

We do not collect passwords. Authentication is handled entirely by Google Sign-In and Firebase Authentication.

1.2 Messages and Screenshots You Submit

When you use Vibe Check to analyze a message:

• Text messages you paste are sent to OpenAI's API for analysis via our secure cloud proxy
• Chat screenshots you upload are first processed on your device using Google ML Kit (on-device OCR) to extract text, then the extracted text is sent to OpenAI's API
• Messages are processed in real-time and are not stored on our servers after analysis is complete
• OpenAI processes data per their API data usage policy -- API inputs are not used to train their models

1.3 App Usage Data

We collect the following through the app:

• Analysis history -- your past analysis results (category, explanation, input preview) stored locally on your device (Room database) and synced to Firebase Firestore for cloud backup
• Engagement data -- streak count, gem balance, achievements, daily challenge progress, Vibe Score
• Referral data -- your referral code and referral history (stored in Firestore)
• Notification preferences -- your opt-in/out choices for push notifications

1.4 Automatically Collected Data

• Firebase Analytics -- anonymous event data (e.g., analysis completed, share tapped, achievement unlocked) for understanding app usage patterns. No personally identifiable information is included in analytics events.
• Crash logs and diagnostics -- collected via Firebase for stability monitoring and bug fixes
• Device identifier (ANDROID_ID) -- used locally on your device for SharedPreferences integrity verification (HMAC-SHA256). This ID is not sent to our servers.
• FCM token -- Firebase Cloud Messaging device token for delivering push notifications, stored in Firestore tied to your account
• Advertising ID -- collected by Google AdMob for serving ads, subject to your GDPR consent preferences

2. How We Use Your Information

• Provide AI analysis -- process your text messages and screenshots through OpenAI to deliver relationship analysis results
• Maintain your account -- sync gems, streaks, achievements, and history across sessions
• Serve advertisements -- display banner, interstitial, and rewarded video ads via Google AdMob (our sole revenue source)
• Send notifications -- streak reminders, achievement alerts, weekly reports (only if you opt in)
• Improve the app -- use anonymous analytics to understand feature usage and fix bugs
• Prevent abuse -- rate limiting, server-side gem validation, and integrity checking
• Referral rewards -- track referral codes to credit gem bonuses to referrers and referees

3. Third-Party Services

We share data with the following third-party services to operate the app:

We do not sell your personal data to any third party. Data shared with third-party services is limited to what is necessary for their specific function.

4. Advertising and GDPR Consent

Vibe Check is a free, ad-supported app. We use Google AdMob to serve advertisements including banner ads, interstitial ads, and rewarded video ads.

• GDPR compliance: For users in the EU/EEA/UK, we use Google's User Messaging Platform (UMP) to request consent before initializing ads. You can choose personalized or non-personalized ads.
• Ad personalization: If you consent, AdMob may use your Advertising ID and device information to serve personalized ads. If you decline, non-personalized ads are served instead.
• No ads are loaded before your consent preference is resolved.
• You can update your ad consent preferences at any time through your device settings.

5. Virtual Currency (Gems)

The app uses a virtual currency called "Gems" for in-app features. Important details:

• Gem balances are managed through a server-authoritative system -- all gem transactions are validated by our Cloud Function to prevent manipulation
• Local gem data is protected by HMAC-SHA256 integrity checking using a device-bound key (APP_SECRET + ANDROID_ID)
• Gems have no real-world monetary value and cannot be exchanged for real currency
• Tampering with gem balances may result in account flagging and server-side balance reset

6. Data Storage and Security

6.1 Where Your Data is Stored

• On your device: Analysis history (Room database), gem balance, streaks, settings (SharedPreferences)
• In the cloud: Account data, gem balance, streaks, achievements, referrals (Firebase Firestore)
• Not stored: Message content submitted for analysis -- processed in real-time, not retained

6.2 Security Measures

• All API communications use HTTPS encryption in transit
• Firebase App Check with Play Integrity verifies app authenticity
• Server-side rate limiting (10 requests/minute, 200 requests/day) prevents abuse
• Firestore Security Rules enforce data isolation between users
• Prompt injection detection on our cloud proxy sanitizes malicious inputs
• R8 code obfuscation in release builds

7. Data Retention

• Account data: Retained while your account is active. Deleted upon account deletion request.
• Analysis history: Stored locally on your device and in Firestore. Deleted with your account.
• Message content: Not retained after real-time analysis. Not stored on our servers.
• Anonymous analytics: Retained for up to 14 months per Firebase Analytics default settings.
• Crash logs: Retained for up to 90 days.
• Ad-related data: Managed by Google AdMob per their privacy policy.

8. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Deletion: Request permanent deletion of your data (see Section 9)
• Portability: Request your data in a portable format
• Objection: Object to data processing for specific purposes
• Withdraw consent: Withdraw ad personalization consent at any time

To exercise any of these rights, contact us at contact@vibecheck.onl. We will respond within 30 days.

9. Account Deletion

You can delete your account and all associated data at any time:

• In-app: Settings → Account → Delete Account
• Via email: Send a request to contact@vibecheck.onl
• Web: Visit our Account Deletion page

Upon deletion, all personal data is permanently removed from Firebase Authentication and Firestore. Local data on your device is cleared. Anonymized aggregate analytics data may be retained.

10. Children's Privacy

Vibe Check is not intended for users under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that a user under 18 has provided personal information, we will take steps to delete such information promptly.

11. Information We Do NOT Collect

For clarity, Vibe Check does not:

• Access your contacts, call logs, or SMS messages
• Track your location
• Collect passwords (authentication is via Google Sign-In)
• Record audio or video
• Access files beyond photos you explicitly select for screenshot analysis
• Sell personal data to third parties
• Use message data to train AI models

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be communicated by posting the revised policy with an updated effective date. Continued use of the app after changes constitutes acceptance. We will notify users of significant changes via in-app notifications.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Email: contact@vibecheck.onl

Publisher: EmpathySphere

Website: vibecheck.onl