VibeDispatcher Privacy Policy
Plain-language summary. VibeDispatcher is a paid voice + companion product for developers. We collect the minimum we need to run the service: your account info, the events and commands that flow between your Mac and your phone, and your voice usage counters. Direct text messages between your paired devices are end-to-end encrypted so we (and our servers) only ever see ciphertext. Watcher notifications (the assistant-turn alerts produced by the local Claude Code watcher) currently transit our Relay in readable form — we are migrating these to client-side encryption next; see §3.2 and §5 for the honest current state. Voice is different: when you use the cloud voice features, your audio goes to ElevenLabs, who can hear it. Illinois residents: cloud voice (the ElevenLabs ConvAI path) is not currently available to users whose IP resolves to Illinois — this is a deliberate compliance choice tied to the Illinois Biometric Information Privacy Act (BIPA). Local voice features (on-device speech, Atlas, the system
say command) remain available everywhere, including Illinois; see §5.4. This summary is provided for convenience only; the full text below controls in the event of any conflict.
Effective Date: 2026-05-20
Last Updated: 2026-05-20
Version: 1.0 — published without counsel review per founder ratification 2026-05-17 (master tracking founder-os#1523, D3). Subject to revision as the Delaware LLC filing completes and as VD's commercial footprint evolves; any material change is communicated per §11 with at least 30 days' notice where the timing is within our control.
1. Overview
This Privacy Policy explains how VibeDispatcher LLC, a Delaware single-member limited liability company ("VibeDispatcher," "we," "us," or "our") collects, uses, discloses, and protects information when you use the VibeDispatcher macOS desktop application, the Beacon companion (currently a Progressive Web App; native iOS app in development), the VibeDispatcher VS Code extension, the relay service operated at vd-away-relay.fly.dev (or its successor), and the VibeDispatcher marketing website at vibedispatcher.com (collectively, the "Service").
Beacon availability: The native iOS Beacon app is in active development. Until it ships via the App Store, Beacon is available as a Progressive Web App (PWA) accessible via your phone's browser at
beacon.vibedispatcher.com. Provisions in this Policy that reference "the Beacon iOS App," "App Store," "In-App Purchases," or "Apple" apply only when the native iOS app launches; the PWA version is governed by the same Privacy Policy but is not subject to App Store-specific provisions.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, do not install or use the Service.
This policy is written to satisfy our obligations under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the UK GDPR, and equivalent laws in other jurisdictions.
2. Who We Are and How to Contact Us
Controller: VibeDispatcher LLC (a Delaware single-member limited liability company; "VibeDispatcher LLC" is a working entity name pending Delaware filing — a different filed name may be substituted at launch)
Postal Address: [TBD — finalize at Delaware LLC filing]
Privacy Contact: privacy@vibedispatcher.com
General Contact: support@vibedispatcher.com
EU/UK Representative (if appointed): [TBD — required only if we have an "establishment" or systematic processing of EU/UK data subjects]
You may contact us about this policy or to exercise any of the rights described in Section 8 by emailing privacy@vibedispatcher.com or writing to the postal address above. We respond to verifiable rights requests within the timelines required by law (30 days under GDPR; 45 days under CCPA, extendable by 45 days when reasonably necessary).
3. What We Collect, When, and Why
We collect only what we need to operate the Service. Below is the full list, broken out by data category, the moment we collect it, the purpose, and our lawful basis under GDPR Article 6.
3.1 Account information
| Item | When collected | Purpose | Lawful basis |
|---|---|---|---|
| Email address | At checkout (Stripe) or at first device pairing | Account anchor; verification overlay during cross-device pairing; service-critical communications (billing, security, deprecations) | Contract performance (Art. 6(1)(b)) |
| Recovery-phrase salt / verification token (NOT the recovery phrase itself) | At first device pairing (where the user enables phrase recovery) | Verify a recovery-phrase challenge during cold-start account recovery without holding the phrase server-side | Contract performance (Art. 6(1)(b)) |
| Display name (optional) | In-app | Personalize UI | Consent (Art. 6(1)(a)) |
| Payment method (token, last-4, brand) | At checkout | Process subscription payments | Contract performance |
| Billing address (where required for tax) | At checkout | Tax compliance | Legal obligation (Art. 6(1)(c)) |
| Device names (e.g., "William's MacBook") | At device pairing | Display in your "Paired Devices" list | Contract performance |
| Device public keys (libsodium) | At device pairing | Authenticate your device on the relay; deliver E2E-encrypted messages | Contract performance |
We do not collect your full payment card number — that goes directly to Stripe. We never see it.
Account recovery — what we hold and what we don't. VibeDispatcher uses trusted-device cross-pairing as the primary recovery mechanism: any device you have already paired can authorize a new device, with no email round-trip required. As a cold-start safety net (in case all paired devices are lost), the desktop app generates a 24-word recovery phrase at first pairing using libsodium's
crypto_box_seed_keypair primitive. The recovery phrase itself is never transmitted to or stored on our servers — it is shown to you once, on your device, and you are responsible for storing it (a password manager, a printed copy in a safe, etc.). The recovery phrase is mandatory for Founders Tier customers (because Founders entitlement is tied to your account and we cannot recover it without proof of control) and optional for other tiers. Email remains as a verification overlay layered on top of the device + phrase trust roots; it is not the recovery root-of-trust.
3.2 Service operation data
| Item | When collected | Purpose | Lawful basis |
|---|---|---|---|
| Event metadata transiting the relay (event ID, type, source, workspace name, branch name, agent name, timestamp) | Each time a coding-agent event occurs on your Mac | Route the event to your paired devices; enable the alerts and trickle queue | Contract performance |
| Event summaries (the human-readable text such as "Claude Code waiting for input in project X") | Same | Same | Contract performance |
| Commands you submit from Beacon or the PWA | When you send a command | Route the command to the right Mac and execute it | Contract performance |
| Push subscription tokens (Web Push endpoint or Expo push token) | When you grant push permission | Deliver push notifications when away mode is on | Consent (Art. 6(1)(a)) for the underlying push permission; Contract performance for the routing |
| Pinned events archive | When you pin an event | Persist pins across sessions | Contract performance |
| Voice usage counters and session metadata (your user ID, session start/stop timestamp, billed duration, ElevenLabs session ID) | Each ConvAI session | Issue voice tokens; enforce per-user cost ceilings; bill correctly; defend against billing disputes | Contract performance + Legitimate interest (Art. 6(1)(f)) for cost-runaway prevention |
| Claude Code transcript signals read from ~/.claude/projects/ on your Mac | When the local ClaudeProjectsWatcher observes a new assistant end-of-turn line in a session transcript | Detect when a Claude Code session has finished a turn (or is looping) so the desktop app can route a notification to your paired devices. The extracted text from the assistant turn forms the body of the resulting in-product event/notification. Today, the body transits our Relay in readable form (TLS in transit, encrypted at rest); we are migrating to client-side libsodium encryption — see callout below. | Contract performance |
| Server-side logs (IP address, request path, status code, duration, workspace name from event context) | On every API request, except /health and SSE keepalive | Security, abuse detection, debugging | Legitimate interest (Art. 6(1)(f)) |
Workspace names are commercially sensitive. Workspace names map to project directory basenames on your Mac (e.g.,
client-acme-billing-rewrite). They may contain client names or otherwise sensitive identifiers. They are retained per the server-log retention period in Section 9 (30 days). If this is a concern, consider using a generic workspace name in ~/.vibedispatcher/config.yaml.
Claude Code transcript collection — what this means. The desktop app's
ClaudeProjectsWatcher reads the JSONL transcript files Claude Code writes to ~/.claude/projects/ on your Mac. For each new assistant end-of-turn line, the watcher extracts (a) session identifiers, (b) the working directory, (c) the timestamp, and (d) the text content of the assistant's reply in that turn. The extracted text becomes the body of the resulting in-product notification routed to your paired devices via the Relay. Today, the body of these notifications transits and is stored at our Relay in readable form (encrypted in transit via TLS 1.2+, encrypted at rest by our database provider, but accessible to our Relay servers and to authorized operators in the course of debugging or responding to lawful requests). We are migrating to client-side libsodium encryption of these notification bodies as part of the Happy absorption Phase 2 work — see Commercial-Direction Audit §12 and Happy Absorption Audit Phase 2 for the roadmap. Once shipped, the Relay will store ciphertext only for these bodies, and we will update this Privacy Policy in lockstep. The watcher does not read your source code, the contents of files in your editor, or any Claude Code prompt content; it only reads completed assistant-turn lines. You can disable the watcher in ~/.vibedispatcher/config.yaml.
Retention for these items is detailed in Section 9.
3.3 Voice content (the important distinction)
When you use cloud voice features (ElevenLabs Text-to-Speech or ElevenLabs ConvAI two-way conversations):
- The audio of your speech and the audio of the agent's reply transit directly between your device and ElevenLabs LiveKit infrastructure. While the audio stream itself does not transit our servers, our Relay issues each voice session token and logs the session metadata (your user ID, session start/stop timestamp, billed duration, ElevenLabs session ID) in order to enforce per-user quotas and bill correctly. We do not log or have access to the audio content itself.
- ElevenLabs receives, processes, and may temporarily retain your voice content subject to their privacy policy: https://elevenlabs.io/privacy-policy
- See Section 5 (Trust Model) below for the full implications.
When you use local voice features (Apple's on-device Speech Framework, the local Atlas/Piper model, or say):
- All audio processing happens on your device. No audio leaves your machine.
3.4 Optional crash reports (Sentry — opt-in)
Client-side (opt-in, controllable by you). If you opt in via Settings → Privacy, the desktop app, the voice subprocess, the Core orchestrator, the VS Code extension, and the Beacon iOS app may send crash reports and handled-error reports to Sentry. These reports may contain stack traces, the app version, the OS version, a session UUID, and the values of variables in scope at the time of the error.
Server-side (Relay — operated under Legitimate Interest). Our Relay emits server-side error reports to Sentry independently of any client-side opt-in, with PII scrubbed before transmission. This concerns server operation (security, abuse, debugging) — not your personal device — and cannot be opted out of by the user.
Lawful basis: Consent (Art. 6(1)(a)) for client-side opt-in. Legitimate interest (Art. 6(1)(f)) for server-side Relay error reporting, balanced against your rights and freedoms. Default for client-side is off. You can revoke client-side consent at any time via Settings → Privacy.
3.5 Optional product analytics (PostHog — opt-out outside EU/UK/CH; opt-in inside EU/UK/CH)
Default behavior depends on your region.
- EU, UK, and Switzerland: PostHog product analytics is disabled by default. The SDK does not initialize and no instance UUID is generated until you affirmatively enable analytics in Settings → Privacy on first launch. This is required by the ePrivacy Directive (Art. 5(3)) and EDPB Guidelines on consent — opt-out cannot constitute valid consent for storage/access on your device.
- Outside EU/UK/CH: PostHog product analytics is enabled by default on a Legitimate Interest (Art. 6(1)(f)) basis, with an unambiguous opt-out path in Settings → Privacy. You have the right under Art. 21 to object to processing based on Legitimate Interest at any time; we honor objections within 24 hours.
When enabled, we record anonymous product-usage events (e.g., "feature X used," "tier upgrade attempted," "voice session started") in PostHog. Events are tied to a stable but non-PII instance UUID, not to your email or name.
Lawful basis: Consent (Art. 6(1)(a)) in the EU, UK, and Switzerland (opt-in default). Legitimate interest (Art. 6(1)(f)) elsewhere (opt-out default; right to object under Art. 21). You can change this setting at any time via Settings → Privacy. Changes are honored within 24 hours.
3.6 Marketing site analytics (Plausible — cookieless)
The marketing site at vibedispatcher.com uses Plausible Analytics, a privacy-respecting alternative to Google Analytics. Plausible:
- Does not use cookies.
- Does not collect personal data, IP addresses, or any cross-site identifiers.
- Counts unique visitors via a daily-rotating hash that cannot be reversed back to you.
Because Plausible is cookieless and does not process personal data, it does not require a cookie banner under EU ePrivacy / GDPR.
3.7 What we do not collect
- Your microphone audio when you have not initiated a voice action.
- The contents of files you open in VS Code, Terminal, or any editor.
- Source code or repository contents (other than as may be embedded in a Claude Code assistant-turn reply that the local ClaudeProjectsWatcher extracts as event body — see §3.2; we do not read source files directly).
- Filesystem listings (other than the workspace-name basename described in §3.2).
- Keystrokes outside the active voice-command capture window.
- Browsing history or activity outside our app.
BYO API keys (when applicable). When you use BYO-key features (your own Anthropic and/or ElevenLabs API key), the keys are stored locally in ~/.vibedispatcher/config.yaml on your Mac in plaintext. They are not transmitted to our Relay and we never see them. Optionally, the desktop app supports reading a TTS API key from the macOS Keychain (tts_api_key_service config option). If keeping API keys in a plaintext config file is a concern, you may use the Keychain-backed option for TTS, or rely on our managed cloud-voice path (where you do not provide a key).
3.8 App Tracking Transparency (Apple devices)
VibeDispatcher does not track users across apps or websites owned by other companies, as Apple defines "tracking" under the App Tracking Transparency (ATT) framework. We will not present an ATT prompt because we do not engage in tracking. Both PostHog (product analytics) and Sentry (crash reporting) are configured to operate without cross-app/cross-site tracking; identifiers are app-scoped and not shared with third-party data brokers or ad networks.
4. How We Use the Information
We use the information in Section 3 to:
- Operate the Service — route events, deliver commands, issue voice tokens, send push notifications, render the UI.
- Bill correctly — match usage to your subscription tier; enforce per-user cost ceilings.
- Secure the Service — detect abuse, prevent fraud, mitigate DDoS, investigate incidents.
- Communicate with you — send service-critical notices (billing failures, security advisories, material policy changes). We do not send marketing emails without separate consent.
- Improve the Service — debug errors (with your consent for crash reports); understand feature usage (where analytics is enabled per §3.5).
- Comply with law — respond to lawful requests; meet tax, accounting, and regulatory obligations.
We do not:
- "Sell" your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do disclose limited categories of information to service providers (listed in Section 6) under written contracts that restrict their use to providing services to us. (See Section 8 — "Do Not Sell or Share My Personal Information.")
- Use your voice content, message content, command content, or event content to train AI models.
- Build advertising profiles. We do not run ads.
5. Trust Model — The E2E vs Voice Distinction
This section is the most important one in this policy. Read it twice.
5.1 Text messages: end-to-end encrypted (with one disclosed exception below)
Messages between your Mac and your paired devices (e.g., the Beacon iOS app) are end-to-end encrypted using libsodium (NaCl box). Each device generates its own libsodium key pair on first launch; the private key never leaves the device's secure storage (macOS Keychain, iOS Keychain).
The result: when one of your devices sends a text message to another, our relay servers see only ciphertext. We cannot read the content of your messages, even if compelled. We cannot turn over plaintext we do not have.
We can see, and do retain, the metadata described in Section 3.2 (event IDs, workspace names, timestamps, etc.). End-to-end encryption protects message content, not the fact that a message was sent or who sent it to whom.
One disclosed exception today: Claude Code watcher notification bodies. The notifications produced by the local ClaudeProjectsWatcher (assistant-turn text routed to your paired devices — see §3.2) are not yet end-to-end encrypted in v1. Today, the body transits and is stored at our Relay in readable form (TLS 1.2+ in transit, encrypted at rest). We are migrating these bodies to the same client-side libsodium encryption used for direct device-to-device text messages, as part of the Happy absorption Phase 2 work (see Commercial-Direction Audit and Happy Absorption Audit). Once shipped, the watcher's notification bodies will join the "server sees ciphertext only" bucket, and we will update this Privacy Policy in lockstep. Until then, treat the body of these notifications as visible to our Relay operators in the course of debugging or responding to lawful requests. If this matters for a specific session, you can disable the watcher in ~/.vibedispatcher/config.yaml.
Recovery root-of-trust. The end-to-end trust model rests on the device key pairs (cross-pair from any already-paired device) and the 24-word recovery phrase generated locally at first pairing using libsodium's crypto_box_seed_keypair primitive. The recovery phrase is the cold-start recovery root-of-trust — it is shown to you once, never transmitted to or stored on our servers, and you are responsible for storing it securely. Email is a verification overlay only, not a recovery root: an email round-trip can confirm an account anchor but cannot, on its own, restore device-side keys. If you lose all paired devices and your recovery phrase, your encrypted message history cannot be recovered by us — we do not hold the keys.
5.2 Voice content: NOT end-to-end encrypted to us, but processed by ElevenLabs
When you use cloud voice features (ElevenLabs TTS or ConvAI):
- Audio flows directly between your device and ElevenLabs. The audio stream itself does not transit our servers.
- We never receive, store, or have access to the audio. Our Relay does, however, issue each voice session token and log the session metadata described in §3.3 (your user ID, session start/stop timestamp, billed duration, ElevenLabs session ID) for quota enforcement and billing.
- ElevenLabs receives the audio and processes it on their infrastructure. They can hear what you say.
- ElevenLabs is an independent controller for voice content. ElevenLabs determines its own retention, training-data use, and security practices for the audio it receives. Their handling is governed by their privacy policy: https://elevenlabs.io/privacy-policy. We do not control ElevenLabs's processing decisions for the audio data after it arrives at their infrastructure.
- Lawful basis for the onward transfer to ElevenLabs: Contract performance (Art. 6(1)(b)) for the speech-to-text and text-to-speech transcription purpose. Where ElevenLabs's enterprise terms apply, our contractual relationship with them restricts certain training-data uses; otherwise, ElevenLabs's published policy governs.
- ElevenLabs retains conversation data per their published policy, which you should review at https://elevenlabs.io/privacy-policy. We do not control or modify their retention.
- ElevenLabs may use voice data to improve their own services, subject to their opt-out controls. See ElevenLabs's privacy policy for the current state of these controls.
- Per ElevenLabs's stated practices, they do not use voice data to profile or target consumers.
When you use local voice features (on-device Apple Speech, local Atlas/Piper, say):
- Audio never leaves your device. ElevenLabs (or any other cloud provider) is not involved.
5.3 What this means in plain English
- If voice content sensitivity matters to you, use the local voice options. They are first-class features, not a fallback.
- If you use cloud voice, your speech is heard by ElevenLabs's systems. We have made a deliberate engineering choice to not insert ourselves into the audio path — that means we cannot make E2E claims about voice content. We could not credibly call it E2E even if we wanted to, because ElevenLabs is in the audio path by design.
5.4 Voice biometrics
We do not use voice content to identify you, build voiceprints, or perform speaker recognition. Our cloud voice integration with ElevenLabs is configured for the purpose of speech-to-text transcription and text-to-speech generation — not speaker identification.
Illinois geo-block for cloud voice (BIPA compliance). Cloud voice features (ConvAI two-way conversational voice via ElevenLabs) are not currently available to users whose IP address resolves to Illinois, United States. This is a deliberate compliance choice tied to the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14. Requests to cloud-voice endpoints from Illinois IPs return HTTP 451 with the error code VD_GEOBLOCK_BIPA_IL.
Local voice features (on-device Apple Speech, the local Atlas/Piper model, and the macOS say command) remain available to all users including those in Illinois. The geo-block is narrow — it covers only the cloud-voice path that sends audio to ElevenLabs. The rest of the product works the same.
Non-US users are not affected. BIPA's scope is US-state-specific; users outside the United States never hit this geo-block.
A note on VPN and IP-resolution false positives. The geo-block is enforced at the edge based on the resolved IP of the request. Users connecting through a VPN with an Illinois exit node may be blocked even if they are not Illinois residents; users physically in Illinois connecting through a non-IL VPN may not be blocked. The check is best-effort and not an attestation of residency.
If you reside in a jurisdiction with biometric privacy law (such as Texas (CUBI) or Washington (Biometric Privacy Act)) and have specific concerns about voice processing, please contact privacy@vibedispatcher.com before using cloud voice features. We will discuss your options, including disabling cloud voice and using only the local voice path.
6. Who We Share Information With (Sub-Processors)
We use the following third-party service providers ("sub-processors") to operate the Service. Each is contractually bound to confidentiality and to use your information only as needed to provide their service to us.
| Sub-processor | Purpose | Data shared | Jurisdiction | Transfer mechanism (for EU/UK/CH data) | Privacy policy |
|---|---|---|---|---|---|
| Stripe, Inc. | Subscription payments (web checkout) | Email, payment method token, billing address | United States (HQ); processes globally | SCCs (Module 2) + supplementary measures | https://stripe.com/privacy |
| RevenueCat, Inc. | App Store / Play Store entitlement management | App Store transaction ID, anonymous user ID, entitlement state | United States | SCCs (Module 2) + supplementary measures | https://www.revenuecat.com/privacy |
| Apple Inc. | iOS App Store distribution (when native Beacon ships); In-App Purchases for Beacon; APNs push delivery | App Store transaction details (purchase ID, user receipt, sandbox/production indicator) for IAP processing; APNs receives the device push token and the encrypted notification payload for push delivery | United States; processes globally | SCCs accepted via Apple Developer Program License Agreement | https://www.apple.com/legal/privacy/ |
| Fly.io, Inc. | Hosting for the relay service and database | All data the relay processes (in encrypted-in-transit form; ciphertext for E2E messages) | United States (HQ); regional data centers | SCCs (Module 2) + supplementary measures | https://fly.io/legal/privacy-policy/ |
| ElevenLabs, Inc. | Cloud voice (TTS + ConvAI two-way) | Audio of your speech; audio of agent replies | United States | SCCs (Module 2) + supplementary measures | https://elevenlabs.io/privacy-policy |
| Sentry (Functional Software, Inc.) | Crash + error reporting (client opt-in; server-side under Legitimate Interest) | Stack traces, app/OS version, session UUID, in-scope variables (PII scrubbed for server-side) | United States | SCCs (Module 2) + supplementary measures | https://sentry.io/privacy/ |
| PostHog, Inc. | Product analytics (opt-in in EU/UK/CH; opt-out elsewhere) | Anonymous instance UUID, event names, feature flags | United States / United Kingdom | SCCs (Module 2) for US transfer; UK IDTA for UK transfer | https://posthog.com/privacy |
| Plausible Insights OÜ | Marketing site analytics (cookieless, no PII) | Aggregated, non-personal site usage | Estonia (European Union) | EU/EEA — none required | https://plausible.io/privacy |
| Expo (Exponent, Inc.) | Push notification delivery to iOS (Expo Push) | Push token, notification payload | United States | SCCs (Module 2) + supplementary measures | https://expo.dev/privacy |
| GitHub, Inc. (Sparkle appcast hosting) | Distribute desktop-app updates via GitHub Pages | Standard HTTP request metadata (IP, user agent, app version) | United States | SCCs accepted via GitHub Customer Terms / DPA | https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement |
We will update this list when we add or remove a sub-processor. Material changes are notified per Section 11.
We may also disclose information when required by law, court order, or to protect our rights, our users, or the public. We will challenge overbroad requests where it is appropriate to do so.
We do not share information with advertisers or data brokers.
7. Lawful Bases for Processing (GDPR)
We rely on the following lawful bases under GDPR Article 6:
| Activity | Lawful basis |
|---|---|
| Account creation, billing, device pairing, event/command routing, voice token issuance, push notification delivery, ElevenLabs voice transfer for transcription | Contract performance (Art. 6(1)(b)) |
| Tax compliance, regulatory record-keeping, response to lawful requests | Legal obligation (Art. 6(1)(c)) |
| Server logs, abuse detection, fraud prevention, security incident investigation, per-user cost circuit breakers, server-side error reporting | Legitimate interest (Art. 6(1)(f)) — balanced against your rights and freedoms |
| Crash reporting (Sentry, client-side); product analytics (PostHog) in EU/UK/CH; product analytics elsewhere where local law requires consent; marketing emails | Consent (Art. 6(1)(a)) — withdrawable at any time |
| Product analytics (PostHog) outside EU/UK/CH | Legitimate interest (Art. 6(1)(f)) — opt-out available; right to object under Art. 21 |
You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. See Section 8 for the mechanism.
8. Your Rights
Subject to applicable law, you have the rights listed below. To exercise any right, email privacy@vibedispatcher.com with the request and the email address tied to your account, or use the in-app Settings → Privacy → Data Requests flow (where available). We will verify your identity before fulfilling the request.
8.1 Rights for everyone (where local law applies)
| Right | What it means | How to exercise |
|---|---|---|
| Access | Get a copy of the personal data we hold about you | Email request + in-app data export |
| Rectification | Correct inaccurate or incomplete data | In-app account settings + email request |
| Erasure ("right to be forgotten") | Have your data deleted | In-app account deletion + email request. Some data may be retained where law requires (e.g., billing records — see Section 9). |
| Restriction | Pause processing while a dispute is resolved | Email request |
| Objection | Object to processing based on legitimate interest (Art. 21) | Email request + in-app Settings → Privacy |
| Portability | Receive your data in a machine-readable format | In-app data export — JSON in a documented schema published at vibedispatcher.com/data-export-format. Export includes all data categories enumerated in Section 3 of this Privacy Policy. |
| Withdraw consent | Turn off optional features (analytics, crash reports, marketing emails) | Settings → Privacy + email unsubscribe links |
| Lodge a complaint | File a complaint with your local data protection authority | EU residents: We have not yet appointed an EU representative. EU residents may file complaints with their national supervisory authority — see the EDPB members directory at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK: the Information Commissioner's Office (ICO) at https://ico.org.uk. |
We respond within 30 days (GDPR) or 45 days (CCPA) of a verifiable request. We may extend by an additional 45 days where reasonably necessary, with notice to you.
8.2 California-specific rights (CCPA/CPRA)
If you are a California resident, you also have the right to:
- Right to know the specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties to whom we disclosed it.
- Right to delete personal information we collected from you (subject to exceptions in Cal. Civ. Code § 1798.105(d)).
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not "sell" your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do disclose limited categories of information to service providers (listed in Section 6) under written contracts that restrict their use to providing services to us. The link below is provided as a transparency commitment regardless:
  Do Not Sell or Share My Personal Information
  We honor opt-out requests within 15 business days of receipt, as required by California Civil Code § 1798.135.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond those needed to provide the Service. The link below is provided regardless:
- Right to non-discrimination for exercising any of these rights. We will not deny service, charge a different price, or provide a different level of quality based on your exercise of CCPA rights.
You may designate an authorized agent to make a request on your behalf. We may require verification.
8.3 Categories of personal information we collect (CCPA Notice at Collection)
Under the CCPA categories defined in Cal. Civ. Code § 1798.140(v):
| CCPA category | Do we collect? | Source | Purpose |
|---|---|---|---|
| Identifiers (email, IP, device IDs) | Yes | You + automatic | Service operation, security |
| Commercial information (purchases) | Yes | You via Stripe | Billing |
| Internet activity (interaction with our service) | Yes | Automatic | Service operation, debugging |
| Geolocation (general — from IP) | Yes (coarse) | Automatic | Security, regional service routing |
| Audio/voice information | Only when you use cloud voice; processed by ElevenLabs, not retained by us | You | Service operation |
| Sensory data (other) | No | — | — |
| Professional or employment-related | No | — | — |
| Education information | No | — | — |
| Inferences from the above | No | — | — |
| Sensitive PI (precise geolocation, biometric, financial account #s, etc.) | No (we do not collect biometric identifiers; we do not store full card numbers) | — | — |
We retain each category for the periods stated in Section 9. We do not sell or share any category. We disclose categories to sub-processors only as listed in Section 6.
9. How Long We Keep Your Data (Retention)
We keep personal data only as long as we need it for the purposes described in this policy, then we delete or anonymize it.
| Data | Default retention |
|---|---|
| Account data (email, payment method, device pairings) | Life of the account + 30 days post-cancellation, then deletion (except billing records required by law for up to 7 years) |
| Events archive (event metadata + summaries) | 90 days, then deletion |
| Commands archive | 90 days, then deletion |
| Pinned events | Until you unpin them, or 12 months, whichever is sooner |
| Voice usage counters and session metadata | 7 years (matching billing-record retention for chargeback/dispute defense) |
| Server logs | 30 days, then deletion. For data subject to active security investigation or required to defend a legal claim, retention is extended only for the duration of that specific investigation or claim, not to exceed 12 months without an additional documented justification. |
| Crash reports (Sentry) | Per Sentry's default retention (currently 90 days for free tier, configurable) |
| Product analytics (PostHog) | 24 months, then deletion or aggregation |
| Stripe billing records | Retained by Stripe per their policies; we retain invoice metadata for 7 years for tax / accounting compliance |
| Voice audio (ElevenLabs) | Per ElevenLabs's policy. We do not control or retain it. |
You may request earlier deletion via the rights process in Section 8. We will honor the request unless retention is required by law or necessary for the establishment, exercise, or defense of legal claims.
10. International Transfers
We are based in the United States. The relay service is hosted on Fly.io infrastructure in the United States and other regions. Most of our sub-processors are US-based, with the exception of Plausible (Estonia, EU) and PostHog (US/UK).
If you access the Service from outside the United States, your information will be transferred to, processed in, and stored in the United States and other countries.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the following safeguards (in order of preference):
1. EU–U.S. Data Privacy Framework (DPF) and the UK Extension thereto / Swiss–U.S. DPF — where the recipient has self-certified. VibeDispatcher LLC has not yet self-certified to the DPF; this is on our roadmap. Until self-certification, we rely on (2).
2. Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914) and the UK International Data Transfer Addendum, with supplementary measures where appropriate (encryption in transit, encryption at rest, libsodium E2E for message content). Where SCCs are required, we are in the process of executing them with each US-based sub-processor; copies are available on request once finalized.
You may request a copy of the relevant SCCs by emailing privacy@vibedispatcher.com.
Data Processing Addendum. Business customers who use the Service on behalf of an organization (and are therefore the Controller, with VibeDispatcher acting as Processor under GDPR Art. 28) may request our standard Data Processing Addendum, which incorporates the EU SCCs (2021/914) and the UK IDTA, by emailing privacy@vibedispatcher.com. Our DPA will be published at vibedispatcher.com/dpa.
11. Changes to This Policy
We may update this policy from time to time to reflect changes to the Service, the law, or our practices. When we update it:
- We update the Last Updated date at the top.
- For material changes (changes that expand the scope of data collection, change the legal basis, or reduce your rights), we aim to provide notice at least 30 days in advance via in-app banner, email to your account, and a notice on vibedispatcher.com/privacy, where the timing is within our control.
- For sub-processor additions or substitutions, we will provide notice as soon as reasonably practicable; some changes (e.g., emergency migrations, acquisitions) may require shorter notice windows.
- For non-material changes (clarifications, fixes, sub-processor updates with equivalent protection), the updated date is the only notice.
You can review prior versions on request.
12. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. We do not currently operate an age-verification mechanism; account creation requires self-assertion of age at checkout or first device pairing. If you are a parent or guardian and believe your child has created an account, contact privacy@vibedispatcher.com for deletion.
In some jurisdictions, the relevant age is 13 (United States, COPPA) rather than 16 (GDPR). We apply the more protective standard (16) globally.
13. Apple App Privacy Label Mapping
For the Beacon iOS app (when shipped via the App Store), the following table maps each VibeDispatcher data category to Apple's App Privacy taxonomy used in the App Store Connect privacy questionnaire.
| VibeDispatcher data category | Apple privacy category | Used for | Linked to user | Used for tracking |
|---|---|---|---|---|
| Email address | Contact Info > Email Address | App Functionality, Account Management | Yes | No |
| Display name (optional) | Contact Info > Name | App Functionality | Yes | No |
| Payment method (token) | Financial Info > Payment Info | App Functionality (billing) | Yes | No |
| Device names | User Content > Other User Content | App Functionality (paired-device list) | Yes | No |
| Device public keys (libsodium) | Identifiers > Other (cryptographic device IDs) | App Functionality (authentication) | Yes | No |
| Event metadata + summaries | User Content > Other User Content | App Functionality | Yes | No |
| Commands you submit | User Content > Other User Content | App Functionality | Yes | No |
| Push subscription tokens | Identifiers > Device ID | App Functionality | Yes | No |
| Pinned events | User Content > Other User Content | App Functionality | Yes | No |
| Voice usage counters + session metadata | Usage Data > Product Interaction | App Functionality, Analytics | Yes | No |
| Voice audio (cloud) | Audio Data > Voice Recordings | App Functionality (transit only; not retained by us) | No (we do not retain) | No |
| Server logs (IP, request path, etc.) | Diagnostics > Other Diagnostic Data | App Functionality, Security | Yes | No |
| Crash reports (Sentry, opt-in client / Legitimate Interest server) | Diagnostics > Crash Data | App Functionality, Diagnostics | Yes (where opted in) | No |
| Product analytics (PostHog) | Usage Data > Product Interaction | Analytics | No (anonymous instance UUID) | No |
VibeDispatcher does not use any data category for tracking as Apple defines the term under ATT. See Section 3.8.
14. Security
We protect your data with:
- TLS 1.2+ for all network traffic between your devices, our relay, and our sub-processors.
- libsodium end-to-end encryption for text messages between your paired devices (we cannot read them — see Section 5).
- Encryption at rest for our database (provided by Fly.io's managed Postgres or equivalent).
- Per-user authentication via libsodium device key pairs; no shared secrets between users.
- Per-user cost circuit breakers to prevent abuse-driven cost runaway.
- Audit logging of administrative access.
- Principle of least privilege on infrastructure access; multi-factor authentication on administrative accounts.
No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to security@vibedispatcher.com.
15. Contact
- Privacy Inquiries: privacy@vibedispatcher.com
- Security Disclosures: security@vibedispatcher.com
- General Support: support@vibedispatcher.com
- Legal: legal@vibedispatcher.com
Postal: VibeDispatcher LLC, [ADDRESS — TBD; finalize at Delaware LLC filing]
For EU/UK users, you have the right to lodge a complaint with your supervisory authority. EU residents may use the EDPB members directory at https://edpb.europa.eu/about-edpb/about-edpb/members_en to find their national DPA. In the UK, that is the Information Commissioner's Office (ICO): https://ico.org.uk
This Privacy Policy applies to the VibeDispatcher Service operated by VibeDispatcher LLC, a Delaware single-member limited liability company. It does not apply to third-party services, websites, or applications linked from or integrated with the Service; those are governed by their own privacy policies.