Privacy Policy

Last updated: February 10, 2026

The short version

We care about your data — that's exactly why we don't want it. Your mood entries stay on your device by default. If you turn on cloud sync, everything is encrypted with a key only you own — we can't read it, and we go out of our way to make sure nobody else can either. We don't run ads, we don't sell your data, and we never will. The biggest tech companies in the world have built their businesses on collecting your personal information. We built ours on not needing it. Could we make a few extra dollars if we did? Probably. But how you feel about us matters more than a quick buck. Now, here's the full legal version:

Note: This privacy policy is a development draft and has not yet been reviewed by legal counsel. A full legal review is planned before public launch. See our product roadmap for compliance milestones.

1. Introduction

Vibbrancy ("we," "our," or "us") is operated from Level 3/162 Collins St, Melbourne VIC 3000, Australia. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our mobile application, website, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Our Privacy Promise

We care about your data. That's exactly why we don't want it. Your data belongs to you — not to us, not to advertisers, not to anyone else. We've designed every part of this app to keep it that way, and we'll bend over backwards to make sure no one can access it.

  • On-device processing: All analysis of your journal entries (sentiment, entities) happens entirely on your device using on-device machine learning. Your words are never sent to external servers for processing.
  • No advertising — ever: We will never show you ads or use your data for advertising purposes. The biggest tech companies in the world built their businesses on your data. We built ours on not needing it.
  • We never sell your data: Your personal data is never sold, rented, or shared with third parties for their marketing purposes. Could we make extra money if we did? Sure. But your trust matters more.
  • Subscription-funded: We are funded exclusively through optional paid subscriptions, aligning our interests with yours.

3. Data We Collect

3.1 Account Information

When you create an account, we collect your email address (for authentication and account recovery), an optional display name, and a securely hashed password. If you sign in via Google or Apple, we receive your name and email from the identity provider.

3.2 Mood & Wellness Data

By default, all mood entries are stored locally on your device only using IndexedDB and are never transmitted to our servers. If you enable Cloud Backup, your mood ratings, notes, activities, emotions, and physical symptoms are synced to our encrypted servers. You can disable Cloud Backup at any time in Settings.

3.3 Health Data (Optional)

If you enable Apple Health or Google Health Connect integrations, we access steps, sleep, and heart rate data read-only, processed entirely on your device. We do not store health data on our servers.

3.4 Crash Reports & Technical Data

When the app crashes or hits an error, our crash-reporting tool (Sentry) gets a report. Before that report leaves your device, we strip your email, user ID, and any authentication tokens. What Sentry actually receives: the error message, which line of code broke, your device type (e.g. iPhone, Android), and the app version. What Sentry never receives: your mood scores, journal text, emotions, activities, health data, or anything that identifies you. We use these reports to find and fix bugs. That's it — not for analytics, not for profiling, not for recommendations.

Your IP address is visible to our servers during normal HTTPS connections but is not logged or stored by us. Sentry may temporarily process IP addresses under their data processing terms but we have configured Sentry to not store them.

4. How We Use Your Data

  • Account management: To authenticate you, manage your account, and send account-related emails (password resets, security alerts).
  • Service delivery: To provide mood tracking features and sync data across your devices (if enabled).
  • Subscription management: To process payments and manage your subscription through our payment processors.
  • Customer support: To identify you and resolve issues when you contact support.
  • Service improvement: To analyse anonymised, aggregated usage patterns to improve the Service.
  • Marketing (opt-in only): To send product updates and tips only if you explicitly opt in. You can unsubscribe at any time.

5. Third-Party Data Processors

We do not sell your personal data. We share data with the following categories of processors, each bound by data processing agreements:

  • Subscription & billing (RevenueCat): Your email address and display name are shared with RevenueCat, our subscription management processor, to manage billing and provide customer support. RevenueCat processes this data under their Data Processing Addendum. No mood or health data is shared.
  • Cloud hosting (Railway, PostgreSQL): Encrypted account and mood data (if Cloud Backup is enabled) is stored on our hosting infrastructure.
  • Email delivery: Transactional email services for account-related notifications.
  • Error monitoring (Sentry): Crash reports that are stripped of your identity before leaving your device. Sentry receives: error messages, stack traces, device type, app version. Sentry does not receive: your email, user ID, mood data, journal entries, emotions, or activities. We use these reports to find and fix bugs.
  • App stores (Apple App Store, Google Play): Subscription purchases are processed by the respective app store. We do not handle payment card details directly.

6. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:

  • Contract (Art. 6(1)(b)): Account data, mood data sync, and subscription management — necessary to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Sharing email/display name with our subscription processor for customer support; anonymous analytics; security monitoring.
  • Consent (Art. 6(1)(a)): Marketing communications (opt-in); optional health data integrations.

7. Your Rights

Regardless of your location, you have the following rights:

  • Access: Request a copy of all data we hold about you.
  • Rectification: Update incorrect personal information via Settings or by contacting us.
  • Erasure: Delete your account and all associated data. Local data is deleted immediately; cloud data is permanently purged within 30 days.
  • Data portability: Export your mood data in JSON or CSV format from Settings.
  • Withdraw consent: Disable Cloud Backup, health integrations, or marketing emails at any time.
  • Restriction / Objection: Request restriction of processing or object to processing based on legitimate interest.
  • Lodge a complaint: You may lodge a complaint with a supervisory authority in your jurisdiction (for Australian residents: the OAIC).

To exercise these rights, use the in-app Settings or email us. We will respond within 30 days.

8. Data Security

We employ industry-standard security measures including HTTPS for all data in transit, bcrypt password hashing, JWT-based authentication, and encrypted database storage. While no system is 100% secure, we regularly review and improve our security practices.

9. Data Retention

  • Account data: Retained until you delete your account.
  • Mood data (cloud): Retained until you delete individual entries or your account.
  • Mood data (local): Remains on your device until you clear app data or uninstall.
  • Deleted accounts: All cloud data permanently purged within 30 days of deletion request.
  • RevenueCat attributes: Cleared from RevenueCat upon account deletion.
  • Crash reports: Retained by Sentry for 90 days, then automatically deleted. Reports contain no personal identifiers.

10. International Data Transfers

Our servers and some processors are located outside Australia and the EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses and processor data processing agreements.

11. Children's Privacy

The Service is not intended for children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the application and update the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Vibbrancy
Level 3/162 Collins St
Melbourne VIC 3000, Australia
Email: privacy@vibbrancy.app
Response time: Within 30 days