← Back to home

Privacy Policy

Last updated: June 7, 2026

1. Introduction

VibeContent (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI-powered content generation platform (the “Service”).

This policy is prepared in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (collectively, “Applicable Law”).

By using VibeContent, you confirm that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described below.

2. Data Fiduciary & Contact

For the purposes of the DPDP Act, 2023, VibeContent is the Data Fiduciary of your personal data. The Service is operated by:

Dhruv Parmar (Sole Proprietorship)
Operating as “VibeContent”
India

Our Grievance Officer (appointed under the IT Rules, 2011 and the DPDP Act, 2023) is:

Dhruv Parmar
Email: grievance@vibecontent.site

For details, see our Grievance Officer page. We acknowledge complaints within 48 hours and aim to resolve them within 30 days.

3. What Personal Data We Collect

3.1 Account Data

  • Email address
  • Password (hashed using bcrypt; we never store plain-text passwords)
  • Instagram handle (the public username you provide at sign-up)

3.2 Instagram Profile Data (Public)

When you sign up, we use a third-party service (Apify) to fetch publicly available information from your Instagram profile to personalise your content suggestions. This may include: full name, biography, profile picture URL, follower and following counts, post count, recent post captions and hooks, hashtags, and engagement metrics. We do not request, store, or process your Instagram password.

3.3 Usage Data

  • Ideas and scripts you generate
  • Feature usage (auto-generate sessions, custom topics, script generations)
  • Subscription tier, billing history, and Razorpay subscription ID
  • Account settings and preferences (language, style)

3.4 Technical Data

  • IP address
  • Browser type, version, and operating system
  • Pages visited, time spent, and referring URL
  • Authentication cookies (httpOnly JWT)

3.5 Communications Data

  • Records of your correspondence with our Grievance Officer or support team
  • Email verification and password reset tokens (one-time, short-lived, hashed)

4. Purpose of Processing

We process your personal data for the following specific purposes:

  • To create and authenticate your account
  • To fetch your public Instagram data via Apify to personalise your generated content
  • To provide, maintain, secure, and improve the Service
  • To process subscription payments, refunds, and tax invoices
  • To detect and prevent fraud, abuse, and unauthorised access
  • To respond to your queries, support requests, and complaints
  • To comply with our legal, regulatory, and tax obligations
  • To send you transactional emails (verification, password reset, receipts, security alerts)

5. Lawful Basis for Processing

Under the DPDP Act, 2023, we rely on the following lawful bases:

  • Consent — for processing your data for the specific purposes you signed up for, and for any optional processing (such as marketing communications, if you opt in).
  • Necessary for performance of a contract (DPDP Act §7(g)) — to provide the Service you have subscribed to, process payments, and deliver generated content.
  • Compliance with legal obligations — to retain financial records as required by Indian tax law, to respond to lawful requests from authorities, and to maintain security logs as required by the CERT-In Directions of April 2022.

6. Cross-Border Data Transfer

Your personal data may be transferred to and processed in countries outside India by the following data processors, with whom we have contractual data-processing arrangements no less protective than the DPDP Act:

  • MongoDB Atlas (database, primarily in AWS regions in India and Singapore)
  • Vercel Inc. (application hosting, edge network globally)
  • Google Cloud / Gemini (AI generation, US/EU regions)
  • Groq Inc. (fallback AI provider, US region)
  • Apify (Instagram data fetching, EU/US regions)
  • Razorpay (payment processing, India region)
  • Google Analytics (usage analytics, US region)

We do not transfer your personal data to any third party for advertising or marketing purposes. We do not sell your personal data.

7. Cookies

We use cookies and similar local-storage technologies. On your first visit, you will see a cookie consent banner allowing you to accept all cookies or to use essential cookies only.

  • Essential cookies: A secure, httpOnly JWT cookie (vibecontent_token) used to keep you signed in. These cannot be disabled as the Service cannot function without them.
  • Analytics cookies: Google Analytics (ID G-YLZN08PLJ4) is loaded only after you click “Accept All”. It is not loaded if you choose “Essential Only”.
  • Local storage: We store your cookie consent preference (vibecontent_cookie_consent) in your browser’s local storage.

8. Data Security

We implement industry-standard security measures to protect your personal data:

  • Passwords hashed using bcrypt with a cost factor of 12
  • Authentication tokens are httpOnly, secure, SameSite=Lax cookies
  • All API endpoints are rate-limited to prevent abuse
  • Data is encrypted in transit (HTTPS/TLS 1.2+) and at rest (provider-managed)
  • Database access restricted via MongoDB Atlas IP allowlist and role-based credentials
  • Backups encrypted and retained for no longer than 90 days

9. Data Retention

  • Account data: retained for the lifetime of your account. On account deletion, your personal data is erased or anonymised within 30 days, except as noted below.
  • Financial records (invoices, payment history): retained for 8 years as required by the Income Tax Act, 1961 and GST law.
  • Security and access logs: retained for 180 days in line with the Indian Computer Emergency Response Team (CERT-In) Directions of April 2022.
  • Database backups: retained for up to 90 days on encrypted storage, then overwritten on a rolling basis.
  • Aggregated, anonymised analytics: may be retained indefinitely.

10. Your Rights as a Data Principal

Under the DPDP Act, 2023, you have the following rights as a Data Principal. You may exercise any of these rights by contacting our Grievance Officer at grievance@vibecontent.site.

  • Right to access a summary of your personal data and the processing activities relating to you.
  • Right to correction and erasure of inaccurate, incomplete, or no-longer-needed personal data.
  • Right to grievance redressal — we will acknowledge your complaint within 48 hours and resolve within 30 days.
  • Right to nominate another individual to exercise your rights under this Act in the event of your death or incapacity.
  • Right to withdraw consent at any time, with prospective effect. Withdrawal of consent may limit your ability to use the Service.

We may require identity verification before acting on a request to protect against fraudulent requests.

11. Children’s Privacy

The Service is intended for users aged 13 years and older. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will delete it within a reasonable time.

If you are a parent or guardian and believe your child has provided us with personal data, please contact grievance@vibecontent.site and we will delete the information.

12. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to you, we will notify:

  • The Data Protection Board of India and any other relevant authority, in accordance with the DPDP Act, 2023.
  • Affected users, by email to your registered email address.

We will provide such notification as soon as reasonably practicable and in any case within 72 hours of becoming aware of the breach, consistent with the DPDP Act and CERT-In Directions.

13. Marketing Communications

We may send you product updates, creator tips, and other marketing communications only if you have opted in. Every marketing email includes an unsubscribe link. We honour unsubscribe requests within 10 days, in line with the Telecom Commercial Communications Customer Preference Regulations (TRAI) and the IT Rules, 2011.

Transactional emails (verification, password reset, receipts, security alerts, grievance acknowledgements) are not “marketing” and are sent as part of providing the Service. You cannot opt out of these.

14. Third-Party Links

The Service may contain links to third-party websites (for example, Instagram). We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policy of every website that collects your personal data.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by:

  • Posting the updated policy on this page with a new “Last updated” date
  • Sending an email to your registered email address for material changes
  • Displaying an in-app banner for at least 14 days

Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy. If you do not agree with the updated policy, you may close your account.

16. Contact & Grievance Officer

For any questions about this Privacy Policy, or to exercise your rights as a Data Principal, contact our Grievance Officer:

Dhruv Parmar
Grievance Officer & Data Fiduciary Representative
VibeContent
Email: grievance@vibecontent.site

For general support: support@vibecontent.site

← Back to VibeContent