VibeRoutine Privacy Policy
Effective: May 4, 2026 Last updated: June 1, 2026
VibeRoutine ("the Service") respects your privacy and complies with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
This policy explains what we collect, how we use and share it, how long we keep it, and what rights you have.
1. Information we collect
The Service does not require an account and collects the minimum data necessary.
1-1. Information you enter
| Item | When collected | Where stored |
|---|---|---|
| Display name | During onboarding | On-device (AsyncStorage) |
| Routine / memo text | When you enter it | On-device |
| Voice memos (transcribed text) | When you capture voice | On-device |
| Photos (food / medication classification) | When you capture a photo | On-device (thumbnail) |
| Mood scores, categories, nutrition info | When you record them | On-device |
| Country / region code (e.g. KR, US) | Auto-detected from device locale or manually changed | On-device |
| Notification settings, watch pairing | When you configure them | On-device |
1-2. Information collected automatically
The Service does not use analytics SDKs and does not collect advertising identifiers (ADID/IDFA). The following data is processed transiently:
- Input text and images temporarily sent to our AI server (see §3)
- Backend server logs: IP address and request timestamp (for rate-limiting and operations; auto-deleted after 7 days)
1-3. Information we do NOT collect
- Government IDs, passport numbers, or other unique identifiers
- Credit cards or bank accounts (payment is handled exclusively by Apple/Google In-App Purchase; we never see your card data)
- Location (GPS)
- Contacts / address book
- Medical diagnostic data (the Service is not a medical device)
2. How we use your information
We use collected information solely to:
- Provide the Service (routine/memo logging, automatic categorization, AI coaching)
- Classify voice and photo entries via a third-party AI model (transient processing)
- Send reminders at times you configure
- Sync data with paired Apple Watch / Galaxy Watch
- Manage Vibe+ subscription entitlements (purchase verification via RevenueCat)
- Detect crashes and errors to improve stability (via Sentry)
- Maintain the Service through anonymized, aggregated statistics
3. Sub-processors
The Service relies on the following sub-processors to operate:
| Sub-processor | Purpose | Data shared | Retention |
|---|---|---|---|
| OpenAI, L.L.C. (USA) | Text categorization and photo labeling via gpt-4o-mini | Voice transcripts, photo base64, user-entered text | Not used for training (API policy). Discarded immediately after the response; up to 30 days for abuse monitoring, then deleted automatically |
| Vercel Inc. (USA) | API server hosting | Request IP, timestamp | 7 days |
| RevenueCat, Inc. (USA) | Subscription receipt validation, entitlement management for Vibe+ | Anonymous App User ID (random UUID), purchase receipt from Apple/Google, country code | Per RevenueCat's policy |
| Sentry / Functional Software, Inc. (USA) | Crash and error diagnostics | Anonymous device model, OS version, stack trace, breadcrumbs (no user content) | 90 days |
| Apple Inc. / Google LLC | App distribution, In-App Purchase, push notifications | Per their respective policies | Per their respective policies |
OpenAI, Vercel, RevenueCat, and Sentry are located in the United States, so your data is transferred internationally. Before any photo, voice, or text is sent to OpenAI for AI features, the app asks for your explicit, in-app consent. AI features remain off until you agree — you can decline and continue using the Service with manual entry only. These sub-processors are contractually bound by their data-processing agreements to protect your data at a level equivalent to the protections described in this policy. OpenAI does not use API data to train its models. You may withdraw consent at any time by disabling AI features; doing so stops any further sharing.
- OpenAI's data processing policy: https://openai.com/policies/api-data-usage-policies
- RevenueCat's privacy policy: https://www.revenuecat.com/privacy
- Sentry's privacy policy: https://sentry.io/privacy/
4. Retention and deletion
- Local data: stored on your device until you uninstall the app or use "Reset all data" in-app. We never store your content on our servers.
- Server-processed data: discarded from memory immediately after the classification response is returned. The Service does not maintain a database of user content.
- Server operations logs (IP, timestamp): deleted after 7 days.
5. Your rights
You may exercise the following rights at any time:
- Access / correction / deletion: from Profile → "Export my data / Reset all" inside the app.
- Immediate deletion on uninstall: removing the app from iOS/Android deletes all local data simultaneously.
- GDPR rights (EU residents): access, rectification, erasure, restriction, portability, objection, automated decision-making, and the right to lodge a complaint with your supervisory authority.
- CCPA rights (California residents): know, delete, opt-out of sale (we do not sell personal information), and non-discrimination.
- Refusal: you may use the Service with manual entry only, skipping camera/microphone features.
To exercise any of these, email hlee@inhandplus.com. We respond within 30 days.
6. Children
The Service is not directed to children under 14 (or under 13 in the United States, per COPPA). If we learn we have collected information from a child without verifiable parental consent, we delete it promptly. If you believe a child has provided us with personal information, please contact us at hlee@inhandplus.com.
7. Security
- All API calls use TLS 1.2+ encryption.
- API keys are stored only as server-side environment variables and are not embedded in the app bundle.
- The backend rate-limits per IP to mitigate abuse.
- Local storage is protected by the operating system sandbox; other apps cannot access it.
8. Permissions
| Permission | Purpose | If denied |
|---|---|---|
| Camera | Capturing food/medication photos | Photo entry disabled only |
| Microphone | Recording voice memos | Voice entry disabled only |
| Notifications | Routine reminders | Reminders disabled only |
| Wear | Galaxy Watch sync | Watch features disabled only |
You can change permissions any time in your operating system settings.
9. Contact
- Data Protection Officer: Hwiwon Lee
- Email: hlee@inhandplus.com
For any privacy-related questions, requests, or complaints, please email us. We aim to respond promptly and thoroughly.
You may also contact the relevant supervisory authority:
- Korea: Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972)
- EU: your local data protection authority
- USA: your state attorney general
10. Changes to this policy
If we change this policy, we will notify you in-app or update the "Last updated" date above. For material changes we will provide at least 7 days' advance notice.