Privacy Policy

Version 1.0.0 · Last updated February 8, 2026

Effective March 10, 2026

1. Data Controller & Contact

The data controller responsible for your personal data is:

LuminaByte GmbH

Julius-Hatry-Straße 1

68163 Mannheim

Germany

Privacy Contact: privacy@vibrae.ai

Security Contact: security@vibrae.ai

Data Protection Officer (DPO)

As required by GDPR Article 37(1)(c) and BDSG Section 38, LuminaByte GmbH has appointed a Data Protection Officer due to the nature and scale of our processing of special category data (psychological and wellness data):

Data Protection Officer

LuminaByte GmbH

Julius-Hatry-Straße 1

68163 Mannheim, Germany

Email: dpo@luminabyte.de

If you are located in the European Economic Area (EEA), our lead supervisory authority is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI).

Website: https://www.baden-wuerttemberg.datenschutz.de

Address: Lautenschlagerstraße 20, 70173 Stuttgart, Germany

Phone: +49 711 615541-0

Email: poststelle@lfdi.bwl.de

UK Representative

If you are located in the United Kingdom, our Article 27 representative under the UK GDPR is:

LuminaByte GmbH

Julius-Hatry-Straße 1

68163 Mannheim, Germany

Email: privacy@vibrae.ai

Note: A dedicated UK representative will be appointed as our UK user base grows. Until then, privacy inquiries from UK residents may be directed to the email above.

2. Scope of This Policy

This Privacy Policy applies to the Vibrae mobile application ("App") for iOS and Android and the Vibrae website at vibrae.ai ("Website"), including all features accessible through the App or Website such as AI-generated audio tracks, expeditions, sharing features, and related services (collectively, "our Services"). It does not apply to third-party services linked from the App or Website.

Exclusions: This Privacy Policy does not apply to employees, job applicants, or contractors of LuminaByte GmbH. Employee and applicant data is processed under separate privacy notices in accordance with BDSG Section 26.

Third-Party Links: Our Services may contain links to third-party websites or services (including authentication providers like Google and Apple). This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Services.

3. Information We Collect

3.1 Information You Provide

Account Information

When you create an account, we collect:

  • Email address
  • Display name
  • Profile photo (if provided via Google or Apple OAuth)

Onboarding Profile

During onboarding, you may provide:

  • Age and sex
  • Personal growth goals (up to 3 selections)
  • Mindset confidence score (0-100 scale)
  • Life satisfaction rating (0-100 scale)
  • Life challenges (selected from predefined options)
  • Motivation reasons ("why reasons")
  • Target milestone with date (event goal)
  • Growth profile scores: ambition, confidence, discipline, clarity, resilience (each 0-100)
  • Identified superpower trait
  • Growth opportunity area
  • Daily time commitment preference
  • Preferred session time (morning, lunch, evening, bedtime)
  • Voice preference for generated content
  • Background sound preferences
  • Experience level with personal development

Voice Recordings

  • Audio recordings you create as voice prompts for AI-generated tracks
  • These recordings are uploaded to our servers for transcription and content generation

Voice Recording Lifecycle:

  1. You record audio in the App (stored temporarily on-device)
  2. The recording is uploaded to our secure voice-prompts storage bucket (private, accessible only to you)
  3. For transcription, the audio is sent as encoded data to our server-side Edge Function, which forwards it to the OpenAI Whisper API
  4. OpenAI processes the audio in real time and returns only the transcribed text. Per OpenAI's API data usage policy, audio submitted via the API is not retained by OpenAI and is not used to train OpenAI models
  5. The transcribed text is used to generate your personalized track
  6. The original recording remains in your voice-prompts storage bucket until you manually delete it or your account is deleted

Biometric data note: Voice recordings may be classified as biometric information under certain US state laws (e.g., the Illinois Biometric Information Privacy Act, the California Consumer Privacy Act). We do not use voice recordings for biometric identification purposes (such as voiceprint matching or speaker recognition). Voice recordings are used solely for transcription to understand your content requests. See Section 12.3 for additional information.

Text Prompts & Generated Content

  • Written prompts you provide for track generation
  • Custom track titles and descriptions

Expedition Content

  • Expedition reflections (free-text entries about your personal growth journey)
  • Expedition progress and completion data

Avatar Photos

  • Profile photos you upload directly to the App

3.2 Information Collected Automatically

Device & Platform Information

  • Device type and model
  • Operating system and version
  • Platform (iOS or Android)
  • App version and build number
  • Device name

Usage Analytics

We track over 40 event types to understand how you use the App. These include (but are not limited to):

  • Playback events: playback_started, playback_paused, playback_resumed, playback_completed, playback_seeked, playback_speed_changed, repeat_mode_changed, background_audio_changed
  • Creation events: track_creation_started, track_type_selected, track_prompt_entered, track_voice_selected, track_duration_selected, track_background_selected, track_generation_started, track_generation_completed, track_generation_failed, track_creation_cancelled
  • Library events: track_favorited, track_unfavorited, track_deleted
  • Expedition events: expedition_viewed, expedition_started, expedition_audio_completed, expedition_action_completed, expedition_reflection_saved, expedition_day_completed, expedition_milestone_reached, expedition_completed, expedition_paused, expedition_abandoned, expedition_resumed
  • Settings events: default_voice_changed, default_duration_changed, default_background_changed, ui_language_changed, generation_language_changed
  • Share events: track_shared, share_link_claimed
  • Reminder events: reminder_created, reminder_deleted, reminder_enabled, reminder_disabled
  • Onboarding events: onboarding_started, onboarding_step_viewed, onboarding_step_completed, onboarding_completed, onboarding_abandoned, and related selection events
  • Screen views: screen_viewed with screen name
  • Errors: error_occurred with context and error details

Each event may include associated metadata such as track IDs, durations, step numbers, and feature-specific properties.

Super Properties (attached to all events)

  • App version, build number, platform, OS version
  • Subscription tier, premium status, onboarding completion status
  • UI language, generation language, days since signup

Session Replay (when enabled with your consent)

  • UI interactions and screen navigation flows
  • Network request metadata (URLs, status codes, timing - not request/response bodies)
  • Console log output
  • Text inputs are masked; images are not masked

Push Notification Tokens

  • Device push tokens for delivering notifications (when you enable notifications)

Website-Specific Data

  • Browser information: Browser type and screen resolution, collected via standard HTTP headers when you visit the Website
  • localStorage: Onboarding quiz responses are stored client-side only (under the vibrae-onboarding key) and are never transmitted to our servers
  • Tracking technologies: The Website does not use cookies or tracking pixels. PostHog analytics uses browser localStorage for anonymous session identifiers (subject to your analytics opt-out). You can clear this data via your browser's "Site Data" settings

3.3 Information from Third Parties

Authentication Providers

  • Google OAuth: Email address, display name, profile photo
  • Apple Sign-In: Email address, display name (name may be hidden per your Apple ID settings)

App Store & Play Store

  • Subscription status (active, expired, trial)
  • Purchase receipts for subscription verification

Payment processing: LuminaByte GmbH does not directly process, store, or have access to your payment card details or banking information. All payment processing is handled by Apple (App Store) and Google (Play Store) through their respective in-app purchase systems. We use RevenueCat as an intermediary to validate purchase receipts and manage subscription status across devices. We never receive your credit card number, CVV, or bank account details.

3.4 Inferences and Derived Data

In addition to data you provide directly, Vibrae derives the following categories of information from your usage and inputs:

  • Growth profile scores: Calculated from your onboarding responses (ambition, confidence, discipline, clarity, resilience -- each scored 0-100)
  • Superpower and growth opportunity: Identified from your onboarding profile patterns
  • Coach context profiles: Including reflection themes, struggle patterns, and progress indicators derived from your expedition reflections and usage
  • Content recommendations: Preferences inferred from your listening history, completion rates, and feature usage

These inferences are generated by our AI systems and used solely to personalize your experience within the App. They constitute personal information under applicable privacy laws (including CCPA Section 1798.140(v)(16)) and are subject to all rights described in Section 12.

4. Sensitive Personal Data Notice

Under GDPR Article 9, certain categories of data receive additional protection. Vibrae collects data that may qualify as sensitive personal data:

  • Psychological and wellness data: Your onboarding profile includes mindset confidence scores, life satisfaction ratings, life challenges, and growth profile scores (ambition, confidence, discipline, clarity, resilience). These reflect your mental well-being and psychological state.
  • Mental health reflections: Expedition reflections may contain content about your mental well-being, personal struggles, and emotional state.
  • Behavioral pattern profiles: Our AI coach context system builds profiles including reflection themes and struggle patterns derived from your reflections and usage.

Legal Basis: We process this sensitive data based on your explicit consent under GDPR Article 9(2)(a). You provide this consent during onboarding and when using expedition reflection features. You may withdraw consent at any time (see Section 12).

Purpose: This sensitive data is used solely for personalizing your AI-generated content, coaching interactions, and growth recommendations. It is never used for advertising, sold to third parties, or shared for purposes unrelated to your personal growth experience.

Consent withdrawal and sensitive data: If you withdraw your consent for processing sensitive personal data (psychological/wellness data, reflections, and coach context profiles), we will cease processing this data and delete it within 7 days of your withdrawal request. This accelerated timeline reflects the elevated protection required for special category data under GDPR Article 9. Non-sensitive account data (email, display name) will be retained as necessary for contract performance unless you request full account deletion. See Section 10 for details.

Mental Health Disclaimer

Vibrae is a personal growth and wellness tool. It is not a medical device, therapeutic service, or substitute for professional mental health care. The AI-generated content (meditations, hypnosis scripts, coaching messages) is for general wellness purposes only and does not constitute medical advice, diagnosis, or treatment.

If you or someone you know is experiencing a mental health crisis, please contact emergency services or a crisis helpline immediately:

  • EU Emergency: 112
  • US Suicide & Crisis Lifeline: 988 (call or text) or 911
  • Germany (Telefonseelsorge): 0800 111 0 111 or 0800 111 0 222 (free, 24/7)
  • UK (Samaritans): 116 123

For additional crisis resources, please refer to our Terms of Use, Section 7 (Health Disclaimers & Emergency Information).

6. How We Use Your Information

6.1 Core Functionality

  • Create and manage your account
  • Authenticate you via Google or Apple Sign-In
  • Save and sync your tracks, preferences, and progress across devices
  • Provide audio playback with background audio mixing
  • Manage your track library (favorites, deletion, organization)

6.2 AI-Powered Features

  • Script Generation: Your prompts, onboarding profile, and preferences are sent to AI models (OpenAI GPT-4 or Google Gemini) via our server-side Edge Functions to generate personalized meditation, hypnosis, and personal growth scripts
  • Voice Synthesis: Generated scripts are sent to text-to-speech services (ElevenLabs or Google TTS) to produce audio tracks
  • Transcription: Voice recordings are transcribed using AI transcription services to understand your intentions
  • Coach Context: Your reflections and usage patterns may be analyzed to build coaching context (reflection themes, struggle patterns) for more personalized expedition content

6.3 Personalization

  • Tailor content based on your onboarding profile (growth goals, mindset score, growth profile)
  • Adapt content to your preferred language
  • Recommend experiences based on your growth area and superpower
  • Generate expedition content calibrated to your current progress

6.4 Communication

  • Send push notifications for session reminders (when enabled)
  • Create calendar events for scheduled practice (when calendar access is granted)
  • Respond to your support requests
  • Send important updates about our Services or your account

6.5 Analytics and Improvement

  • Understand feature usage patterns and user flows
  • Identify and fix bugs, crashes, and performance issues
  • Conduct A/B testing to optimize the onboarding experience and features
  • Measure the effectiveness of new features

6.6 Legal and Safety

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Protect against fraudulent or illegal activity

6.7 Automated Decision-Making

Vibrae uses automated processing to generate personalized content. Specifically, AI models generate meditation scripts, coaching messages, and expedition content based on your onboarding profile, usage patterns, and reflections. See Section 13 for details and your rights regarding this processing.

6.8 Business Transfers

In the event that LuminaByte GmbH is involved in a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or a portion of its assets, or other business transfer, your personal data may be transferred as part of that transaction. In such circumstances:

  • We will notify you via in-app notification and/or email before your personal data is transferred and becomes subject to a different privacy policy
  • The acquiring entity will be bound by the same data protection obligations described in this policy, to the extent permitted by applicable law
  • You will have the opportunity to delete your account and data before any transfer is completed, upon reasonable notice
  • If the transaction involves a change of data controller, we will ensure compliance with GDPR Article 13/14 notification requirements

6.9 AI Training Guarantee

Your data is NOT used to train AI models. Vibrae uses AI services (OpenAI, Google Vertex AI/Gemini, ElevenLabs) exclusively through their enterprise/API interfaces, which contractually prohibit the use of customer data for model training. Specifically:

  • OpenAI: Per OpenAI's API data usage policy (effective March 1, 2023), data submitted through the API is not used to train OpenAI models and is retained for a maximum of 30 days for abuse monitoring, after which it is deleted
  • Google Vertex AI / Gemini: Per Google Cloud's data processing terms, customer data submitted to Vertex AI APIs is not used to train Google's foundation models
  • ElevenLabs: Per ElevenLabs' API terms, text submitted through the API for speech synthesis is not used to train their models

This guarantee is a core commitment to our users: your personal reflections, voice recordings, and growth data are used solely to deliver your personalized experience and are never used to improve or train third-party AI systems.

6.10 De-identification and Anonymization

Where possible, we use de-identified or aggregated data for analytics and service improvement purposes. When we de-identify data:

  • We remove or obscure all direct identifiers (name, email, user ID)
  • We apply technical safeguards to prevent re-identification
  • We commit to not attempting to re-identify de-identified data and contractually prohibit downstream recipients from doing so
  • De-identified data is no longer considered personal data under GDPR (Recital 26) or personal information under CCPA (Section 1798.140(h))

Aggregated analytics (e.g., feature usage statistics, average session durations, onboarding completion rates) are used internally for product improvement and may be referenced in aggregate form in communications with investors or partners, without any possibility of identifying individual users.

6.11 Law Enforcement and Legal Requests

We may disclose your personal data if required by law or in response to valid legal requests by public authorities (e.g., a court or law enforcement agency). Before disclosure, we will:

  • Verify the legal validity of the request
  • Notify you unless legally prohibited (e.g., court seal or gag order)
  • Provide only the minimum data necessary to comply
  • Object to overly broad or inappropriate requests where legally possible

7. Third-Party Data Processors

We do not sell your personal data. We share data with the following service providers who process it on our behalf:

Provider | Location | Data Shared | Purpose | Retention
Supabase | EU (Frankfurt) | All user data, files, authentication | Database, authentication, file storage, Edge Functions | Per our retention policy
OpenAI | United States | Text prompts, generated scripts, voice recordings, reflections | AI script generation, transcription | 30-day API data retention
Google Vertex AI / Gemini | United States | Text prompts, generated scripts | AI script generation, text-to-speech voice synthesis | Per Google Cloud DPA
ElevenLabs | US / EU | Generated scripts (text only) | Text-to-speech voice synthesis | Per ElevenLabs DPA
PostHog | United States (configurable) | Usage events, device info, session replay data | Analytics, A/B testing, session replay (App and Website) | Per our retention configuration
Vercel | United States | HTTP metadata, static assets, Edge Functions | Website hosting, CDN, serverless functions | Per Vercel DPA
Cloudflare | Global CDN | Share link routing, HTTP request metadata | CDN, routing, DDoS protection | Transient
Expo / EAS | United States | Push notification tokens, OTA update metadata | Push notification delivery, app updates | Per Expo privacy policy
Apple | United States | Authentication tokens, push delivery, subscription data | Sign in with Apple, push notifications, IAP | Per Apple privacy policy
Google | United States | Authentication tokens, push delivery, subscription data | Google Sign-In, push notifications, IAP | Per Google privacy policy
RevenueCat | United States (AWS) | User ID (pseudonymous), device info, subscription receipts | Subscription management, purchase receipt validation | Per RevenueCat DPA

RevenueCat: We use RevenueCat (revenuecat.com) to manage in-app subscriptions and validate purchase receipts. RevenueCat receives your pseudonymous user ID for cross-device subscription tracking, along with purchase receipts from Apple and Google. RevenueCat does not receive your email address, name, or other directly identifying information. RevenueCat's infrastructure is hosted on Amazon Web Services (AWS) in the United States and is bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28, available at revenuecat.com/dpa/.

All processors are bound by data processing agreements (DPAs) in compliance with GDPR Article 28(3). Each DPA requires the processor to:

  • Process your data only on our documented instructions
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist us in responding to data subject rights requests
  • Delete or return all personal data at the end of the service provision
  • Make available all information necessary to demonstrate compliance

Sub-processor changes: We will update this Privacy Policy to reflect any material changes to our processor landscape. If a new sub-processor is engaged that materially alters how your data is processed (e.g., a new AI provider or a change in data hosting location), we will provide at least 14 days' notice before the change takes effect, via in-app notification or update to this policy. You may object to such changes by contacting us, and if we cannot accommodate your objection, you may delete your account.

8. Session Replay & Analytics Disclosure

8.1 Analytics Tracking

Vibrae uses PostHog for product analytics. When analytics is enabled, we track the usage events described in Section 3.2. Analytics data includes:

  • Event names and associated properties (track IDs, durations, step numbers)
  • Device and platform information
  • User properties (subscription tier, language preferences, onboarding status)

PostHog analytics applies to both the App and the Website. Analytics tracking is enabled by default. You can opt out at any time via Settings > Privacy & Data > Analytics (App) or through PostHog's consent mechanisms (Website).

8.2 Session Replay

PostHog session replay captures your interactions with the App to help us understand user experience issues. When enabled, it records:

  • UI interactions (taps, swipes, scrolls, navigation)
  • Screen flows and transitions
  • Network request metadata (URLs, status codes, response times - not request or response bodies)
  • Console log output

Privacy protections in session replay:

  • All text inputs are masked (you will appear to type placeholder characters)
  • Images (such as profile photos) are not masked
  • iOS system views (keyboards, alerts) are masked

Session replay is off by default. It requires your separate, explicit opt-in consent. You can enable or disable it at any time via Settings > Privacy & Data > Session Replay.

8.3 IP Address Handling

PostHog receives your IP address as part of standard HTTP communication. We have configured PostHog to anonymize IP addresses by discarding the last octet of IPv4 addresses (and the last 80 bits of IPv6 addresses) before storage. This means your full IP address is not stored in our analytics system. This approach follows guidance from German data protection authorities regarding IP address processing (in line with the principles established in CJEU Case C-582/14 -- Breyer v. Germany).

9. Data Storage & Security

9.1 Server-Side Storage

  • Database: Supabase PostgreSQL hosted in the EU (Frankfurt, Germany)
  • Row-Level Security (RLS): All database tables enforce row-level security policies, ensuring users can only access their own data
  • Storage Buckets:
      ◦ tracks - Generated audio tracks (public URLs for playback)
      ◦ voice-prompts - Your voice recordings (private, accessible only to you)
      ◦ avatars - Profile photos (public read access)

9.2 On-Device Storage

Data stored on your device remains under your control and is not transmitted to our servers unless you actively trigger a sync or use a feature that requires server communication. Specifically:

  • WatermelonDB: Local SQLite database for offline access and performance (stored unencrypted on device, protected by OS-level device encryption). This local database acts as a cache; LuminaByte GmbH is the data controller only for data that is synced to our servers.
  • AsyncStorage: Used for app preferences and onboarding state
  • Auth Tokens: Currently stored in AsyncStorage (migration to expo-secure-store for encrypted storage is planned)
  • Website localStorage: Used for onboarding quiz state (vibrae-onboarding key). Data remains on your device and is not synced to our servers. You can clear it via your browser settings.

Under TTDSG Section 25, accessing or storing information on your device (including local databases, preferences, and push notification tokens) requires your consent unless strictly necessary for providing the service you requested. We obtain this consent during the App's initial setup.

9.3 Encryption & Security Measures

  • In transit: All data transmitted between our Services and our servers is encrypted using TLS (Transport Layer Security)
  • At rest: Server-side data is encrypted at rest via Supabase infrastructure encryption
  • Authentication: Industry-standard OAuth 2.0 via Apple and Google
  • Access controls: Service role keys are stored as environment secrets on the server and are never exposed to the client. All AI and TTS API calls are routed through server-side Edge Functions.

Note: Vibrae does not provide end-to-end encryption. While data is encrypted in transit and at rest on our servers, it is processed in readable form by our Edge Functions and third-party AI providers to deliver our Services' functionality.

9.4 Data Breach Notification

In the event of a personal data breach, we will:

  1. Notify the supervisory authority (LfDI Baden-Württemberg) within 72 hours of becoming aware of the breach, as required by GDPR Article 33, unless the breach is unlikely to result in a risk to your rights and freedoms
  2. Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34. Given that Vibrae processes special category data (Article 9), we apply a lower threshold for user notification
  3. Document all breaches in an internal breach register, regardless of severity, including the facts of the breach, its effects, and the remedial actions taken
  4. Comply with additional notification requirements under applicable laws, including BDSG Section 65, California Civil Code Section 1798.82, and other US state breach notification statutes

Security Contact: To report a security vulnerability or suspected data breach, contact security@vibrae.ai. For general privacy inquiries, contact privacy@vibrae.ai.

10. Data Retention

Data Category | Retention Period
Account data (email, name, photo) | Active account lifetime + 30 days after deletion
Voice recordings | Until you delete them, or account deletion + 30 days
Generated audio tracks | Until you delete them, or account deletion + 30 days
Onboarding profile | Active account lifetime + 30 days after deletion
Expedition reflections and coach context | Active account lifetime + 30 days after deletion
Usage analytics | 24 months
Session replay recordings | 30 days
Push notification tokens | Until logout or account deletion
Share links | Until link expiration or account deletion
Script generation jobs | 90 days after completion

When you delete your account, we initiate deletion of your personal data within 30 days. Some data may persist in encrypted backups for a limited period as part of standard infrastructure operations, but will not be actively processed.

Sensitive data on consent withdrawal: If you withdraw consent for processing sensitive personal data (without deleting your account), we will delete your psychological/wellness data, expedition reflections, and coach context profiles within 7 days. See Section 4 for details.

Subscription cancellation: If you cancel your subscription but keep your account active, we retain all your data as described above. Your generated tracks and expedition progress remain accessible in a read-only or limited-feature capacity. We do not delete data solely because a subscription lapses, but we may reduce server-side storage allocations for inactive free-tier accounts after 12 months of inactivity, with prior notice.

11. International Data Transfers

Your primary data is stored in the EU (Frankfurt, Germany) via Supabase. However, to provide AI-powered features, some data is transferred to processors located in the United States:

  • OpenAI (US) - For AI script generation and transcription
  • Google Vertex AI / Gemini (US) - For AI script generation and text-to-speech
  • RevenueCat (US, AWS) - For subscription management and receipt validation
  • PostHog (US) - For analytics and session replay
  • Expo / EAS (US) - For push notification delivery and app updates
  • Cloudflare (Global) - For CDN and routing

Transfer mechanism: These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, and/or the processor's participation in recognized data protection frameworks. Each processor has entered into a Data Processing Agreement (DPA) with us.

You can review the specific safeguards by contacting us at privacy@vibrae.ai.

12. Your Rights

12.1 All Users

Regardless of your location, you have the right to:

  • Access your personal data held by us
  • Correct inaccurate or incomplete data
  • Delete your account and associated data
  • Export your data in a portable format

12.2 EEA, UK, and Switzerland Residents

Under the General Data Protection Regulation (GDPR), you additionally have the right to:

  • Right of access (Art. 15) - Obtain a copy of your personal data and information about how it is processed
  • Right to rectification (Art. 16) - Have inaccurate data corrected
  • Right to erasure (Art. 17) - Request deletion of your personal data ("right to be forgotten")
  • Right to restriction of processing (Art. 18) - Request that we limit how we use your data
  • Right to data portability (Art. 20) - Receive your data in a structured, commonly used, machine-readable format. Where technically feasible, you may also request that we transmit your data directly to another controller (Art. 20(2))
  • Right to object (Art. 21) - Object to processing based on legitimate interests, including analytics
  • Right to withdraw consent (Art. 7(3)) - Withdraw consent at any time without affecting the lawfulness of processing before withdrawal
  • Rights related to automated decision-making (Art. 22) - See Section 13

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI):

  • Address: Lautenschlagerstraße 20, 70173 Stuttgart, Germany
  • Phone: +49 711 615541-0
  • Email: poststelle@lfdi.bwl.de
  • Website: https://www.baden-wuerttemberg.datenschutz.de

Response time: We will respond to all rights requests within 30 days. If a request is particularly complex, we may extend this period by an additional 60 days and will inform you of any extension.

12.3 California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and the California Privacy Rights Act, you have the right to:

  • Right to know - What personal information we collect, use, disclose, and sell
  • Right to delete - Request deletion of your personal information
  • Right to correct - Request correction of inaccurate personal information
  • Right to opt out of sale - We do not sell your personal information
  • Right to limit use of sensitive personal information - Request that we limit the use of sensitive personal information to what is necessary for providing the services
  • Right to non-discrimination - We will not discriminate against you for exercising your privacy rights. Specifically, we will not:
      ◦ Deny you access to the App
      ◦ Charge you different prices or rates
      ◦ Provide you a different level or quality of service
      ◦ Suggest you will receive a different price, rate, or quality of service

Categories of personal information collected (per CCPA Section 1798.140):

| CCPA Category | Examples from Vibrae | Sold? | Shared for Advertising? |
|---|---|---|---|
| A. Identifiers | Email address, display name, user ID | No | No |
| B. Personal information per Cal. Civ. Code 1798.80(e) | Name, email address | No | No |
| C. Protected classification characteristics | Age, sex (from onboarding) | No | No |
| D. Commercial information | Subscription status, purchase receipts (processed via RevenueCat) | No | No |
| F. Internet or electronic network activity | Usage events, device info, session replay data | No | No |
| G. Geolocation data | Not collected (no location tracking) | N/A | N/A |
| H. Audio, electronic, visual, or similar information | Voice recordings for transcription | No | No |
| I. Professional or employment-related information | Not collected | N/A | N/A |
| K. Inferences | Growth profile scores, coach context, reflection themes, superpower/growth opportunity | No | No |
| L. Sensitive personal information | Psychological/wellness data (mindset scores, life satisfaction, life challenges, growth profiles), mental health reflections | No | No |

We do not sell or share personal information for cross-context behavioral advertising.

Sensitive personal information: We collect sensitive personal information as described in category L above. This sensitive personal information is used only for the purposes of providing the Vibrae service (personalized content generation and coaching). It is not used for advertising, profiling for advertising, or any purpose other than delivering the core service. You have the right to limit the use of your sensitive personal information to what is necessary for performing the services under CCPA Section 1798.121.

California "Shine the Light" (Cal. Civ. Code Section 1798.83): LuminaByte GmbH does not disclose personal information to third parties for their direct marketing purposes.

12.4 Other US State Residents

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Oregon (OCPA), or other US states with comprehensive privacy legislation, you may have similar rights including:

  • Right to access, correct, and delete your data
  • Right to data portability
  • Right to opt out of targeted advertising (we do not engage in targeted advertising)
  • Right to opt out of sale of personal data (we do not sell personal data)
  • Right to appeal our decision regarding your privacy request

We honor Global Privacy Control (GPC) signals as a valid opt-out request.

Do Not Track (DNT): Some browsers transmit "Do Not Track" signals. Because there is no industry consensus on interpreting DNT, we do not currently respond to DNT signals. However, we honor Global Privacy Control (GPC) signals as described above, which provide a standardized opt-out mechanism recognized under California and other US state laws.

To appeal a decision we have made regarding your privacy rights, contact privacy@vibrae.ai with "Privacy Rights Appeal" in the subject line. We will respond within 45 days.

12.5 Washington and Nevada Residents

Washington "My Health My Data" Act (RCW 19.373): Vibrae collects "consumer health data" as defined under Washington law, including data related to your mental and behavioral health (mindset scores, life satisfaction ratings, growth profiles, expedition reflections). Under this law, you have the right to:

  • Know whether we are collecting, sharing, or selling your consumer health data
  • Withdraw consent for the collection and sharing of your consumer health data
  • Request deletion of your consumer health data

We do not sell consumer health data. We obtain your consent before collecting consumer health data during onboarding. To exercise your rights under this law, contact privacy@vibrae.ai or use the in-app privacy controls.

Nevada SB 220: We do not sell your personal information as defined under Nevada Revised Statutes Chapter 603A. Nevada residents may submit opt-out requests to privacy@vibrae.ai.

12.6 Authorized Agents

California residents and residents of other applicable US states may designate an authorized agent to submit privacy rights requests on their behalf. To submit a request through an authorized agent:

  1. The authorized agent must provide written authorization signed by you, or a power of attorney
  2. We may require you to verify your own identity directly with us
  3. Submit authorized agent requests to privacy@vibrae.ai with "Authorized Agent Request" in the subject line

12.7 How to Exercise Your Rights

You can exercise your privacy rights through:

  • In-App: Settings > Privacy & Data (consent management, analytics opt-out, session replay toggle)
  • Account Deletion: Settings > Privacy & Data > Delete My Account
  • Data Export: Settings > Privacy & Data > Export My Data
  • Email: privacy@vibrae.ai (for access requests, corrections, objections, or complaints)
  • DPO: dpo@luminabyte.de (for data protection inquiries within the EEA)

We may need to verify your identity before processing your request.

Excessive or manifestly unfounded requests: Under GDPR Article 12(5), if requests from a data subject are manifestly unfounded or excessive (in particular because of their repetitive character), we may charge a reasonable fee taking into account the administrative costs of providing the information, or refuse to act on the request. We will inform you of the reasons for any refusal and of your right to lodge a complaint with the supervisory authority.

12.8 Dispute Resolution

If you are not satisfied with our response to a privacy complaint, you may:

  • EEA/UK residents: Lodge a complaint with your local data protection authority (see supervisory authority contact details in Section 12.2)
  • EU residents: Submit a complaint to the European Commission's Online Dispute Resolution (ODR) platform at https://ec.europa.eu/consumers/odr/
  • US residents: Contact us via the appeal process described in Section 12.4
  • All users: Contact our Data Protection Officer at dpo@luminabyte.de

For disputes related to the Terms of Use (including arbitration provisions), see our Terms of Use, Section 21.

12.9 Other International Jurisdictions

Brazil (LGPD): You have rights under the Lei Geral de Proteção de Dados including access, correction, deletion, portability, and consent revocation. Contact privacy@vibrae.ai.

Australia (Privacy Act 1988): You have the right to access and correct your personal information. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Canada (PIPEDA): You have the right to access, correct, and challenge the accuracy of your personal information. Complaints may be filed with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

13. Automated Decision-Making & Profiling

13.1 How We Use Automated Processing

Vibrae uses AI and automated processing to personalize your experience:

  • Script generation: AI models generate meditation, hypnosis, and personal growth scripts based on your prompts, onboarding profile, and preferences
  • Coach messages: Expedition coaching content is adapted based on your reflections and progress
  • Expedition content: Daily expedition audio is tailored to your growth profile and current progress

13.2 What Data Informs Automated Decisions

Automated content generation takes into account:

  • Your onboarding profile (goals, mindset score, life satisfaction, growth profile scores)
  • Your usage patterns (track types, listening habits, session frequency)
  • Your expedition reflections and responses
  • Derived profiling data: growth profile scoring (ambition, confidence, discipline, clarity, resilience), reflection theme extraction, and struggle pattern detection

13.3 Impact and Your Rights

  • No automated decisions produce legal effects or similarly significant effects on you. All automated processing is limited to content personalization within our Services.
  • You have the right to human intervention regarding automated processing decisions
  • You can request an explanation of how your profile data influences the content generated for you
  • You can object to profiling by contacting privacy@vibrae.ai

To exercise these rights, contact us at privacy@vibrae.ai.

14. Publicly Shared Data

When you share a track using the share link feature, the following information is included in the share link and visible to anyone who opens it:

  • Track title
  • Track description
  • Track type (e.g., meditation, hypnosis)
  • Track duration
  • Your display name (as the sharer)

Share links are accessible via a public URL. You can control sharing by choosing not to use the share feature. Share links expire based on the configured expiration period or when you delete your account.

15. Children's Privacy

Vibrae is not intended for children under the age of 13 (United States) or 16 (European Economic Area).

We do not knowingly collect personal information from children under these ages. We rely on App Store and Play Store age ratings to limit access, but we do not independently verify user age.

If we become aware that we have inadvertently collected personal information from a child under the applicable age, we will take steps to delete that information promptly. If you believe a child under the applicable age has provided us with personal information, please contact us at privacy@vibrae.ai.

16. Device Permissions

The App may request the following device permissions. Each permission is requested only when the related feature is first used:

| Permission | Purpose | When Requested |
|---|---|---|
| Microphone | Record voice prompts for AI track generation | When you tap the voice recording button |
| Camera | Capture avatar photos | When you choose to take a new profile photo |
| Photo Library | Select avatar photos from your gallery | When you choose to upload a profile photo |
| Calendar | Create and manage session reminders | When you enable calendar reminders |
| Notifications | Deliver session reminders and important updates | During onboarding or when enabling reminders |
| Internet | Sync data, generate AI content, stream audio, deliver analytics | Required for App functionality (always active) |

Website: The Website does not request any special browser permissions (no camera, microphone, geolocation, or notifications).

You can revoke any App permission at any time through your device's system settings. Revoking a permission will disable the associated feature but will not affect other functionality.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • Material changes: We will provide at least 30 days' notice before changes take effect, via in-app notification and/or email
  • Re-consent: Where consent is the legal basis for processing, we will request renewed consent for material changes that affect the scope of processing
  • Version history: All previous versions of this policy are documented in Section 18

Accessibility: If you have difficulty accessing this Privacy Policy due to a visual or other impairment, contact privacy@vibrae.ai and we will provide it in an alternative format (plain text, large print, or audio) upon request.

Your continued use of our Services after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree with a revised policy, you should stop using our Services and may request account deletion.

18. Contact & Version History

Contact

LuminaByte GmbH

Julius-Hatry-Straße 1

68163 Mannheim, Germany

Privacy Contact: privacy@vibrae.ai

Security Contact: security@vibrae.ai

Data Protection Officer: dpo@luminabyte.de

Supervisory Authority:

Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI)

Lautenschlagerstraße 20

70173 Stuttgart, Germany

Phone: +49 711 615541-0

Email: poststelle@lfdi.bwl.de

Website: https://www.baden-wuerttemberg.datenschutz.de

Version History

| Version | Date | Changes |
|---|---|---|
| 1.0.0 | February 8, 2026 | Initial privacy policy. |

This Privacy Policy is provided in English. A German-language version will be made available at vibrae.ai/datenschutz. If translations are made available, the English version shall prevail in case of any discrepancy.