Privacy policy.

Last updated · April 2026

In one paragraph

We collect the songs you send and receive (because the recipients have to be able to play them back), your account profile (display name, username, optionally a photo), the friends you follow, and the basic device info Apple gives every app. We do not collect your private listening history. We do not sell your data. Phone numbers used for friend-matching are SHA-256 hashed on your device before they leave your phone — we never see the original numbers, and we cannot reverse the hashes.

What we collect

Account information

When you create an account, we store your display name, username, profile photo (if you set one), and the authentication identifier from your sign-in method (Apple Sign In, Google Sign In, or anonymous). We use Firebase Authentication for this; their privacy policy is at firebase.google.com/support/privacy.

Songs you send and receive

Every song you share — the track ID, the recipient, the timestamp, and any note you wrote — is stored in our database so the recipient can read it. Songs you receive are stored under your account so you can scroll through your inbox.

Friends and follows

The follow graph (who follows whom) is stored so we can render Following lists, the Find Friends results, and the people-you-care-about row on your home tab.

Phone hashes (NOT phone numbers)

If you opt into phone-based friend matching during onboarding, we store a SHA-256 hash of your phone number normalized to E.164 format. The plaintext number never leaves your device. We can match your hash against other users' hashes, but we cannot reverse a hash back to a number.

Reactions, comments, and engagement

If you react to a song or leave a comment, we store the reaction or comment, the song it's attached to, and the timestamp.

Device + technical information

Standard iOS app stuff: device model, iOS version, app version, locale, time zone. We use this for crash reporting (via Firebase Crashlytics) and to debug platform-specific issues.

Apple Music subscription status

If you opt in to Apple Music integration, we ask Apple for your subscription status (active or not). We don't see what you play in Apple Music — only whether you're a subscriber so we can offer full-track playback instead of 30-second previews.

Contact matching

To find your friends already on Vibes, we use a privacy-first contact matching protocol borrowed from Signal and WhatsApp:

1. When you tap "Find friends from contacts," the iOS Contacts API gives us your address book on your device only.
2. We normalize each phone number to E.164 format (e.g., +14155550142) on your device.
3. We compute a SHA-256 hash of each normalized number on your device.
4. We send only the hashes to our servers, where we check whether any of them match the hashes of other Vibes users.
5. We return the matched users' profiles. Hashes that don't match are immediately discarded.

Plaintext phone numbers, names, and addresses from your contacts never leave your device.

How we use what we collect

• To deliver the songs you send to the right recipients.
• To render your inbox, your follow lists, and your weekly recap.
• To match friends you have in common via on-device contact hashing.
• To send push notifications when a friend sends you a song or follows you (you can disable these in Settings).
• To debug crashes and fix bugs (via Firebase Crashlytics — anonymized).
• To contact you about the service when necessary (rarely — we don't send marketing emails).

What we never do

This is the half of the policy that matters most. We will not:

• Sell your data. Not to advertisers, not to data brokers, not in aggregate, not at all.
• Show you ads. Vibes does not have advertising. There is no plan to add it.
• Read your private listening history. What you play in Apple Music when no one's looking is none of our business and we don't ask for permission to see it.
• Upload your contacts. See the contact-matching section above. Hashes only.
• Track you across other apps or websites. No third-party SDK is allowed to fingerprint you for ad targeting. The App Tracking Transparency prompt is included for compliance, but we use it only for anonymous internal analytics.
• Train AI models on your songs, notes, or recaps. Your messages to friends are not corpus.

Third parties

We use the following third parties to run the service:

• Apple — for the App Store, Sign in with Apple, and the iTunes Search API (which provides the 30-second previews).
• Google Firebase — for our database (Firestore), authentication, push notifications (FCM), and crash reporting (Crashlytics).
• Google Sign-In — if you sign in with Google.

Each of these has its own privacy policy. We do not share your data with anyone else.

Your rights

You can:

• See your data — Settings → Account → Export my data. We email you a JSON of everything tied to your account within 14 days.
• Delete your account — Settings → Account → Delete account. Your account, all songs you sent, all songs sent to you, your follow graph, your weekly recaps, and your phone hash wipe within 30 days. Crash logs older than 30 days are anonymized.
• Disable push notifications — Settings → Notifications.
• Revoke contact access — iOS Settings → Vibes → Contacts.

If you're in the EU/UK, you have additional rights under GDPR (rectification, restriction, portability, objection). Email us and we'll honor them.

Children

Vibes is rated 12+. We do not knowingly collect data from children under 13. If you become aware that a child under 13 has signed up, contact us and we'll delete the account.

Changes

If we materially change this policy, we'll notify you in-app before the change takes effect. The "last updated" date at the top will reflect any update. We will not retroactively expand the data we collect or how we use it without your explicit consent.

Contact

For privacy questions, GDPR/CCPA requests, or anything else: hi@vibesmusic.app.