PRIVACY POLICY
Effective date: April 27, 2026
WHO WE ARE
Vibe Card is an AI-powered pet personality card app developed by Anton Usov (individual developer, Austria).
Contact: support@vibe-card.app
WHAT DATA WE COLLECT
AUTHENTICATION
You can use Vibe Card anonymously (guest account) or sign in with Apple. Authentication is handled by Supabase Auth. We store the minimum needed to authenticate you (anonymous user ID, or Apple ID-derived email if signed in).
PET PHOTOS
To generate a card, you upload a photo of your pet. The photo is:
- Sent to Anthropic via the Claude API for one-shot personality analysis. Anthropic does not use API inputs to train models (per Anthropic\u2019s commercial terms).
- Pre-filtered for non-pet, minor, and adult content via Sightengine.
- Stored in your private Supabase row + your card\u2019s rendered image is stored in Cloudflare R2.
We never share your raw photo publicly. Public share pages display the rendered card, not the source photo.
CARD DATA
Your generated cards (archetype, motto, fatal flaw, stats, rarity, element type) live in our Supabase database. Cards are private by default. When you tap "Share", the specific card you share becomes accessible at a public permalink (vibe-card.app/share/<card-id>) so anyone with the link can view it.
BATTLE MODE
When you start a battle, we pair you against another user\u2019s card. The opponent\u2019s pet name and card are visible to you, but their account identity is not — battles are pseudonymous. Likewise, your card may appear as an anonymous opponent to other players.
PURCHASES
Subscription purchases are processed by RevenueCat through Apple\u2019s App Store. We never see or store your payment details. RevenueCat receives a pseudonymous user ID to track your subscription state.
PUSH NOTIFICATIONS
If you grant notification permission, we store an Expo Push token to send re-engagement notifications (e.g., "your battle opponent took a swing"). You can revoke this any time in your device settings.
CRASH REPORTING
We use Sentry for crash and error reports. Sentry receives stack traces and anonymous device metadata. No photos, no card text, no PII.
PRODUCT ANALYTICS
We use PostHog for product analytics, proxied through our own domain at m.vibe-card.app so the traffic stays on our root domain. PostHog collects:
- Action events — e.g., "card_revealed", "battle_completed", "share_tapped". Properties are limited to enums (rarity, element type, archetype id) — never pet names, photos, or anything user-typed.
- Device metadata — OS, app version, device model, screen size, locale.
- Pseudonymous profile properties — Pro status, card count bucket, account type. Linked to your Supabase user ID, not your email.
BOT PROTECTION
The card-generation endpoint uses Cloudflare Turnstile to block automated abuse. Turnstile receives a token from your device and a fingerprint of the request. No PII.
WHAT WE DO NOT DO
- We do not sell your data.
- We do not use ad SDKs, tracking pixels, or attribution networks (no Google Analytics, no Facebook Pixel, no AppsFlyer).
- We do not share your data with third parties beyond the service providers listed above, which are strictly necessary to operate the app.
- We do not use your photos or generated cards to train AI models.
LEGAL BASIS FOR PROCESSING (GDPR)
We process your data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR) — for the app\u2019s core functionality: generating cards, storing your account, processing subscriptions.
- Legitimate interest (Art. 6(1)(f) GDPR) — for product analytics (PostHog), crash reporting (Sentry), and bot protection (Turnstile). Our legitimate interest is to improve app quality, fix bugs, and prevent abuse. We minimize the data collected and never track personal content.
SERVICE PROVIDERS
We use the following third-party services. Most are EU-hosted; the Anthropic Claude API is US-based, with traffic routed only when you generate a card.
| Provider | Purpose | Data received |
|---|---|---|
| Supabase (EU) | Database, auth, file storage | Account, cards, push token |
| Cloudflare Workers + R2 (global edge) | API + image hosting | Card images, public share pages |
| Anthropic (US) | Claude API for card generation | Pet photo + descriptors (per-request only) |
| Sightengine (FR) | Pre-classifier for unsafe images | Pet photo (per-request only) |
| Cloudflare Turnstile (global) | Bot protection on /generate | Anonymous device challenge token |
| PostHog (EU, proxied) | Product analytics | Anonymous events, device metadata, pseudonymous ID |
| Sentry (EU) | Crash reporting | Stack traces, device info, pseudonymous ID |
| RevenueCat (US) | Subscription management | Pseudonymous user ID, App Store receipts |
| Expo Push (US) | Push notification delivery | Push token, notification payload |
DATA STORAGE AND SECURITY
Account and card data is stored in Supabase (EU). Card images are stored in Cloudflare R2 with public-read access only via the public share permalink path. All app↔server communication is encrypted via TLS. Database access is protected by Row-Level Security (RLS) — each user can only read or modify their own rows.
DATA RETENTION
Your card data, photos, and account are retained for as long as your account exists. When you delete your account (Settings → Account → Delete Account), all rows in our database are removed and the corresponding card images in R2 are best-effort deleted.
Analytics data in PostHog is retained for up to 12 months for aggregate insights, then automatically deleted. Crash reports in Sentry are retained for 90 days.
YOUR RIGHTS
You have the right to:
- Delete your account — available in Settings → Account → Delete Account. Removes your account and all associated data from our servers.
- Access or export your data — email support@vibe-card.app and we will provide a JSON export within 30 days.
- Object to analytics processing — email us and we will exclude your user ID from aggregate analytics.
- Lodge a complaint — with your local data protection authority. For EU users, this is typically the DPA in your country of residence.
CHILDREN\U2019S PRIVACY
Vibe Card is not directed at children under 13. The app shows an age confirmation on first launch and refuses access to users under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us data, please contact support@vibe-card.app and we will delete it.
CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For material changes, we will notify users in-app on next launch.
CONTACT
Anton Usov
Email: support@vibe-card.app
Website: vibe-card.app