Privacy Policy

Last updated: April 23, 2026

This Privacy Policy explains what information vibewtf ("we", "us") collects when you use our website or iOS app, how we use it, who we share it with, how long we keep it, and how you can delete it.

If you only read one section, read "How to delete your account". Everything else is explanatory.

1. Who we are

vibewtf is a visual wall and digital bulletin board service. The service is operated by Kushagra Agarwal, an individual based in the United Arab Emirates. Contact: hello@vibewtf.com.

For privacy questions, email privacy@vibewtf.com.

2. What we collect

From your sign-in provider (Clerk via Google or Apple)

• Email address
• Name (if your provider returns one)
• Profile picture URL (if your provider returns one)
• A provider-issued user ID we use to recognize you on return visits

If you sign in with Apple, Apple may give us a private relay email instead of your real address. We treat that as your email and will not try to match it to your real one.

From you directly

• A username you choose
• Images you upload to your wall or to shared boards
• Image decoration choices (frame, tilt, background color) you apply
• Spotify track URLs you link to your wall (we fetch public metadata only, not your Spotify account data)
• Wall background color preference
• Reports you submit through the "Report" feature
• Messages you send when you email us (saved in our support inbox until the issue is resolved)

Automatically, when you use the service

• IP address and user agent (captured at the web/CDN layer)
• Timestamps of requests you make
• iOS app version (sent as an X-App-Version header so we can support older versions)
• Image metadata we derive on upload: dimensions, file size, MIME type, content hash
• Analytics events and session recordings via PostHog (see §5.6 below for what that means)
• An attribution source if you arrived via a tagged link (e.g. a TikTok campaign URL with ?ref=), stored once at signup

From devices

• APNs device tokens, if you enable push notifications on iOS. A device token is a device-scoped identifier issued by Apple; it lets us send push notifications to your device and does not identify you outside of our service.
• Web Push subscriptions (endpoint, public key, auth key), if you enable push notifications in the browser
• Per-notification-type preferences you set on the device (on/off for new images, queued uploads, weekly recap, board activity)

What we do NOT collect

• We do not collect your location
• We do not access your contacts, microphone, or camera roll beyond the images you explicitly upload
• We do not use advertising identifiers (IDFA)
• We do not track you across other apps or websites
• We do not use your images to train AI models
• We do not sell your personal information

3. How we use your information

• To run the service. Store your images, render your public gallery at vibewtf.com/your-username, let you edit and delete your content, send push notifications you've opted into.
• To keep the service safe. Investigate abuse reports, enforce our Terms of Service, detect and prevent attacks against the service.
• To improve the product. Analyze which features are used, find bugs, understand where users drop off. We use PostHog for this.
• To communicate with you. Send you the occasional transactional email (welcome message, account changes). We don't send marketing email.

4. Legal basis (for users in the EU/UK)

We rely on the following legal bases under GDPR:

• Contract performance (Art. 6(1)(b)) — for everything required to run the service (storing your images, serving your public gallery, auth, push notifications you enabled).
• Legitimate interests (Art. 6(1)(f)) — for product analytics, security, and abuse investigation. You can object to this at any time by emailing privacy@vibewtf.com.
• Consent (Art. 6(1)(a)) — for any optional feature you explicitly opt into (e.g. enabling push notifications, opting in to be featured on our social media channels).
• Legal obligation (Art. 6(1)(c)) — for reporting unlawful content we become aware of (e.g. child sexual abuse material to NCMEC, as required by 18 U.S.C. § 2258A).

5. Who we share your information with

We share data with the service providers below. We do not sell your personal information, and we do not share it for advertising.

5.1 Clerk (authentication)

We use Clerk to handle sign-in with Google or Apple. Clerk receives your OAuth tokens and returns the profile information listed in §2.

5.2 Cloudflare (content delivery + security)

Cloudflare sits in front of our servers. They process IP addresses, request metadata, and TLS certificates. They also help us block denial-of-service attacks.

5.3 DigitalOcean (hosting)

Our servers run on DigitalOcean in the United States. All personal data you give us is stored there.

5.4 Apple Push Notification service (iOS push)

If you enable iOS push notifications, we send notification payloads through Apple's APNs. Apple receives a device token and the notification content at send time.

5.5 Resend (transactional email)

We use Resend to send transactional emails (welcome messages, account notifications). Resend receives your email address and the email body.

5.6 PostHog (analytics and session replay)

We use PostHog to understand how people use the product. PostHog records:

• Events — named actions you take (page views, clicks on specific buttons, uploads, etc.)
• Session recordings — playbacks of your interactions with the site (mouse moves, clicks, scrolls, visible on-screen text). Text input fields are masked by default, so we can't see what you type into forms. Passwords are never recorded.
• Crash reports — if the iOS app crashes, PostHog (via PLCrashReporter, bundled with the PostHog SDK) captures a stack trace and device state so we can diagnose the bug. This matches the crash data type declared in the app's iOS privacy manifest.

Session recordings and crash reports are stored by PostHog in the United States. We do not use this data for advertising.

5.7 Apple & Google (sign-in)

When you sign in with Apple or Google, the provider authenticates you and tells Clerk (see §5.1) who you are. We do not directly receive anything from Apple or Google other than what Clerk passes to us.

Legal disclosures

We may disclose your information if we receive a valid legal request (subpoena, court order, or binding law) or if we reasonably believe disclosure is necessary to protect life, prevent fraud, or defend our legal rights.

6. How long we keep it

• Account data — kept while your account exists. When you delete your account (see §7), we delete your account record, images, boards you own, push subscriptions, API keys, Spotify links, and related rows from our database immediately. Reports you filed are also deleted. Reports filed about you are kept for moderation history but are anonymized to remove your username.
• Operational logs — we keep a rolling ~50 MB of server logs for debugging and abuse investigation. Older logs are overwritten automatically.
• Operational backups — database backups are retained for up to 30 days to support disaster recovery, then deleted.
• Support emails — kept in our inbox until the issue is resolved; long-lived threads may remain for up to 2 years before archival.
• Analytics — PostHog retention follows our PostHog plan (currently ~12 months for events and session recordings). We do not personally attribute event data beyond your Clerk ID.

7. Your rights

You can, at any time:

• Access and download your uploaded images from your public gallery page
• Correct your username and profile by editing them in your account settings
• Delete individual images from your wall or shared boards
• Delete your entire account from inside the iOS app — Settings → Delete Account. This wipes your images, boards you own, push registrations, API keys, and all related data from our servers immediately. (See §7.1.)
• Object to or restrict processing we do under legitimate interests — email privacy@vibewtf.com
• Request a data export (portability) — email privacy@vibewtf.com and we'll send you your account record and image metadata within 30 days
• Withdraw consent for any processing based on consent, without affecting prior processing
• Lodge a complaint with your local data protection authority if you believe we've mishandled your data. In the EU, find yours at edpb.europa.eu.

7.1 How to delete your account

Open the iOS app → Settings → Delete Account. Confirm twice. The app tells our server to delete everything and then tells Clerk to delete your sign-in credentials. You won't receive any further emails or push notifications from us, and your gallery URL at vibewtf.com/your-username will stop resolving.

If you don't have the iOS app, email privacy@vibewtf.com from the address associated with your account and we'll delete it manually within 30 days.

8. California residents (CCPA / CPRA)

If you live in California, you have the right under the CCPA/CPRA to know what personal information we collect, to request deletion, to correct inaccuracies, and to opt out of the sale or sharing of your personal information.

We do not sell or share your personal information as defined under California law. We also don't share it for cross-context behavioral advertising.

To exercise your rights, follow the same process as in §7. Email privacy@vibewtf.com.

9. Children under 17

The vibewtf service is intended for users 17 and older. The iOS app shows an age gate the first time you open it. If you are under 17, please do not use the service. If you believe a child under 17 has created an account, email privacy@vibewtf.com and we will delete it promptly.

10. International transfers

Our servers and most of our processors are in the United States. If you access the service from outside the US, your information will be transferred to and processed in the US.

For transfers from the EU/UK, we rely on the service providers' Standard Contractual Clauses or equivalent lawful transfer mechanisms (see each processor's privacy policy in §5).

11. Public galleries

Your gallery page at vibewtf.com/your-username is public by default. Anyone with the URL can see your images. You can opt out of the Explore page in your account settings, but the gallery URL itself stays public. Don't upload anything you wouldn't want associated with your username.

12. Security

We use HTTPS for all traffic, authenticated sessions via Clerk, server-side access controls, and standard operational hardening (SSH keys only, firewalled ports, etc.). No system is perfectly secure; if you discover a vulnerability, please report it to security@vibewtf.com.

13. Cookies

We use:

• A session cookie issued by Clerk, to keep you logged in
• A signed vw_ref cookie, to attribute your signup to a marketing link if you arrived via one. Expires after 30 days.
• PostHog analytics cookies, to correlate your events into a session (see §5.6)

We do not use advertising cookies or cross-site tracking pixels.

14. Changes to this policy

If we make material changes, we'll update the "Last updated" date and, if the change meaningfully affects you, notify you by email or in the app. Your continued use after changes take effect means you accept the new policy.

15. Contact

Email us at one of these addresses:

• privacy@vibewtf.com — privacy questions, data requests, GDPR/CCPA requests
• reports@vibewtf.com — report illegal or abusive content
• security@vibewtf.com — responsible security disclosure
• hello@vibewtf.com — everything else