Information on the Processing of Personal Data
pursuant to articles 13–14 of EU Regulation 2016/679 (GDPR)
Version 1.1 — June 9, 2026
1. Data Controller
The Controller of the processing of personal data of the users of the VibesOut application is:
Danilo Mastropaolo
Natural person — Developer and manager of the VibesOut service
Support Email: info@vibesout.com
PEC (legal communications): danilomastropaolo@pec.it
Phone: +39 391 101 6506
For general inquiries, support, and questions about the application: info@vibesout.com
For the exercise of GDPR rights, formal complaints, and any communication with legal value: danilomastropaolo@pec.it (specify in the subject: "GDPR Request — VibesOut").
2. Definitions
For the purposes of this privacy policy, the following definitions apply:
- Personal data: any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).
- Processing: any operation performed on personal data (collection, recording, storage, consultation, communication, erasure, etc.) — Art. 4 No. 2 GDPR.
- Data subject: the natural person to whom the personal data refers, namely the user of the VibesOut application.
- Data processor: a third party who processes data on behalf of the Controller based on a written contract (Art. 28 GDPR).
- Third Country: a country not belonging to the European Union or the European Economic Area.
3. Consent Collection and Acceptance Methods
3.0 Consent mechanism — Sign-in Wrap
Acceptance of this privacy policy and the Terms of Service occurs through the sign-in wrap (or clickwrap) mechanism: by proceeding with registration (whether manual by entering name, surname, and email, or via access with external providers such as Google or Apple), the user declares that they have read and fully accepted the Privacy Policy and the Terms of Service, as published and accessible in the application at the time of the action.
This mechanism constitutes a valid and binding manifestation of will under Art. 7 GDPR and Art. 1326 of the Italian Civil Code. The Controller retains technical evidence of the acceptance (timestamp, version of the accepted documents) for the accountability requirements referred to in Art. 5.2 GDPR.
4. Types of Data Collected and Purposes of Processing
4.1 Data provided directly by the user
a) Registration and authentication data
- First and last name or display name
- Unique username
- Email address
- Password (stored in encrypted form with the bcrypt algorithm — not accessible to the Controller)
- Phone number (for identity verification and safety features)
- Date of birth (to verify the minimum age requirement of 16 years)
Legal basis: Art. 6.1.b GDPR — execution of the service contract. This data is necessary to create and manage the user account. In the absence of such data, it is not possible to use the service.
b) Public profile data
- Profile photo
- Biography (free text field, optional)
- Interests and preferences (optional)
Legal basis: Art. 6.1.b GDPR — service functionality. The profile photo and biography are optional but necessary to fully benefit from the social features of the application.
c) Gender
The gender field is optional: the user is in no way obliged to provide this information to access the service or any of its features. Filling in the field occurs exclusively on the voluntary initiative of the user.
Legal basis: Art. 9.2.a GDPR — explicit consent manifested by a voluntary positive act. In compliance with the WP29 Opinion 15/2011 and the EDPB guidelines, the deliberate filling in of an optional field clearly described in this policy constitutes an unequivocal positive act of explicit consent to the processing of the data under Art. 9 GDPR. The user can delete the data from their profile in the application settings at any time, without any consequences for accessing the service. Deleting the data is equivalent to revoking consent under Art. 7.3 GDPR.
d) Published content
- Photographs and videos uploaded within events and stories
- Texts and descriptions of the created events
- Private messages exchanged with other users in direct chat
Legal basis: Art. 6.1.b GDPR — provision of the functionality requested by the user. Private messages are processed exclusively for delivery to the recipient and are not read, analyzed, or processed by the Controller, except in cases strictly necessary to ensure platform security (e.g., abuse reports).
4.2 Data collected automatically
e) Geolocation data
The application collects the GPS coordinates of the user's device to enable proximity features. In particular:
- Spotlight: a feature that allows the user to view and interact with other users physically present in the immediate vicinity, sharing the same geographical area (e.g., same event, same place). Spotlight is not a content or event recommendation system: it is a real-time social interaction tool based exclusively on the physical co-presence of users.
- Geolocated content: publication of events and stories associated with a geographical position.
Access to the device's location is managed exclusively by the operating system (iOS/Android). The user can revoke geolocation permission at any time through their device settings (Settings → Privacy → Location Services on iOS; Settings → Apps → VibesOut → Permissions on Android). Revocation automatically disables all features that require location, without the possibility of partial use.
Legal basis: Art. 6.1.b GDPR — proximity features constitute the core function of the service; in the absence of location access, Spotlight and the publication of geolocated content are technically unusable.
f) Device token for push notifications
Upon consent to notifications by the operating system (iOS/Android), the application collects the unique token of the device to send push notifications (app updates, messages, nearby events).
Legal basis: Art. 6.1.b GDPR — provision of the notification service. Collection of the token is conditional on the user's consent to notifications expressed at the operating system level.
g) Technical and session data
- Session tokens (JWT) stored in encrypted form, with automatic expiration
- Refresh tokens to maintain the session (with defined TTL)
- Technical device data necessary for the proper functioning of the app (not associated with advertising identifiers)
Legal basis: Art. 6.1.b GDPR — necessary for authentication and session security.
4.3 Data not collected and processing not carried out
VibesOut does not collect and does not carry out the following processing:
Data not collected:
- Identifying biometric data (fingerprints, iris scan)
- Health or medical data
- Genetic data
- Information on political opinions, religious beliefs, or trade union affiliations
- Device advertising identifiers (IDFA on iOS, GAID on Android)
- Data for profiled or behavioral advertising purposes
Facial recognition — explicit declaration (Art. 9 GDPR)
VibesOut does not use and has never used facial recognition, biometric identification, or physical characteristic analysis technologies on photographs uploaded by users. Images are processed exclusively as media files to be displayed and are not processed by biometric analysis systems. Should biometric processing features be integrated in the future, the Controller will update this policy with appropriate notice and collect the explicit consent required by Art. 9.2.a GDPR.
Behavioral advertising — explicit declaration
VibesOut does not display advertising of any kind to users, whether profiled or contextual. The platform does not transmit user data to advertising networks, data brokers, or advertising platforms (e.g., Google Ads, Meta Ads, TikTok Ads). No personal data is used for marketing purposes toward third parties. Should advertising be introduced in the future, the Controller will update this policy and collect the specific consent required by applicable legislation (GDPR + ePrivacy).
Behavioral profiling from geolocation — explicit declaration (EDPB Guidelines 4/2019)
VibesOut does not build behavioral profiles from users' geographical movements. GPS coordinates are used exclusively for real-time features (Spotlight — real-time social proximity; searching for nearby events) and are not stored historically or analyzed to infer habits, places of residence, workplaces, medical facilities visited, places of worship, or any other behavioral pattern. The Controller is aware that such profiling would constitute high-risk processing under Art. 35 GDPR and the EDPB Guidelines 4/2019, and undertakes not to introduce it without a prior Data Protection Impact Assessment (DPIA) and update of this policy.
5. Registration and Authentication Methods
The user can register or access VibesOut through the following methods:
a) Manual registration
The user can create an account by providing their data directly to the application (name, surname, email address, and password). This data is processed directly and only by the Controller for the purposes described in section 4.1.
b) Google (Sign in with Google)
Google LLC acts as an independent Data Controller for the user's Google account data. The application receives only the data that the user has expressly authorized (email, name, Google identifier). The user is invited to consult Google's privacy policy: https://policies.google.com/privacy
c) Apple (Sign in with Apple)
Apple Inc. acts as an independent Data Controller for the user's Apple account data. Apple offers the possibility to hide the real email with a relay address. The application receives only the authentication token and, if authorized, the email. The user is invited to consult Apple's privacy policy: https://www.apple.com/legal/privacy/
The data received from these services is processed by VibesOut exclusively for the creation and management of the user account.
6. Recipients of Data — Data Processors
Personal data of users is shared with the following third parties, as Data Processors under Art. 28 GDPR, based on specific data processing agreements (DPA):
| Provider | Service | Location | DPA | Extra-EU Transfer |
|---|---|---|---|---|
| Hetzner GmbH | Hosting servers and database | Germany 🇩🇪 | Signed | None — data in EU |
| Google LLC (Firebase Auth) | User authentication | USA 🇺🇸 | Google Cloud DPA | SCCs + EU-U.S. DPF |
| Google LLC (Maps Platform) | Geocoding and maps | USA 🇺🇸 | Google Cloud DPA | SCCs + EU-U.S. DPF |
| Google LLC (Vertex AI / Cloud AI) | Content processing with AI | USA/EU 🇺🇸/🇪🇺 | Google Cloud DPA | Vertex AI on EU region |
| Cloudflare Inc. | Media file storage | USA / Storage EU 🇺🇸/🇪🇺 | Cloudflare DPA | SCCs + EU-U.S. DPF — EU storage |
| Functional Software Inc. (Sentry) | Technical error monitoring (mobile app & website) | USA / EU Region 🇺🇸/🇩🇪 | Sentry DPA | SCCs + DPF — EU region active |
| Amplitude Inc. | User behavior analysis on website (product analytics) | USA 🇺🇸 | Amplitude DPA | SCCs + EU-U.S. DPF |
| Google LLC (Google Analytics 4) | Traffic measurement and acquisition sources on vibesout.com | USA 🇺🇸 | Google Cloud DPA | SCCs + EU-U.S. DPF |
No personal data is sold to third parties. No personal data is shared with commercial partners for advertising purposes.
6-bis. Cookies and Analytics of the Website (vibesout.com)
Types of cookies used
The website vibesout.com uses cookies and similar tracking technologies. Upon the first visit, an informative banner is shown, allowing the user to provide or refuse consent to the use of analytical cookies. The expressed preference is stored locally in the browser (localStorage) and respected on subsequent visits.
The cookies used are divided into the following categories:
| Category | Provider | Purpose | Duration |
|---|---|---|---|
| Technical / Necessary | VibesOut | Storing cookie consent preferences (cookie-consent) | Persistent (localStorage) |
| Analytics | Google Analytics 4 (Google LLC) | Measuring traffic, acquisition sources, visited pages, interaction events (e.g., clicks on "Download App"). Pseudonymized and aggregated data. | Up to 2 years |
| Product Analytics | Amplitude Inc. | Analyzing visitor behavior (page views, clicks, sessions, traffic sources). Includes Session Replay for anonymous reproduction of sessions to identify usability issues. Pseudonymized data. | Up to 1 year |
| Error Monitoring | Functional Software Inc. (Sentry) | Automatic detection of JavaScript errors and technical issues. Collected data (stack trace, URL, browser) is technical and contains no user identifying information. | 90 days |
Legal basis for analytical cookies
Technical and necessary cookies: Art. 6.1.b GDPR — necessary for the operation of the consent banner. No consent is required under Art. 5.3 of the ePrivacy Directive.
Analytics and product cookies (Google Analytics 4 and Amplitude): Art. 6.1.a GDPR — user consent expressed through the cookie banner. The user can refuse consent without any limitation in accessing the site. Consent can be revoked at any time by clearing browser data or contacting the Controller.
Error monitoring cookies (Sentry): Art. 6.1.f GDPR — legitimate interest of the Controller to ensure the proper technical operation of the website. The data is exclusively technical and does not allow user identification.
How to disable cookies
In addition to the banner on the site, the user can manage or disable cookies directly from their browser settings. Please note that disabling certain cookies could affect the correct display of some features of the site. For more information, consult your browser's guide.
7. Transfers to Third Countries (Art. 44–49 GDPR)
Some of the Data Processors listed above are based in the United States of America, a country outside the European Economic Area. Transfers take place in compliance with the following guarantees:
- Standard Contractual Clauses (SCC) adopted by the European Commission with Implementing Decision (EU) 2021/914 of June 4, 2021 (Module 2 — Controller to Processor).
- EU-U.S. Data Privacy Framework (DPF), where providers are certified under the European Commission's Adequacy Decision of July 10, 2023.
Where technically possible, EU user data is preferentially processed on infrastructures based in the European Union (e.g., Hetzner DE, Vertex AI with EU region, Sentry with EU region — Frankfurt GCP, Cloudflare R2 with EU bucket).
8. Transfer of Service to a Third-Party Company
Users' personal data may be transferred to a subsidiary or affiliate of the Controller, or to a company that will succeed in managing the VibesOut service, maintaining the same processing purposes indicated in this policy.
In this case, the acquiring company will become the new Data Controller and succeed in the contractual relationships with data subjects. At the time of the transfer, the company will provide data subjects with an updated information notice with its contact details and methods for exercising rights, in compliance with Art. 13 GDPR.
The Controller guarantees that any transfer will occur exclusively to subjects that offer adequate guarantees regarding personal data protection and maintain the same level of protection provided by this policy and the GDPR.
9. Data Retention Period (Art. 5.1.e GDPR)
Personal data is stored for the time strictly necessary for the purposes for which it was collected:
| Data category | Retention period |
|---|---|
| Account data (email, name, username) | For the entire duration of the account. After deletion: anonymized within 30 days, except for legal obligations |
| Password (hash) | For the entire duration of the account; deleted upon account deletion |
| Phone number | For the entire duration of the account |
| Date of birth | For the entire duration of the account |
| Gender (if provided with consent) | Until consent is revoked or account is deleted |
| Profile photo and published media | Until deleted by the user or account deletion |
| Private messages | Stored in encrypted form in the database for the entire duration of the conversation. Permanently deleted upon user request through deletion from their in-app interface. There is no automatic expiration term: storage ceases exclusively by voluntary act of the user or following account deletion. |
| GPS Coordinates | Not stored permanently — updated in real-time and not archived historically |
| Session token (JWT) | Automatic expiration after [X hours] of inactivity |
| Refresh token | 30 days from creation, renewable with use |
| Phone verification token | 10 minutes from generation |
| Password reset token | 1 hour from generation |
| Technical error logs (Sentry — mobile app & website) | 90 days |
| Website analytics data (Google Analytics 4) | Up to 2 years (standard GA4 configuration) |
| Website product analytics data (Amplitude) | Up to 1 year |
| Technical session data | 30 days |
Upon expiry of the retention periods, the data is securely deleted or irreversibly anonymized.
10. Rights of the Data Subject (Art. 15–22 GDPR)
The user has the right to exercise, at any time, the following rights:
Art. 15 — Right of access: obtain confirmation of whether data concerning them is processed and receive a copy in a structured format, via the "Download my data" function available in the application settings.
Art. 16 — Right to rectification: request the correction of inaccurate or incomplete personal data, directly from the profile settings or by contacting the Controller.
Art. 17 — Right to erasure ("right to be forgotten"): request the deletion of all personal data via the "Delete account" function in the application settings. Deletion occurs in cascade on all associated data (messages, content, tokens, logs). Data is anonymized within 30 days of the request.
Art. 18 — Right to restriction of processing: request that the processing of their data be restricted in the cases provided for by the rule (e.g., dispute of data accuracy, opposition to processing during verification of legitimate interest).
Art. 20 — Right to data portability: receive their personal data in a structured, commonly used, and machine-readable format (JSON), via the "Download my data" function in the settings.
Art. 21 — Right to object: object to the processing of their data in cases where the legal basis is the legitimate interest of the Controller.
Art. 7.3 — Withdrawal of consent: withdraw consent given at any time (e.g., for the gender field, for push notifications) without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise their rights, the user can:
- Use the integrated functions in the application (Settings → Privacy)
- Send a formal request to the Controller's PEC: danilomastropaolo@pec.it (certified legal value channel, recommended for formal requests)
- Send a request via ordinary email: info@vibesout.com (for informal requests or support — without certified legal evidentiary value)
The Controller responds to requests within 30 days of receipt. In case of particularly complex or numerous requests, the deadline may be extended by a further 60 days, subject to notifying the data subject.
Right to lodge a complaint: the user has the right to lodge a complaint with the competent supervisory authority. For Italian users: Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it
11. Profiling, Algorithms, and Automated Decisions (Art. 22 GDPR — Reg. EU 2024/1689)
11.1 Automated systems in use
The VibesOut application uses automated systems for the following purposes:
- Spotlight — real-time social proximity: a feature that allows the user to view other users physically present in the same geographical area and interact with them. The system does not make content recommendations or suggest events: it exclusively shows users co-present in the immediate physical vicinity, sorted by real-time geographical distance. The sorting parameter is unique: the geographical distance between the user and other users present. This system does not produce legal effects or significantly affect the user — it is a proximity view that the user is free to ignore.
- AI Analysis for organizers: processing of aggregated data related to events to generate statistical insights intended for the organizer. Individual user data is aggregated and anonymized before AI processing where possible.
- Assisted moderation: automatic detection of content potentially violating community guidelines. The final decision is always subject to human review before any action is taken on the user's account.
11.2 Absence of binding automated decisions
VibesOut does not adopt automated decisions that produce legally binding or significant effects on the user without human intervention, under Art. 22 GDPR. The user is not subject to decisions based solely on automated processing that produce effects on their person.
11.3 Right to contest
Should the user believe they have been subject to an automated decision that produced significant effects on their account (e.g., suspension, content removal), they have the right to request a human review of the decision by writing to danilomastropaolo@pec.it with the subject "Review automated decision — [username]". The Controller responds within 30 days.
12. Data Security and Accountability (Art. 32 and Art. 5.2 GDPR)
12.1 Technical and organizational measures (Art. 32)
The Controller adopts appropriate technical and organizational measures to ensure personal data security, including:
- Encryption of communications in transit (TLS/HTTPS)
- Hashing of passwords with the bcrypt algorithm
- Hashing of sensitive tokens before database storage
- Automatic expiration (TTL) of all session and verification tokens
- Database access limited to authorized personnel
- Technical monitoring of errors via a dedicated system (Sentry, with EU region and active PII filters)
- Database servers hosted on ISO 27001 certified infrastructure (Hetzner, Germany)
In the event of a personal data breach that poses a risk to users' rights and freedoms, the Controller will notify the Garante within 72 hours of discovery (Art. 33 GDPR) and, if the breach is of high severity, will promptly inform the affected users (Art. 34 GDPR).
12.2 Accountability documentation (Art. 5.2 and Art. 30 GDPR)
In compliance with the principle of accountability (Art. 5.2 GDPR), the Controller maintains and updates a Register of Processing Activities (Art. 30 GDPR), an internal document listing all processing activities, their purposes, legal bases, categories of data, and security measures adopted. This register is not public, but the Controller undertakes to present it to the supervisory authority upon request, in compliance with Art. 31 GDPR.
13. App Store — Declarations of Conformity
This information notice constitutes the official documentation on data processing for the purposes of the declarations required by application distribution stores:
- Apple App Store (Privacy Nutrition Labels): the data categories declared in the application page on the App Store reflect what is described in this privacy policy. In the event of a discrepancy between the App Store page and this policy, the latter prevails as a legally binding document.
- Google Play Store (Data Safety Section): the information provided in the "Data Safety" section of the Google Play page reflects what is described in this privacy policy. The user is invited to consult both sources for a complete view.
The Controller undertakes to update the declarations on the stores concurrently with any substantial modification to this privacy policy.
14. Changes to This Privacy Policy
The Controller reserves the right to update this privacy policy at any time, in particular in the event of:
- Regulatory changes or new guidelines of the Garante or the EDPB
- Introduction of new features, new providers, or new processing purposes
- Introduction of paid services (which involve new processing for payment management)
- Transfer of the service to a new company
Substantial changes will be communicated to users via in-app notification or email with a notice of atleast 15 days before entering into force. Continued use of the service following notification implies acceptance of the updated privacy policy.
The current version is always available in the application at the section Settings → Privacy and Terms.
Privacy Policy VibesOut — Version 1.1 — June 9, 2026
Update: added website cookie section (Amplitude, Google Analytics 4, Sentry web), updated providers table.
Controller: Danilo Mastropaolo — info@vibesout.com | PEC: danilomastropaolo@pec.it