Privacy Policy

Last updated: November 23, 2025

1. Introduction

Welcome to TypeVibe, a personality quiz application operated by Nedeveon EOOD, a company registered in Bulgaria. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application available at https://typevibe.app.

By using TypeVibe, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

2. Data Controller

Nedeveon EOOD is the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) and Bulgarian data protection laws.

Contact Information:

Nedeveon EOOD

Bitolya 5, fl. 1, apt. 3
9002 Varna, Bulgaria

3. Information We Collect

We collect several types of information from and about users of our service:

3.1 Account Information

  • Email address: Required for account creation and authentication
  • Name: Collected when you sign in via Google OAuth or provided during account creation
  • Profile image: Optional, collected from Google OAuth if available
  • Authentication tokens: Encrypted OAuth tokens stored securely for session management

3.2 Profile Information

  • Handle: A unique username (3-48 characters, alphanumeric with hyphens, dots, and underscores)
  • Display name: Optional display name for your profile
  • Avatar URL: Optional profile picture URL
  • Social links: Optional links to your social media profiles
  • Privacy settings: Your preferences for profile visibility and email notifications

3.3 Quiz and Assessment Data

  • Quiz answers: Your responses to personality quiz questions
  • Assessment progress: Information about quizzes you have started, completed, or are in progress
  • Personality reports: AI-generated personality analysis reports based on your quiz responses
  • Vibe reports: Comparative analysis reports between you and other users
  • Ratings and feedback: Optional ratings and feedback you provide on reports

3.4 Payment and Billing Information

  • Payment data: Processed securely through Polar.sh (which uses Stripe as the underlying payment processor)
  • Billing events: Records of purchases, subscriptions, and payment transactions
  • Customer information: Email and user ID linked to Polar customer records

3.5 Technical and Usage Data

  • IP address: Collected for security, rate limiting, and session management
  • User agent: Browser and device information for technical support
  • Session data: Session tokens and expiration information
  • Upload data: Files you upload (images, etc.) with metadata (size, content type, timestamps)

3.6 Moderation Data

  • Profile reports: Reports submitted about user profiles (including reporter information and IP address for anonymous reports)
  • Account status: Information about account bans or restrictions if applicable

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Provision

  • To create and manage your account
  • To provide and maintain our personality quiz services
  • To generate and deliver personality and vibe reports
  • To process payments and manage subscriptions
  • To enable social features such as profile sharing and vibe comparisons
  • To save and restore your quiz progress

4.2 Communication

  • To send authentication magic links via email
  • To send service-related notifications (with your consent)
  • To respond to your inquiries and provide customer support
  • To send important updates about our service

4.3 Security and Safety

  • To protect against unauthorized access and fraud
  • To enforce rate limiting and prevent abuse
  • To investigate and respond to reports of misconduct
  • To maintain the security and integrity of our platform

4.4 Service Improvement

  • To analyze usage patterns and improve our services
  • To develop new features and functionality
  • To ensure technical compatibility and optimize performance

5. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal bases:

Contractual Necessity: We process your data to fulfill our contract with you, including providing quiz services, generating reports, and processing payments.
Legitimate Interests: We process data for our legitimate interests in:
  • Ensuring platform security and preventing fraud
  • Improving our services and user experience
  • Enforcing our terms of service
  • Managing customer relationships
Consent: We process certain data based on your explicit consent, such as:
  • Email notifications (you can opt out at any time)
  • Optional profile information
  • Social sharing features
Legal Obligations: We may process data to comply with legal obligations, such as tax reporting or responding to lawful requests from authorities.

6. Data Sharing and Third-Party Services

We do not sell, rent, or trade your personal data. However, we may share your data with the following third-party service providers:

6.1 Service Providers

  • Polar.sh / Stripe: Payment processing and merchant of record services. Polar.sh uses Stripe as the underlying payment processor. Your payment information is handled securely by these providers in accordance with their privacy policies.
  • Google: Authentication via OAuth. When you sign in with Google, we receive your email, name, and profile image (if available) in accordance with Google's privacy policy.
  • Cloudflare: Content delivery network (CDN), security services, and object storage (Cloudflare R2). Cloudflare may process your IP address and request data to provide these services. User uploads (images, files) are stored in Cloudflare R2 object storage.
  • Hetzner: Cloud hosting provider for our application servers. Your data is stored on Hetzner servers located in the European Union.
  • Scaleway: Email service provider for sending transactional emails, including magic link authentication emails and other service-related communications.
  • AI Service Providers: We use AI models (OpenAI, Anthropic, Google Gemini) to generate personality reports. Your quiz answers are sent to these providers to generate your personalized reports. These providers process data in accordance with their respective privacy policies.

6.2 Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally recognized transfer mechanisms

6.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:

  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Investigate fraud or security issues

7. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our services:

7.1 Essential Cookies

  • Session cookies: Required for authentication and maintaining your login session. These cookies are essential for the service to function.
  • Security cookies: Used for security features such as CSRF protection and rate limiting.

7.2 Analytics

We do not use third-party analytics services such as Google Analytics. We may collect minimal usage data internally for service improvement, but this does not involve third-party tracking services.

7.3 Cookie Management

Most browsers allow you to control cookies through their settings. However, disabling essential cookies may affect your ability to use our service.

8. Data Retention

We retain your personal data for the following periods:

  • Account data: Retained for as long as your account is active. You may delete your account at any time by going to your profile page and clicking the "Delete Account" button.
  • Quiz data and reports: Retained for as long as your account is active, unless you request deletion or delete your account.
  • Session data: Retained for up to 1 year from last activity, then automatically deleted.
  • Payment records: Retained for 7 years to comply with tax and accounting obligations.
  • Moderation records: Retained as necessary for platform safety and compliance.

Account Deletion: You can delete your account at any time by navigating to your profile page and clicking the "Delete Account" button. When you delete your account, we will delete or anonymize your personal data, except where we are required to retain it for legal, tax, or regulatory purposes.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

Right of Access: You have the right to request a copy of the personal data we hold about you.
Right to Rectification: You have the right to request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal data, subject to certain legal exceptions.
Right to Restrict Processing: You have the right to request that we limit how we use your data in certain circumstances.
Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format.
Right to Object: You have the right to object to processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time.
Right to Lodge a Complaint: You have the right to file a complaint with a supervisory authority, such as the Bulgarian Commission for Personal Data Protection.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month.

10. Your Rights Under U.S. State Privacy Laws

If you are a resident of certain U.S. states, you may have additional rights regarding your personal information under applicable state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and other similar state laws.

10.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights:

Right to Know: You have the right to request that we disclose to you: (1) the categories of personal information we have collected about you; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom we disclose personal information; and (5) the specific pieces of personal information we have collected about you.
Right to Delete: You have the right to request that we delete any personal information about you that we have collected, subject to certain exceptions.
Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. However, if we were to engage in such activities in the future, you would have the right to opt out.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to certain purposes specified in the CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

10.2 Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights, including:

  • Right to Access: The right to confirm whether we process your personal information and to access such information.
  • Right to Correct: The right to correct inaccuracies in your personal information.
  • Right to Delete: The right to delete your personal information.
  • Right to Data Portability: The right to obtain a copy of your personal information in a portable format.
  • Right to Opt-Out: The right to opt out of the processing of your personal information for targeted advertising, the sale of personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects.

10.3 How to Exercise Your U.S. State Privacy Rights

To exercise any of these rights, please contact us at [email protected]. We will verify your identity before processing your request. We will respond to your request within the timeframes required by applicable law (typically 45 days, which may be extended by an additional 45 days if reasonably necessary).

You may also designate an authorized agent to make a request on your behalf. We will require proof of authorization and verify your identity directly, unless the authorized agent has power of attorney.

10.4 Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. We currently do not respond to DNT signals because there is no industry standard for how to respond to such signals.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: Data in transit is encrypted using TLS/SSL. Sensitive data such as OAuth tokens are encrypted at rest.
  • Access Controls: Access to personal data is restricted to authorized personnel only.
  • Secure Storage: Data is stored on secure servers with appropriate access controls and monitoring.
  • Regular Updates: We keep our systems and dependencies updated to address security vulnerabilities.
  • Rate Limiting: We implement rate limiting to prevent abuse and unauthorized access attempts.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

12. Children's Privacy

Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected]. If we become aware that we have collected data from a child under 16, we will take steps to delete such information.

13. International Users

TypeVibe is operated from Bulgaria and is subject to Bulgarian and European Union data protection laws. If you are accessing our service from outside the EU, please be aware that your data may be transferred to, stored, and processed in the EU where our servers are located.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date at the top of this policy
  • Sending an email notification for significant changes (if you have provided an email address)

Your continued use of our service after any changes constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Nedeveon EOOD

Bitolya 5, fl. 1, apt. 3
9002 Varna, Bulgaria

This Privacy Policy is effective as of the date listed above and applies to all users of TypeVibe.