Privacy Policy

Last updated: April 12, 2026

1. Who we are

Vybra is a music discovery application available on iOS and Android that helps you find new music by swiping through curated tracks and connecting your Spotify or Apple Music library. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it.

For data-related requests, contact us at delete@vybra.co.

2. Data we collect

2.1 Account information

When you sign in with Google or Apple we receive and store:

  • Email address — used to identify your account and send transactional messages.
  • Full name — displayed on your profile.
  • Profile picture URL — your chosen avatar, hosted on AWS S3.
  • OAuth provider identifier — an opaque ID from Google or Apple that lets us recognise returning users without storing your password.
  • Username — a unique handle you choose, shown publicly on your profile page.

2.2 Music preferences and activity

  • Genre preferences — the music genres you select during onboarding, used to personalise your discovery feed.
  • Track reactions (likes and dislikes) — every swipe is stored with a timestamp. Liked tracks are visible on your public profile.
  • Streaming service tokens — when you connect Spotify or Apple Music we store OAuth access tokens and refresh tokens to read your library. Spotify scopes: user-read-email, playlist-read-private, user-library-read. Apple Music scope: user-library-read.

2.3 Optional profile information

You may voluntarily add links to your Instagram, TikTok, or personal website. These are shown publicly on your profile.

2.4 App preferences

  • Notification preferences (recommendations on/off).
  • Explicit content filter setting.

2.5 Technical and diagnostic data

  • Crash reports — collected via Firebase Crashlytics when the app crashes, to help us fix bugs. Includes app version, device model, and crash stack trace.
  • Performance data — collected via Firebase Performance Monitoring to detect slow network requests and rendering issues.
  • Firebase Analytics — disabled by default. Not collected.
  • Advertising identifiers — not collected.

2.6 Data we do NOT collect

We do not collect location, contacts, call logs, browsing history, camera or microphone data, or any biometric information.

3. How we use your data

  • Authentication — to create your account, verify your identity on each session, and keep it secure.
  • Music discovery — to build a personalised track feed based on your selected genres and past reactions, and to exclude tracks you have already seen.
  • Library sync — to import tracks from your Spotify or Apple Music library and use them as input for recommendations.
  • Public profile — your username, name, photo, social links, and liked tracks are shown publicly at vybra.co/[username].
  • Transactional email — sent via AWS SES for account-related communications only (e.g. deletion confirmations). We do not send marketing email.
  • Service reliability — crash and performance data are used exclusively to fix bugs and improve app stability.

4. Legal bases for processing

  • Contractual necessity — processing your email, name, and reactions to provide the core service you signed up for.
  • Consent — connecting Spotify or Apple Music. You can withdraw consent at any time by disconnecting the service.
  • Legitimate interests — crash reporting and performance monitoring to maintain service quality, balanced against minimal data collection and no advertising use.

5. Data sharing and third-party processors

We do not sell your personal data. We share it only with the processors listed below, under contractual data-protection obligations:

Processor                 Purpose                      Data shared
------------------------  ---------------------------  --------------------------------------
MongoDB Atlas             Database storage             All account and activity data
AWS S3                    Profile photo storage        Photo files
AWS SES                   Transactional email          Email address
Google (OAuth)            Sign-in verification         ID token (one-time)
Apple (Sign-In & Music)   Sign-in and library sync     ID token, music library
Spotify                   Playlist and library sync    Playlists, saved tracks
Firebase (Google)         Crash and performance data   App version, device model, crash traces

We do not share your data with advertisers, data brokers, or any other third parties.

6. Public profile data

The following information is publicly accessible to anyone who visits your profile at vybra.co/[username] or calls our public API:

  • Username, display name, and profile picture
  • Social links (Instagram, TikTok, website) if you added them
  • Tracks you have liked (not dislikes)

If you do not want this information to be public, do not add social links and consider using a non-identifying username. You may request account deletion to remove all public data.

7. Data retention

  • Account data — retained until you request deletion.
  • Track reactions — retained until you request deletion.
  • Streaming tokens — retained until you disconnect the service or request account deletion, at which point we revoke and delete them.
  • Crash and performance data — retained for up to 90 days by Firebase according to their default policy.
  • Transactional emails — AWS SES logs retained for up to 60 days.

8. Your rights and controls

Depending on your location you may have the right to:

  • Access — request a copy of the data we hold about you.
  • Correction — update your name, username, photo, or social links directly in the app.
  • Deletion — request full account deletion by emailing delete@vybra.co from your account email. We will process and confirm within 30 days.
  • Restriction / objection — object to specific processing by contacting us.
  • Withdraw consent — disconnect Spotify or Apple Music at any time through the app settings. We will immediately stop accessing your library data.
  • Data portability — request an export of your data in a machine-readable format.

California residents may exercise CCPA rights (opt-out of sale, deletion, disclosure) via the same contact. We do not sell personal data.

9. Account deletion

To delete your Vybra account and all associated data:

  1. Email delete@vybra.co from the address linked to your account.
  2. We will confirm deletion within 30 days.
  3. Upon deletion we revoke Spotify and Apple Music tokens, remove your profile, reactions, and preferences from our database, and delete your photo from S3.

10. Children

Vybra is not intended for children under 13 (or the minimum age required by Spotify and Apple Music in your country, whichever is higher). We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it promptly.

11. International data transfers

Your data is processed on servers located in the United States (AWS, MongoDB Atlas). If you are in the European Economic Area, United Kingdom, or Switzerland, these transfers are conducted under appropriate safeguards including Standard Contractual Clauses where required.

12. Security

  • All API communication is encrypted via HTTPS/TLS.
  • Authentication tokens are signed with RSA-256 keys.
  • OAuth tokens are stored server-side; only a short-lived JWT is issued to the client.
  • On-device data (Android) is stored in encrypted DataStore.
  • Audio preview proxying uses allowlist-only domain validation to prevent SSRF attacks.

No system is completely secure. If you discover a vulnerability, please report it to delete@vybra.co.

13. Third-party services

Connecting Spotify or Apple Music is governed by their respective privacy policies:

14. Changes to this policy

We may update this policy to reflect changes in our features or legal requirements. Material changes will be communicated in-app. The "Last updated" date at the top indicates the latest revision.

15. Contact

For privacy questions, data requests, or to report a concern:

delete@vybra.co