Privacy Policy — Wave & Vibe

TL;DR — The short version

✦ We have no servers and no database. Your profile never leaves your device unless you wave at someone.
✦ When two phones connect, profiles are exchanged directly between them — no cloud relay.
✦ Your contact info (Instagram, phone, etc.) is only transmitted at the moment of a mutual wave, and only to that one person.
✦ Your Wave & Vibe ID is generated once on your device and never sent to any server.
✦ Uninstalling the app deletes everything. No "delete account" request needed.
✦ We don't sell your data because we never collect it in the first place. Your personal information is not—and will never be—a source of revenue for us.

1. Who we are

Wave & Vibe is an independent app. For feedback, bug reports, or questions, please leave a review on our Google Play listing. For the purposes of applicable data protection law, we are the controller of any personal data processed in connection with this policy — which, as you'll read below, is very little.

2. What data Wave & Vibe processes and where it lives

Wave & Vibe is designed around a core principle: your data stays on your device. There is no Wave & Vibe server, no cloud database, and no account in the traditional sense. Here is everything that exists:

Your profile (display name, photo, bio, contact info, discovery preference) — stored only in your phone's local app storage. Contact info is limited to Instagram, Twitter/X, and email.
Age confirmation — on first setup you confirm you are 18 or older by ticking a checkbox. No date of birth is collected or stored.
Waves you have sent — stored only on your phone.
Waves you have received — stored only on your phone.
Mutual matches (Vibes) — stored only on your phone, including the approximate location where the match occurred (used only to display a map pin to you).
Block list — tokens of users you have blocked, stored locally so they cannot rediscover you.
Wave & Vibe ID — a random identifier generated once when you first set up the app, stored only on your device, and broadcast locally over Bluetooth. It is not linked to your real identity and never sent to any server.

Because we have no servers, we are structurally incapable of accessing, storing, or disclosing your profile data. There is nothing to subpoena, nothing to hack, and nothing to breach.

3. How nearby discovery works

When you open Wave & Vibe with discovery enabled, your device broadcasts a completely anonymous signal over Bluetooth (Google Nearby Connections). This signal contains no identifying information whatsoever — not your name, not your Wave & Vibe ID, not your photo. It simply indicates that a Wave & Vibe user is nearby. Your identity is exchanged only after a direct encrypted connection is established.

Discovery requires both Bluetooth and Wi-Fi to be enabled on the device. Wi-Fi is used by the Google Nearby Connections API for the peer-to-peer data channel (Wi-Fi Direct). No internet connection is required and no data is routed through any Wi-Fi network or access point.

When another Wave & Vibe user is detected nearby, the two devices establish a direct encrypted connection to exchange profile data. This exchange happens entirely between the two devices; no data passes through any Wave & Vibe-controlled infrastructure.

You can disable discovery at any time in Profile settings, which immediately stops broadcasting.

4. How waving works

When you wave at someone:

A wave message is sent to the other person's device via the existing peer-to-peer connection. This message contains your display name and wave identifier so the recipient knows who waved at them. Their device shows a notification such as "[Your name] sent you a wave."
Your full profile (photo, bio, contact info) is not transmitted at this stage. Contact details are withheld until a wave is mutual.
If the other person waves back, both devices exchange full profiles directly over the peer-to-peer link, including the contact details each party chose to share. This exchange happens only between the two devices involved.
If the other person does not wave back, your contact details are never shared with them. The wave record exists on both devices (yours as a sent wave, theirs as a received wave), but you will not receive any "seen" confirmation — unreciprocated waves simply expire from your sent history.
Irrevocability of transmitted data. Because there is no server, data transmitted during a mutual wave (your display name at the wave stage, or your full profile at the match stage) exists on the recipient's device and cannot be remotely deleted or recalled by us or by you after the fact.

5. Third-party services and on-device processing

Wave & Vibe uses the following third-party SDKs on the device:

Google Nearby Connections API — used for peer-to-peer device discovery and data transfer over Bluetooth. Google's privacy policy applies to this SDK's use of Bluetooth hardware. We do not send any user-identifiable data to Google through this API.
Google ML Kit (Face Detection & Image Labeling) — used entirely on-device when you upload a profile photo from your gallery. It checks that the photo contains exactly one face and does not contain inappropriate content (nudity or similar). The photo is analysed locally; no image data or biometric information is sent to Google or to us. The analysis result (pass/fail) is used solely to allow or reject the photo. No biometric template is stored.
Coil (image loading library) — used to display profile photos stored locally on the device. No data is transmitted externally.

We do not integrate any analytics SDKs, advertising SDKs, or crash-reporting services that would transmit personal data off the device.

The face detection processing described above constitutes automated processing of biometric data under GDPR Article 9. The legal basis is your explicit consent, given when you choose to upload a profile photo. You may decline to set a photo at any time; the app functions without one.

5a. Block feature and account restriction

When you block another user, a short anonymous signal is sent to their device over the existing peer-to-peer connection. This signal contains no personal information — only an indication that a block has occurred. The receiving device increments a local counter of unique blockers stored in on-device preferences. If three distinct users block the same account, that account is permanently restricted on that device. No central record of blocks is maintained by us.

6. Permissions we request

Bluetooth & Nearby Devices — required to discover and connect to nearby phones running Wave & Vibe.
Wi-Fi — required by the Google Nearby Connections API for the peer-to-peer data channel (Wi-Fi Direct). No internet connection is used; data travels only between the two devices. This permission is also required on Android 13+ for Nearby Connections to function at all, even during the Bluetooth discovery phase.
Location (approximate, while using app) — required by Android to use Bluetooth scanning. We do not record or transmit your location. We use a one-time system cache lookup only when needed for platform requirements; no continuous GPS polling occurs.
Notifications — to alert you when you receive a wave or a mutual match occurs.
Photos / media — only if you choose to set a profile photo from your gallery.
Foreground service — to keep Bluetooth discovery running while the app is in the foreground.

7. Feedback

Wave & Vibe does not operate a contact form. If you want to report a bug, suggest a feature, or raise a concern, please use the review and feedback tools on our Google Play store listing. No personal data is collected through this process by us; Google's own privacy policy governs any data submitted through Play Store reviews.

8. Children and age verification

Wave & Vibe does not contain adult content. The 18+ minimum age requirement exists solely to protect children from unsolicited contact with adults — not because the app is intended for adult content or restricted activities.

On first setup, users must tick a checkbox confirming they are 18 or older; anyone who does not confirm is blocked from creating a profile. No date of birth is collected or stored — not on your device, not anywhere. We additionally rely on platform-level controls (Google Play family policies and parental controls) to reinforce this protection.

If you believe a minor is using Wave & Vibe, please flag it immediately via the Google Play listing. Because all data is stored locally on devices, we have no server-side mechanism to remove a specific account; we encourage parents to use device-level parental controls and to uninstall the app from a minor's device.

9. Your rights

Under GDPR, UK GDPR, and similar frameworks, you have rights including access, rectification, erasure, restriction, and portability of your personal data. Because all data lives on your device, you exercise these rights directly:

Access & portability — your data is on your phone; you have full access to it.
Rectification — edit your profile at any time in the Profile tab.
Erasure — uninstall the app. All data is permanently deleted with no server-side residue.
Restriction / objection — disable discovery in Profile settings to stop broadcasting.

For any rights request, please use the feedback option on our Google Play listing and we will respond within 30 days.

10. Data retention

On-device data persists until you uninstall the app or use the "Start fresh" option in Profile settings (which clears waves and vibes but retains your profile). We collect no data from contact forms because we do not operate one.

11. Security

Peer-to-peer profile exchanges occur over encrypted connections provided by the Google Nearby Connections API. Since there is no central server, there is no central point of attack. Your device's own security (lock screen, OS encryption) protects locally stored app data.

12. Changes to this policy

We will update this page if our practices change and note the revision date at the top. Significant changes will be communicated via an in-app notice. Continued use of the app after a change constitutes acceptance of the updated policy.

13. Child Safety (CSAE Standards)

Wave & Vibe has a zero-tolerance policy for child sexual abuse and exploitation (CSAE) material. The app is strictly limited to users aged 18 and older and requires explicit age confirmation before a profile can be created.

Our standards against CSAE include:

No user under 18 may create a profile or use the app. Age confirmation is enforced at first launch and cannot be bypassed.
No user-generated content is stored on any server. All data is exchanged directly between devices, minimising the risk of CSAE material being hosted or distributed through our infrastructure.
Profile photos are screened on-device by Google ML Kit before being shared, which rejects images containing nudity or inappropriate content.
Any report or credible indication of CSAE material or activity involving minors will be reported immediately to the relevant national authorities and to the National Center for Missing & Exploited Children (NCMEC) where required by law.
Users can report concerns via the Google Play store listing. We review every report promptly.

If you have encountered or suspect CSAE material or activity, please contact your local law enforcement immediately. In the United States, you can also report to NCMEC at missingkids.org. In the EU, contact your national authority or Europol.

14. Feedback & contact

Questions about this policy or your data? Leave a review on our Google Play listing. We read every review.