Privacy Policy

Definitions

In this policy, the following terms have the following meanings:

• "Personal Data" means any information relating to an identified or identifiable natural person, such as name, email address, or other identifiers.
• "User" means any individual who uses the Service.
• "Service" means the website, applications, and all related services provided by VAYSS.
• "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, and deletion.

Information We Collect

3.1 Account Information

• Email address (obtained via authentication provider)
• Display name
• Username (auto-generated, modifiable)
• Profile picture
• Authentication provider information (Google or Apple)
• Age confirmation (confirmation of being 13 years or older)

3.2 Profile Information

• Bio/self-introduction
• Website and social media links
• Country/region
• Cover image

3.3 Activity Data

• Message content and timestamps in rooms
• Direct message content and images
• Room participation and creation history
• Block and mute settings
• Uploaded images (PNG, JPEG, GIF, WebP format, max 5MB)

3.4 Technical Data

• IP address (used for rate limiting purposes)
• Device and browser information
• Session tokens and access tokens
• Access logs

Purpose of Data Processing

• User authentication and account management
• Provision, maintenance, and improvement of the Service
• Message delivery and notification distribution
• AI-powered automatic translation of messages and room titles
• Prevention of abuse, security assurance, and rate limiting
• Automated scanning of messages (including direct messages) to ensure compliance with our Terms of Service. Scanning is designed to detect serious violations such as violence, hate speech, and child exploitation; message content is not reviewed by humans
• Service quality improvement and usage analysis
• Compliance with legal obligations and dispute resolution

Legal Basis for Processing

The legal basis for processing your personal data depends on applicable laws in your region and includes:

• Consent: When you have given explicit consent to the processing (GDPR Art. 6(1)(a), APPI, PIPA, etc.)
• Contractual necessity: Processing necessary for providing the Service (GDPR Art. 6(1)(b))
• Legitimate interests: Ensuring service security, fraud prevention, etc. (GDPR Art. 6(1)(f))
• Legal obligation: Compliance with applicable laws and regulations (GDPR Art. 6(1)(c))

Third-Party Services

We use the following third-party services. Each service is governed by its own privacy policy:

6.1 Supabase

Used for database, authentication, and file storage. Your account information, messages, and uploaded images are stored on Supabase. Supabase processes data in compliance with GDPR under a Data Processing Addendum (DPA).

6.2 OpenAI

Used for automatic translation of messages and room titles via the OpenAI API. Only the text to be translated is sent to OpenAI; no personally identifiable information is included. OpenAI does not use data sent via the API for model training.

6.3 Upstash (Redis)

Used for API rate limiting. Hashed IP addresses are temporarily stored, but no personally identifiable information is retained.

6.4 Authentication Providers

Social login is available through Google and Apple. Only the minimum information required for authentication (email address, display name, profile image) is obtained from these providers. Please also check each provider's privacy policy.

AI and Automatic Translation

To enable multilingual communication, the Service provides automatic translation powered by the OpenAI API:

• Only message text and room titles are subject to translation
• User personal information (name, email, etc.) is not sent to the translation API
• Text sent via the OpenAI API is not used for AI model training
• Translation results are cached in our database to improve service quality

International Data Transfers

As the Service is available globally, your personal data may be processed and stored on servers in countries other than your country of residence. Such transfers are conducted based on GDPR Standard Contractual Clauses (SCCs), adequacy decisions, or other appropriate safeguards. For transfers under Japan's APPI, appropriate measures are taken for provision to third parties in foreign countries. For cross-border transfers under South Korea's PIPA, necessary consent and information disclosure are provided.

Data Retention

Personal data is retained for as long as necessary to fulfill the purposes for which it was collected, and is promptly deleted when no longer needed:

• Account information: Fully deleted 30 days after deletion request (can be cancelled during this period)
• Room messages: Automatically deleted 90 days after creation
• Rooms: Expire 12 hours after creation (become inaccessible)
• Access logs and technical data: Retained for up to 90 days

Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

• Right of access: Access to and copies of your collected personal data
• Right to rectification: Correction of inaccurate personal data
• Right to erasure (right to be forgotten): Request deletion of your personal data
• Right to restriction: Restriction of processing under certain conditions
• Right to data portability: Receive your personal data in a structured, machine-readable format
• Right to object: Object to specific types of processing
• Right to withdraw consent: Withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal)

To exercise these rights, please contact us using the information at the end of this policy. We will verify your identity and respond within 30 days. If the request is complex or requires additional time, we may extend this period by up to 60 days with prior notice to you.

Region-Specific Provisions

Children's Privacy

The Service is not intended for individuals under 13 years of age, and we do not knowingly collect personal information from children under 13. Age confirmation (13 years or older) is required during account registration. If we become aware that a child under 13 is using the Service, we will promptly delete their account and associated personal information. In the EU, parental consent is required for children under 16 (13-16 depending on member state) under GDPR Article 8. In the United States, we do not collect information from children under 13 in compliance with COPPA.

Security

We implement the following security measures to protect your personal information:

• HTTPS (TLS) encryption for all communications
• Row Level Security (RLS) for database-level access control
• API rate limiting to prevent unauthorized access
• Magic byte verification for uploaded files
• Security headers (CSP, HSTS, X-Frame-Options, etc.)

Cookies and Local Storage

The Service uses the following essential cookies and local storage:

• Session management cookies (maintaining authentication state)
• Language preference cookie (NEXT_LOCALE)
• Theme preference (dark/light mode)

We do not use advertising tracking cookies or third-party cookies.

Changes to This Policy

This policy may be updated due to changes in laws or the Service. If significant changes are made, we will notify you through in-service notifications or other appropriate means. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact Us

For questions about this policy, or to submit requests regarding disclosure, deletion, or other handling of your personal information, please use the in-app support@vayss.com or contact us at vayssdev@gmail.com.