Vaibli Privacy Policy

Effective date: 2 May 2026
Last updated: 2 May 2026

Vaibli (“Vaibli”, “we”, “us”, or “our”) is a mobile application that helps you see and share what is happening near your current location. This Privacy Policy describes how we collect, use, store, and share personal information when you use the Vaibli app (the Service) or our public marketing website (including if you join a launch waitlist there).

Vaibli is developed and maintained by Bircube. If you need to contact us about privacy, use the contact details at the end of this policy.

This policy is written for users, including people in Pakistan where the Service is initially focused. It is not legal advice. You should consult a qualified lawyer before publishing it in production, to confirm entity name, jurisdiction, and compliance with applicable law (including any sector-specific rules).

1. Who this policy applies to

This policy applies to anyone who installs, accesses, or uses the Vaibli mobile app on iOS or Android, and to visitors of our public marketing website where we mirror legal notices or collect a launch waitlist. Some mobile features are only available after you create an account or grant certain permissions.

2. Information we collect

2.1 Account and profile information

  • Authentication data: If you sign up with email, we process your email address and verification codes. If you use Apple or Google sign-in, we receive identifiers and profile elements that those providers share with us according to their own policies.
  • Display handle: A public handle you choose (subject to product rules) shown on posts you publish under your named identity.
  • Phone number (optional verification): If you complete phone verification to unlock certain features (for example, photo posting), we process your mobile number and SMS or verification messages through our telecommunications or verification provider.

2.2 Location information

Vaibli is built around place. When you grant while-in-use location access:

  • The app obtains location from your device (for example GPS and network-assisted fixes) so we can show you a feed of content near you and enforce location-based rules on the server.
  • Precise coordinates are processed on our systems to rank content, enforce radius rules, and perform safety checks (for example, server-side geometry checks so that “nearby” actions reflect where you actually are).
  • Other users do not receive your precise location. Content you see uses coarse signals only (for example, broad geohash cells and non-exact “proximity” labels such as “right here”, “nearby”, or “around”), not raw latitude/longitude shared with other clients. For anonymous posts, we apply extra limits so that fine-grained proximity is not exposed in ways that could be misused to deanonymize someone.

We do not use background location in version 1 of the product as specified; location is requested when you are using the app according to your operating system settings.

If you deny location access, core feed features may not work; the app may show an empty state until you grant permission.

2.3 Content you create

  • Posts: Text, polls, and (if you are verified for photos) images you publish. Each post is tied to the location at publish time and has a time-to-live; when it expires, it is removed from the product surface according to our data lifecycle.
  • Comments and reactions: Text comments, reactions on posts and comments, echoes (where allowed), and poll votes. Aggregate poll results may be shown; individual vote choices are not exposed to other users.
  • Identity mode: You may post under your handle or under an anonymous presentation. Anonymous labels (for example colour-and-animal style names) are generated on the server so that the mapping between your account and those labels is not exposed through the app APIs to other clients. Moderation and safety workflows may still associate content with your account internally where required.

2.4 Private saves (“Catch It”)

If you save a post privately, we store a private copy of that content for you so you can revisit it after the original expires, subject to product limits (for example maximum number of saves). Those saves are not visible to other users.

2.5 Zone subscriptions

You may subscribe to a limited number of predefined geographic zones to receive notifications about activity there. We process your subscription choices and related settings (for example mute).

2.6 Device, log, and diagnostic data

  • Device and app data: Device type, operating system version, app version, push notification tokens, and similar technical data needed to run the Service.
  • Crash and error reporting: If enabled, diagnostic reports (for example via Sentry or similar tools) may include stack traces, device metadata, and contextual information to fix bugs. We aim to minimise personal data in such logs.
  • Product analytics: We may use analytics tools (for example PostHog or similar) to understand feature usage, funnels, and reliability, using event data that is configured to align with our privacy design (for example not exposing precise coordinates to analytics in ways that would undermine this policy).

2.7 Payments and payouts (when offered)

Some features described in our roadmap—such as in-app purchases, tips, or wallet balances—are not all part of the initial launch. When we enable them:

  • App stores and payment partners (for example Apple, Google, RevenueCat, or regional processors such as Tap Payments) will process payment and fraud-prevention data under their terms and privacy policies.
  • Creator payouts may require know-your-customer information (for example national ID and bank or wallet details) collected only when needed to pay you, not at ordinary signup.

If a feature is not available in your build, we do not collect the associated payment or payout data for that feature.

2.8 Moderation and safety

When you report content or users, we collect the report reason and related context. Moderation staff and automated tools may review content (including media, where applicable) to enforce our rules and the law. Internal records may link reports and enforcement actions to account identifiers where necessary; that linkage is not shown to other users as part of anonymous identities.

2.9 Communications

We may send transactional messages (for example verification, security notices, or responses when you contact support). Marketing communications would only be sent where permitted by law and, where required, with your consent.

2.10 Marketing website waitlist

If you choose to join a waiting list on our marketing site (public pages hosted at domains such as vaibli.app or temporary project URLs we use during setup), we process:

  • Email address, so we can tell you when the app launches or reaches your rollout area.

Submitting your email does not create a Vaibli account. We deduplicate submissions by normalising the email (for example lowercasing); if you later sign up in the mobile app using the same address, flows connect only as ordinary account data under this policy.

We use waitlist contacts only for launch-related messages tied to Vaibli unless you separately agree to broader marketing later. You can contact us using the details at the end of this policy to ask for removal from the waitlist.

2.11 Marketing pricing page (approximate region)

The public pricing brochure uses coarse egress location solely to infer country so we can show one of five example currencies (Pakistani Rupees, Indian Rupees, US Dollars, Euro, pounds sterling). How we obtain country depends on hosting:

  • Cloudflare-hosted marketing pages: Cloudflare attaches a two-letter visitor country hint derived from routing at the edge. Our brochure reads this through our own /api/geo endpoint on the same site — we do not need to expose that hop to unrelated third-party scripts for that primary path.

  • Fallback when that path is unavailable (for example local development without Cloudflare Workers): our browser loads may call GeoJS (get.geojs.io) over HTTPS, which returns coarse fields including country. That call is scoped to tailoring that page — it does not create or update a Vaibli account and is not merged with analytics from the mobile apps on that flow.

Neither path is used to store a separate “pricing profile”; it is ephemeral browser-side choice of copy for the brochure.

3. How we use information

We use personal information to:

  • Provide, secure, and improve the Service (feed, posting, notifications, subscriptions, and related features).
  • Operate our marketing website waitlist, including sending proportionate notices when we open access or widen rollout.
  • Show marketing pricing anchors inferred from coarse IP location (five currency examples — see §2.11).
  • Enforce location-based rules and ephemeral content behaviour as designed.
  • Protect anonymity mechanics for anonymous posts and comments as described in product requirements.
  • Detect abuse, spam, and fraud; enforce our terms; comply with legal obligations.
  • Operate moderation and human review where automated means are insufficient.
  • Analyse aggregates and trends to improve performance and product quality.

We do not build a social graph based on following individual users. Relationships in the product are oriented around place and zones, not “follower” links between people.

4. Legal bases (where applicable)

Depending on your country, we may rely on one or more of the following:

  • Performance of a contract: Providing the Service you request.
  • Legitimate interests: Securing the Service, understanding usage in aggregate, preventing abuse, and improving reliability—balanced against your rights.
  • Consent: Where required for optional processing (for example certain marketing or optional analytics, if we configure them that way).
  • Legal obligation: Responding to lawful requests from authorities when we are required to.

5. How we share information

We share information only as needed to operate the Service:

  • Infrastructure and database: Hosted backend and database providers (for example Supabase) that store and process data on our behalf under appropriate contractual terms.
  • Push notifications: Notification delivery services (for example Expo push services together with Apple Push Notification service and Firebase Cloud Messaging on Android).
  • Authentication and messaging: Identity providers you choose (Apple, Google) and SMS or verification vendors for OTP.
  • Media and safety: Image hosting or processing (for example resizing or moderation-classification providers) where we use them.
  • Analytics and reliability: Analytics and error-reporting subprocessors as configured for the app.
  • Payments: App stores and payment processors when you make purchases, as described in section 2.7.
  • Professional advisers: Lawyers, accountants, or auditors under confidentiality obligations.
  • Legal and emergency requests: We may disclose information if we believe in good faith that disclosure is required by law, court order, or to protect the rights, safety, or property of users, us, or the public.

We do not sell your personal information in the traditional sense of “selling” lists of individuals to advertisers. Paid Boost-style surfacing in the product, if offered, is a paid distribution of your own content to nearby users—not sale of personal data dossiers to third-party advertisers. Paid features may still involve payment processors as described above.

6. Retention

  • Ephemeral content: Posts, comments, reactions, and related activity are designed to expire after their time-to-live. After expiry, they should no longer appear in the app; backend retention for backups, logs, or legal holds may continue for a limited period consistent with operations and law.
  • Account deletion: If you delete your account, we may use a grace period (for example several days) during which restoration is possible, then complete deletion or anonymisation steps. For anonymous historical content, our model may retain posts while detaching or anonymising internal ties to your account where specified in product policy.
  • Private saves: Retained until you delete them or delete your account, subject to product rules.
  • Logs and analytics: Retained for troubleshooting and insights on rolling schedules typical for such systems, then deleted or aggregated.

Exact retention windows can evolve; material changes should be reflected in updates to this policy.

7. Security

We use administrative, technical, and organisational measures appropriate to the risk, including access controls, encryption in transit for modern clients, and database policies (for example row-level security) designed to limit who can read or change data. No method of transmission or storage is perfectly secure; we encourage you to protect your device and accounts.

8. Your choices and rights

Depending on applicable law, you may have rights to access, correct, delete, or export certain personal data, or to object or restrict certain processing, and to withdraw consent where processing is consent-based.

  • Device permissions: You can revoke location or notification permissions in your device settings; some features will stop working as a result.
  • Account: Use in-app account tools where available, or contact us to exercise rights.

We may need to verify your identity before fulfilling requests. If you are unsatisfied with our response, you may have the right to complain to a data protection authority in your country, where one exists.

9. Children

The Service is not intended for children below the minimum age required by the app stores or applicable law (often 13, or higher where local rules require). We do not knowingly collect personal information from children in a targeted way. If you believe we have done so, contact us and we will take appropriate steps.

10. International transfers

Our service providers may process data in countries other than your own (including the United States, the European Union, and other regions where cloud providers operate). Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

11. Automated decision-making

We may use automated systems for ranking feeds, detecting abuse, and similar functions. These systems do not make solely automated decisions with legal or similarly significant effects about you in the GDPR sense without human review where required by law. If that changes, we will update this policy.

12. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new effective date and, where the law requires, provide additional notice (for example in-app or by email). Continued use of the Service after the effective date constitutes acceptance of the updated policy where permitted by law.

13. Contact

For privacy questions or requests, contact:

Bircube (Vaibli)
[Insert contact email — e.g. privacy@vaibli.app]
[Insert postal or registered address if required in your jurisdiction]

Replace the bracketed contact details before publication.

Document note (internal)

This draft aligns with the Vaibli MVP specification (docs/sdd/specs/001-vaibli-mvp/spec.md), constitution principles (location-centric product, anonymity, no user-to-user follower graph, ephemeral-by-default content, mobile-first), and referenced infrastructure (for example Supabase, Expo push, PostHog, Sentry) as of the effective date. Have qualified counsel review before distributing to end users or linking from app stores.

This page mirrors the Markdown source in docs/legal/privacy-policy.md at build time. Updating that file and redeploying refreshes this mirror.