Privacy Policy

Most content on the Platform is public and can be viewed by anyone — even without an account.

When you post content in public areas (such as tank journals, posts, comments, or stories), all visitors and users can see that content, your username, and when it was posted. This content may appear in search engine results (e.g., Google).

Your account has a public profile page that includes your username, display name, avatar, bio, tank list, and follower/following counts.

Please consider the public nature of the Platform before posting. By using the Services, you consent to the public display of such content.

Information You Provide:

• Account data: Email address, username, and password. Your username is public; you are not required to use your real name.

• Google OAuth data (if you choose to sign in with Google): We receive your email address, display name, and profile photo from Google. This data is used solely for authentication and populating your Vivaloop profile. We do not access your Google contacts, calendar, Drive, or any other Google services.

• Profile data: Display name, avatar, bio, and city/region. These are all optional and can be changed or removed at any time.

• Public content: Your tank profiles (name, photos, species, plants, equipment, journal entries), posts, comments, stories, and trade listings.

• Non-public content: Your private messages, reports, feedback submissions, and bookmark/notification preferences.

• Trading data: Listing information, approximate location (city/region), and trading preferences (sell/trade/giveaway).

Information We Collect Automatically:

• Log data: IP address, browser type, operating system, referring URL, and device information.

• Usage data: Pages viewed, interactions (likes, follows, bookmarks), and search queries.

• Cookie data: Essential login cookies and anonymous analytics cookies from Google Analytics (see the Cookies section below).

• Approximate location: General geographic location inferred from your IP address.

• Provide, maintain, and improve the Services

• Display your public profile, tanks, and posts

• Facilitate trade matchmaking between users

• Send in-app notifications (follows, likes, comments, trade messages)

• Personalize your content recommendations (e.g., home feed, explore page)

• Protect platform safety, detect abuse, and enforce our Terms of Service

• Analyze usage trends to improve platform features

• Comply with legal obligations

We do not use your data to:

• Sell your personal information to third parties or data brokers

• Send you third-party marketing emails

• Build user profiles for off-platform advertising

• Public content: Your tank profiles, posts, and comments are publicly visible and may be indexed by search engines.

• Service providers: We work with trusted third-party service providers to process data (see the list below). These providers are bound by strict confidentiality and security obligations.

• Legal requirements: We may disclose information when required by law, court order, or government request. We will notify you in advance where legally permitted.

• Safety: We may share necessary information to prevent fraud, protect user safety, or enforce our Terms of Service.

• Anonymized data: We may share aggregated or de-identified data that cannot reasonably be used to identify you.

We use the following third-party services to operate the Platform:

• Supabase (Database & Authentication) — Your account data and content are stored in Supabase's PostgreSQL database, hosted on servers in Tokyo, Japan. Authentication is handled by Supabase Auth.

• Google Analytics (Web Analytics) — We use Google Analytics 4 to collect anonymous usage statistics such as page views and general usage patterns. Google Analytics uses cookies. You can opt out via your browser settings, the Google Analytics Opt-out Browser Add-on, or by enabling Do Not Track in your browser.

• Vercel (Web Hosting) — The Platform is hosted on Vercel's global edge network.

• Cloudflare R2 (Image Storage) — User-uploaded photos are stored in Cloudflare R2 object storage.

Each of these services has its own privacy policy. We share only the minimum data necessary for them to provide their services.

Cookies We Use:

• Essential cookies: Maintain your login session and language preferences. The Platform cannot function properly without these cookies. They cannot be disabled.

• Analytics cookies: Google Analytics 4 uses cookies to collect anonymous usage data (page views, session duration, approximate location). These cookies do not personally identify you.

What We Do Not Use:

• Third-party advertising or tracking cookies

• Social media tracking pixels

• Cross-site tracking technologies

Managing Cookies: You can manage or delete cookies through your browser settings. Disabling essential cookies may affect features such as login functionality.

We implement appropriate measures to protect your data:

• All data transmissions are encrypted via HTTPS (TLS)

• The database uses Row Level Security (RLS) to ensure users can only access data they are authorized to view

• Passwords are hashed before storage and are never stored in plaintext

• Administrative access is restricted and protected by security policies

• Regular security reviews are conducted

While we strive to protect your data, no system can guarantee 100% security. If we discover a security breach that affects your personal data, we will notify affected users as required by law.

Under Taiwan's Personal Data Protection Act (PDPA), and as our commitment to all users regardless of location, you have the following rights:

• Access your data: You can access and download your personal data at any time through the Settings page.

• Correct your data: You can update or correct your account information in your profile settings.

• Delete your account: You can delete your account through the Settings page. Upon deletion, we will remove your personal data within a reasonable timeframe. Please note that public content you posted before deletion (posts, comments) may remain visible to others due to caching or citations.

• Request cessation of processing: You can request that we stop collecting or processing your data.

• Data portability: You can request a copy of your data through the feedback feature.

Additional rights for users in the EU/EEA: If you are located in the European Economic Area, you may also have the right to object to processing based on legitimate interests, the right to restrict processing, and the right to lodge a complaint with your local data protection authority. Our legal basis for processing your data includes: performance of our contract with you (providing the Services), your consent (where applicable), and our legitimate interests (platform safety, service improvement).

To exercise any of these rights, visit the Settings page or contact us through the in-app feedback feature.

• Account data: Retained until you delete your account.

• Public content: Published posts, comments, and tank data may remain visible after account deletion if you did not delete individual content items beforehand, though they will be disassociated from your account.

• Log and usage data: Periodically purged and typically retained for no more than 90 days.

• Anonymized data: Anonymous statistics (e.g., page views, feature usage counts) may be retained indefinitely.

• Legal obligations: We may retain certain data as required by law or to enforce our Terms of Service and prevent fraud.

The Platform is not intended for children under 13 years of age (or under 16 in jurisdictions where a higher age of consent applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us through the feedback feature and we will take immediate action to delete that information.

Your data may be transferred to and stored on servers located outside your country of residence, including in Japan and the United States. If you are accessing the Platform from outside Taiwan, please be aware that your data will be processed in jurisdictions that may have different data protection standards than your own. By using the Services, you consent to these transfers. We ensure that such transfers are protected by appropriate security measures. For users in the EU/EEA, transfers are conducted in accordance with applicable data protection requirements, including the use of standard contractual clauses or other recognized transfer mechanisms where applicable.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification and update the effective date on this page. Your continued use of the Platform after such changes constitutes acceptance of the updated policy.

If you have any privacy-related questions or wish to exercise your data rights, please contact us at privacy@vivaloop.app or through the in-app feedback feature. We will respond to your request within 30 days.