Privacy Policy

1. Introduction

Welcome to Synceria, a Vibin LLC company ("Synceria," "we," "us," or "our"). Synceria is a US-only, 18+ dating service available on iOS and Android. This Privacy Policy explains how we collect, use, share, and protect information when you use our mobile application and related services (collectively, the "Service").

By using Synceria, you agree to this Privacy Policy. If you do not agree, do not use the Service.

2. Information We Collect

We collect the following categories of information:

• Account identifiers: Email address, user ID, login metadata
• Profile and photos: Name, bio, age/DOB, pronouns, gender, relationship preferences, and profile photos. Optional profile details may include work, education, hometown, zodiac sign, height, exercise frequency, pets, family plans, and music artist selections.
• Sensitive data: Precise location (lat/lng), gender identity, sexual orientation, ethnicity, religious preferences, political preferences, substance use preferences (drinking, smoking, vaping, cannabis), sex drive, and other optional profile attributes
• Matching and activity data: Swipes, likes, matches, passes, blocks, and interaction history
• Communications: Chat messages, your display name, and a link to your profile photo are transmitted to Stream (GetStream) to enable in-app messaging between matched users. Reports, support messages, and screenshot attachments submitted through the feedback form are stored by us.
• Device and app data: Device identifiers, device model name (e.g., "iPhone 16 Pro"), user agent, OS/app version, IP address, email domain (for account security monitoring), push tokens, and diagnostic logs
• Age verification status: In states where age verification is required by law (currently Utah and Louisiana), we record a boolean verification decision (pass or fail), your US state name, and the device platform. No age values (such as age ranges or dates of birth from the verification API) are stored anywhere. These records are retained in our database for regulatory compliance.
• Subscription data: Subscription status and entitlements via RevenueCat, Apple, and Google
• Analytics and telemetry: Usage analytics, screen navigation tracking, app lifecycle events (app open, background, and foreground), email domain (for abuse detection), and error/exception data via PostHog; native crash reports and stack traces via Sentry
• Safety and moderation: Reports, moderation actions, and automated photo content analysis. When you upload a profile photo, the image is transmitted to Google Cloud Vision, a third-party AI service operated by Google, for automated content safety analysis. Google analyzes the photo to detect potentially unsafe content (such as explicit or violent imagery) and returns safety scores to us. Google processes photos transiently and does not retain your images after analysis. No identifying information (such as your name or user ID) is sent to Google with the photo.
• Third-party authentication: If you choose to sign up or log in using "Sign in with Apple" or "Sign in with Google," we receive certain basic profile information from the respective provider. This may include your name, verified email address, and a unique identifier. We do not obtain your password from Apple or Google. We use this information to create and authenticate your Synceria account. You can control the personal data shared with us through your Google or Apple account settings.
• NCII removal data: If you submit a Nonconsensual Intimate Image (NCII) removal request — through the in-app reporting mechanism or the public web form at synceriaapp.com/ncii-removal — we collect: (i) your name and email address, (ii) the descriptions and identifiers (URLs, in-app references) you provide for the content, (iii) your good-faith attestation and electronic signature, (iv) for web-form submissions, the IP address used to submit (for abuse monitoring only), and (v) for in-app submissions, your Synceria account ID. If you submit anonymously through the web form, we do not link the request to any Synceria account. We also generate perceptual hashes (digital fingerprints) and SHA-256 hashes of the reported content; these hashes do not contain or reveal the original image and cannot be used to reconstruct it.

Marketing emails are on hold; we do not send marketing emails at launch. We do not run ad networks or targeted advertising at launch.

3. Sources of Information

We collect information from:

• You: Information you provide during onboarding or in your profile
• Your device: App usage, device data, and location (with permission)
• Third parties: Apple Music (public catalog search API only - we do not authenticate your Apple Music account or receive any Apple Music user data; your selected artist preferences are stored as part of your profile), Apple/Google (subscriptions), RevenueCat (subscription status), Stream (chat), PostHog (product analytics), Sentry (crash reporting and error diagnostics)
• Authentication providers: We obtain information from Apple and Google when you authorize us to authenticate using their identity services. The information we receive is limited to what is necessary to verify your identity and log you into Synceria. We do not collect additional data from these providers without your permission.

4. How We Use Your Information

We use your information to:

• Provide and maintain the Service, including automated profile ranking for matching and discovery (see Section 12)
• Enable communication between matched users
• Personalize your experience and improve the Service
• Operate subscriptions and account billing
• Send transactional notifications (matches, messages, account updates)
• Detect, prevent, and respond to fraud, abuse, and safety issues
• Provide customer support and respond to requests
• Measure performance and improve reliability (analytics/telemetry)
• Comply with legal obligations and enforce our Terms

AI and machine learning: Synceria does not use your personal data to train machine learning, artificial intelligence, large language, or generative AI models. Photo moderation via Google Cloud Vision is transient, real-time processing and does not involve training on your data.

5. How We Share Information

We share information in the following circumstances:

• With other users: Your profile and content appear to potential matches
• With authentication providers: When you choose to sign in with Apple or Google, those providers may know that you are signing into Synceria. We do not share your Synceria profile details back to Apple or Google except as required to facilitate authentication and comply with their developer terms.
• Service providers: Vendors who help us operate the Service, including:

• Supabase (auth, database, storage, Edge Functions)
• Stream (GetStream) for real-time chat - receives your display name, profile photo, and chat messages to enable messaging between matched users
• RevenueCat plus Apple/Google for subscription management and billing
• Apple Music for music integration (public catalog search API only - no Apple Music user authentication, no Apple Music account data or PII is collected or shared; artist data is cached for up to 14 days)
• PostHog for analytics, screen navigation tracking, and error logging
• Sentry for native crash reporting and error diagnostics (anonymous device and error data only; IP addresses are inherently transmitted as part of the connection but no email addresses or other personal identifiers are intentionally sent)
• Expo for push notification routing; Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) as the final-delivery endpoints (these services receive your device push token and notification content to deliver notifications to your device)
• Google Cloud Vision (Google LLC) for automated AI-based photo content moderation - profile photos are transmitted to Google's servers for real-time safety analysis; photos are processed transiently and not retained by Google after analysis
• Google Play Age Signals API (Android only) for on-device age verification in states where required by law (currently Utah and Louisiana). The API runs entirely on-device via Google Play services. No age data is transmitted to our servers or to Google. Only a boolean pass/fail decision is stored server-side. Age verification data is not used for advertising, marketing, profiling, or analytics.
• Upstash Redis for rate limiting and caching (ephemeral operational data such as request counters; rate-limit keys may include IP addresses or email addresses with short-lived retention of approximately 1 hour)
• Resend for transactional email delivery (account deletion confirmations)

We may also share information to comply with law, protect safety, or as part of a business transaction. We do not sell your personal information.

Data location: Your data is stored and processed in the United States. Our primary infrastructure provider (Supabase) hosts data on AWS us-east-1 in Virginia. All other service providers listed above also process data in the United States. Our service providers may engage their own sub-processors to assist in providing their services; their current sub-processor lists are available on their respective websites.

6. Sale/Share for Targeted Advertising

Synceria does not sell or share personal information for targeted advertising, and we do not run ad networks at launch. If this changes, we will update this policy and provide required opt-out options.

7. Sensitive Data

We collect the following categories of sensitive personal information, depending on what you choose to share:

• Gender identity and sexual orientation - required for matching. You select these during onboarding to help us show you relevant profiles.
• Precise location - required for distance-based matching (with your device permission).
• Ethnicity - optional. You may choose "Prefer not to say."
• Religious preferences - optional. You may choose "Do Not Display."
• Political preferences - optional. You may choose "Do Not Display."
• Substance use preferences (drinking, smoking, vaping, cannabis) - optional. You may choose "Do Not Display."
• Sex drive - optional. You may choose "Do Not Display."

All optional sensitive fields can be skipped entirely during onboarding or changed at any time in your profile settings. By choosing to provide optional sensitive information, you consent to its processing for profile display and matching personalization. You may withdraw this consent at any time by removing the information from your profile or selecting "Prefer not to say" or "Do Not Display."

8. Data Retention

We retain information only as long as needed for the purposes described.

• Account deletion: Profiles are hidden immediately; most data is deleted within 30 days, subject to retention exceptions
• Safety retention: Limited data may be retained for up to 90 days after account closure for safety, fraud, or legal defense
• Banned accounts: Minimal identifiers and evidence may be retained for up to 2 years for abuse prevention and appeals
• Chat: Chat messages are hosted by Stream (GetStream). When a match is dissolved (unmatch), the chat channel is no longer accessible to either user. When you delete your account, all your chat data, including messages, channels, and user metadata, is permanently deleted from Stream as part of our account deletion pipeline
• Unverified accounts: Deleted after 7 days
• Data export logs: Retained for 90 days
• Discovery views: Retained for 30 days
• Swipe history (non-matches): Retained for 90 days
• Unmatched matches: Deleted after 48 hours
• Artist cache: Up to 14 days (Apple Music catalog data)
• Analytics data (PostHog): Retained according to configured retention period (currently 90 days)
• Crash and error data (Sentry): Auto-expires within 30-90 days
• Age verification audit records: When your account is deleted, PII columns (user ID, state, error codes) are anonymized. Non-PII verification decisions (verified, meets age requirement, blocked) are retained indefinitely for regulatory safe harbor defense
• Purchase data: In-app purchase grants, consumption records, and transaction identifiers are deleted when your account is deleted. Purchase event logs are anonymized and retained for refund and billing dispute resolution

Support, feedback, and moderation records may be retained longer when necessary to resolve issues or meet legal obligations.

NCII removal records

Synceria retains NCII removal request records for 3 years from the date the request was submitted, after which the records are anonymized in place — your name, email, IP address, account link, content description, and electronic signature are removed, while the date of submission, request type, and resolution status are retained in aggregated form for compliance reporting. The 3-year period aligns with the federal civil-penalty statute of limitations applicable to TAKE IT DOWN Act enforcement actions. Hashes of removed content are retained indefinitely for as long as the content remains identified as NCII, because the federal "reasonable efforts to prevent re-upload" obligation requires hashes to outlast the original request. You may appeal a hash blocklist entry via the appeal process described in our Terms of Service §7; granted appeals deactivate the corresponding hash entry, but the row is preserved for audit purposes.

Anonymous web-form submissions (NCII)

Because anonymous NCII web-form submissions are not linked to any Synceria account, we cannot verify that a CCPA right-to-know or right-to-delete request from a third party corresponds to a particular submission. If you submitted anonymously and want to exercise CCPA rights over your submission, you may (i) include the request reference number you received and (ii) prove control over the email address used at submission by replying to a verification email. Without these, we cannot honor a deletion request, because doing so would let any third party erase NCII removal records by guessing reference numbers. The depicted individual whose content was the subject of the request retains their CCPA rights independently through any Synceria account they may have, even when the request was submitted by an anonymous third party on their behalf.

9. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit and at rest
• Secure authentication and access controls
• Regular security audits and monitoring
• Employee training on data protection

On-device storage: To keep you signed in and reduce network requests, we store limited account data on your device using the platform's encrypted secure storage (iOS Keychain / Android Keystore). This includes authentication tokens and session data (including your email address), Stream Chat session tokens, push notification device tokens, and display preferences. This data remains on your device until you sign out or delete your account, at which point it is removed. We do not transmit on-device data to any third party beyond what is described in Section 5. A boolean age verification flag may be stored in device secure storage to enforce age restrictions across sessions in applicable states. This flag persists through sign-out and is cleared by app uninstall.

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

10. Your Rights and Choices

You may have the right to:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and associated data
• Portability: Export your data in a portable format
• Opt-out: Opt out of sale/share or targeted advertising (if applicable)
• Appeal: Appeal a denied privacy request

To exercise these rights, email admin@vibinllc.com with the subject line "Privacy Request," or submit a deletion request at synceriaapp.com/delete-account. We may verify your identity before responding. You can appeal decisions by emailing the same address with the subject line "Privacy Appeal."

We do not discriminate against users for exercising privacy rights. Authorized agents may submit requests on your behalf where permitted by law.

Revoking third-party sign-in: You may disconnect your Google or Apple account from Synceria at any time by accessing the account settings within the app or through the respective provider's account-management portal. If you disconnect your third-party login or delete your Synceria account, the authentication tokens we hold for Google or Apple will be deleted within 30 days.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know what personal information we collect and how it is used
• Right to delete your personal information
• Right to correct inaccurate personal information we hold about you
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to limit the use of sensitive personal information (such as gender identity and dating preferences) to purposes necessary for providing our services
• Right to non-discrimination for exercising your privacy rights
• Right to information about automated decision-making technology used to process your personal information (see Section 12)

Sensitive personal information & service delivery: Synceria is a dating application whose core functionality depends on certain sensitive personal information. We distinguish between two categories:

• Required for service delivery (CPRA §1798.121(b) exception): Precise location, gender identity, and sexual orientation are essential to our matching services and cannot be limited while maintaining an active account.
• Optional, consent-based: Ethnicity, religious preferences, political preferences, substance use preferences (drinking, smoking, vaping, cannabis), and sex drive are entirely optional. Your consent is given when you choose to provide this information during profile setup. You may withdraw consent at any time by removing these fields, choosing "Prefer not to say," or selecting "Do Not Display" in your profile settings.

If you wish to stop all use of your sensitive personal information, you may delete your account at any time through the app (Settings > Account > Delete Account) or at synceriaapp.com/delete-account.

How to submit a request: You may exercise any of these rights by contacting us at admin@vibinllc.com or by submitting a request through the app (Settings > Privacy). You may also submit a privacy or deletion request at synceriaapp.com/delete-account. Web-based privacy requests support email verification for faster processing.

Response timeline: We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days of receiving your verifiable request. If we need additional time, we will notify you of the reason and extension period, which will not exceed an additional 45 calendar days.

Categories of personal information collected: In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, user ID); personal information categories listed in Cal. Civ. Code 1798.80(e) (name, address); characteristics of protected classifications (age, gender, sexual orientation); internet or other electronic network activity information (app usage data, interactions); geolocation data (precise location); audio, visual, or similar information (profile photos); inferences drawn from the above (matching preferences); and age verification audit records (boolean decisions, state name, and platform for users in applicable states). We disclose personal information to our service providers listed in Section 5 for business purposes. We do not sell personal information. Data exports (Settings > Account > Export My Data) include age verification audit records where applicable.

12. Automated Decision-Making Technology

Under the California Privacy Rights Act (CPRA), you have the right to know about automated decision-making technology (ADMT) used to process your personal information.

How we use ADMT: Synceria uses an automated matching algorithm to rank and order profiles in your discovery feed. The algorithm does not automatically match you with anyone. You must manually swipe to express interest, and a match is only created when both users have liked each other.

Algorithm inputs: The matching algorithm considers the following factors when ranking profiles:

• Music vibes: Shared music genre preferences (you must share at least one vibe with another user for their profile to appear)
• Artists: Shared artist selections from your profile
• Location: Geographic proximity (closer profiles receive a higher ranking)
• Lifestyle compatibility: Overlap in lifestyle preferences you have provided
• Relationship goals: Compatibility in what you and other users are looking for
• Profile recency: How recently a profile has been updated

The algorithm also applies eligibility filters based on your age range preferences, gender preferences, and dealbreaker settings. Profiles that do not meet these criteria are excluded from your feed entirely.

How it works: Each eligible profile receives a compatibility score based on the weighted combination of the factors above. Profiles are then presented in order from highest to lowest compatibility. You do not see the numerical score, only the ranked order of profiles. The scoring weights may be adjusted by our team to improve the quality of recommendations.

Sensitive data in matching: The algorithm uses certain sensitive personal information that is essential to the matching service, including your precise location, gender identity, and sexual orientation. These inputs are necessary to show you relevant profiles and cannot be excluded from the algorithm while maintaining core service functionality (consistent with CPRA §1798.121(b)).

Your rights: You have the right to be informed about our use of ADMT, as described in this section. You may influence your results at any time by updating your vibes, artists, location, and profile preferences. If you wish to stop all automated processing of your personal information, you may delete your account through the app (Settings > Account > Delete Account) or at synceriaapp.com/delete-account.

13. Additional State Privacy Rights

Washington and Nevada - Consumer Health Data: If you are a Washington or Nevada resident, you can review our Consumer Health Data Privacy Policy at synceriaapp.com/consumer-health-data.

Virginia, Colorado, Connecticut, Indiana, Kentucky, Rhode Island, and Utah: If you are a resident of Virginia, Colorado, Connecticut, Indiana, Kentucky, Rhode Island, or Utah, you may have additional privacy rights under your state's consumer data protection law, including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of the sale of personal data or targeted advertising. These rights are described in Section 10 of this Privacy Policy. To exercise any of these rights, contact us at admin@vibinllc.com or use the in-app privacy settings described in Section 10. We do not discriminate against users who exercise their state privacy rights.

14. Account Deletion & Data Export

You can delete your account in the app at any time. Deletion is scheduled within 30 days and your profile is hidden immediately. If you cannot access the app, submit a request at synceriaapp.com/delete-account.

We provide data exports in a machine-readable format through the app. We may use secure, time-limited download links. Chat history is hosted by Stream (GetStream) and is included in the account deletion pipeline. When your account is deleted, all your chat data is permanently deleted from Stream.

15. Children's Privacy

Synceria is not directed at children under 13 and is restricted to users who are 18 years of age or older. We do not knowingly collect personal information from children under 13 or any minor under 18. If we learn that we have collected personal information from a child under 13 or any minor, we will delete that information promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy in the app and updating the "Last updated" date. We may require re-acceptance for material changes.

17. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: