ViftChat — Privacy Policy
Version v1 — February 2026
1. Introduction
This Privacy Policy (“Policy”) describes how Vift ApS (“we”, “us”, “our”), a company registered in Denmark, collects, uses, stores, and protects your personal data when you use the ViftChat application (“Service”).
We are the data controller for the processing of your personal data in accordance with the EU General Data Protection Regulation (GDPR).
2. Data We Collect
2.1 Information You Provide
| Data Type | Examples |
|---|---|
| Account information | Phone number, name, profile picture |
| Chat content | Messages, images, videos, voice messages, files (end-to-end encrypted) |
| Circles | Posts, comments, images, location data (if voluntarily shared) |
| Stories | Temporary content (automatically deleted after 24 hours) |
| Digital Locker | Documents and files (AES-256 encrypted) |
| Contact information | Contacts you choose to share with the Service |
2.2 Information We Collect Automatically
| Data Type | Purpose |
|---|---|
| Device information | Device type, operating system, app version — for debugging and compatibility |
| Push tokens | For delivering push notifications via Expo Push Notifications |
| Usage data | Anonymized usage patterns — for improving the Service |
| Log data | IP address, timestamps — for security and debugging |
2.3 Information from Third Parties
We receive limited information from:
- Apple / Google: Subscription status and payment confirmations (via RevenueCat). We do not receive your payment details.
- Supabase Auth: Authentication data (anonymized user ID).
3. How We Use Your Data
We use your data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service (messaging, storage, notifications) | Performance of contract (Art. 6(1)(b)) |
| Account security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Subscription management and billing | Performance of contract (Art. 6(1)(b)) |
| Improving the Service (anonymized analytics) | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Push notifications | Consent (Art. 6(1)(a)) |
We never sell your personal data to third parties.
4. Data Storage & Retention
4.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | As long as the account is active + 30-day grace period |
| Chat messages (text) | As long as the account is active (end-to-end encrypted) |
| Videos in chat | 5 days |
| Images in chat | 14 days |
| Voice messages | 30 days |
| Files in chat | 90 days |
| Circles | Permanent (until deleted by the user) |
| Stories | 24 hours (automatic deletion) |
| Digital Locker | As long as the account is active |
| Log data | Maximum 90 days |
4.2 Account Deletion
When you request account deletion, a 30-day grace period begins. After this period, all your data is permanently deleted, including messages, media files, posts, and Digital Locker content.
4.3 Data Storage Location
All data is stored within the EU:
- Database: Supabase (EU region) with PostgreSQL.
- File storage: Cloudflare R2 (EU region).
5. Third-Party Services
We use the following third-party services to deliver the Service:
| Service | Purpose | Data Processing |
|---|---|---|
| Supabase | Authentication and database | EU-based data processing |
| Cloudflare R2 | File storage (media, documents) | EU-based data processing |
| RevenueCat | Subscription management | Receives only subscription status |
| Apple App Store / Google Play | Payment and distribution | Their privacy policies apply |
| Expo Push Notifications | Push notifications | Push tokens and message metadata |
We have data processing agreements with all relevant third parties in compliance with GDPR.
6. Your Rights (GDPR)
As a user in the EU, you have the following rights:
| Right | Description |
|---|---|
| Right of access | You may request a copy of all personal data we hold about you. |
| Right to rectification | You may request correction of inaccurate information. |
| Right to erasure | You may request deletion of your data (“right to be forgotten”). |
| Right to data portability | You may request to receive your data in a structured, machine-readable format. |
| Right to restriction | You may request that we restrict the processing of your data. |
| Right to object | You may object to processing based on legitimate interest. |
| Right to withdraw consent | You may withdraw your consent at any time (e.g., for push notifications). |
How to Exercise Your Rights
Send a request to [email protected]. We will respond within 30 days in accordance with GDPR.
Complaints to Supervisory Authority
You have the right to file a complaint with the Danish Data Protection Agency (Datatilsynet, datatilsynet.dk) or the supervisory authority in the EU member state where you reside.
7. Encryption & Security
We take data security seriously and employ the following measures:
| Measure | Description |
|---|---|
| End-to-end encryption (E2EE) | Chat messages are encrypted on your device and can only be read by the recipient. We cannot read your messages. |
| AES-256 encryption | Digital Locker content is encrypted with AES-256 — the industry standard for data security. |
| Encrypted transport | All data transmission occurs over TLS/HTTPS. |
| Access controls | Strict access controls on our servers and database. |
| EU-based storage | Data is stored exclusively within the EU. |
Important note on E2EE: Because chat messages are end-to-end encrypted, we cannot read or recover the content of your messages. If you lose access to your device, encrypted messages may not be recoverable.
8. Children’s Privacy
ViftChat is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete that data as promptly as possible.
If you are a parent or guardian and believe your child has created an account, please contact us at [email protected].
9. Cookies & Tracking Technologies
The ViftChat app does not use cookies. We do not use advertising tracking technologies and do not share data with advertising networks.
Anonymized usage data is collected solely for improving the Service, not for targeted advertising.
10. International Data Transfers
All data is stored within the EU. In the event that data is exceptionally transferred outside the EU (e.g., via a sub-processor), we ensure appropriate safeguards in accordance with GDPR, including the European Commission’s Standard Contractual Clauses (SCCs).
11. Changes to This Policy
We may update this Policy from time to time. For material changes, we will notify you through the app at least 30 days before they take effect. The current version is always available within the app.
12. Contact
If you have questions about this Policy or wish to exercise your rights, you may contact us:
- Data Protection (DPO): [email protected]
- General inquiries: [email protected]
- Company: Vift ApS, Denmark
Last updated: February 2026