Megmaa Solutions Pvt. Ltd. (“Megmaa”, “Vybe”, “we”, “us”, “our”) operates the Vybe mobile application, the Vybe SDK, the website at vybe.megmaasolutions.com and related infrastructure. We are an Indian private limited company; our company facts are listed in our Terms of Service.
For the purpose of this Policy we are a:
- Data Fiduciary — under India's Digital Personal Data Protection Act 2023 (the “DPDP Act”).
- Data Controller — under the EU General Data Protection Regulation (“GDPR”) and the UK GDPR.
- Business — under the California Consumer Privacy Act, as amended by the CPRA (the “CCPA”).
This Policy applies to everyone who uses Vybe, regardless of where you live. Where your local law gives you more protection than the baseline below, that local law applies in addition.
1. The short version
- Your Vybe-to-Vybe chats are end-to-end encrypted. We cannot read them. Not us, not our staff, not law enforcement with a warrant.
- We never sell your data to advertisers, data brokers, analytics resellers or anyone else. We make money from subscriptions.
- You can export everything we hold about you, or delete your account in one tap, at any time.
- Our servers are in Mumbai (India) and Frankfurt (EU). International transfers use the safeguards described in §10.
- If you live in India, the EU/UK or California you have additional named rights — see §6.
2. The data we collect
2.1 Information you give us
- Account credentials — email and password (hashed with bcrypt; we never see your plaintext password). Optional: Google or Apple sign-in token in lieu of password.
- Profile — optional display name, profile photo, language preference.
- Phone numbers we provision for you — Indian or international Vybe Numbers, the country/region for each, and any KYC documentation required by the upstream carrier (proof of identity / address) for regulated jurisdictions.
- Payment information — handled entirely by the Apple App Store or Google Play Store. Vybe never sees your card number or bank details. We receive only a transaction reference + product purchased.
- Contacts you choose to sync — phone-number hashes (SHA-256) of contacts you import for the “Find friends on Vybe” feature. The plaintext contact stays on your device. You can disable sync at any time.
2.2 Information generated by use of Vybe
- Call metadata — caller and callee Vybe Numbers, call start/end timestamps, duration, direction, status code (answered / missed / voicemail), and billing tags. Stored for your call history and billing.
- SMS metadata — sender, recipient and timestamp for SMS sent from/to your Vybe Number. We do not store the plaintext message body beyond the brief window needed for carrier delivery and for you to read it in the app.
- Voicemails — audio recordings and (where you have enabled it) auto-transcribed text. Stored on your behalf so you can listen and search.
- End-to-end encrypted chat — Vybe-to-Vybe chat uses Olm/Megolm (the Signal protocol family). We hold only the encrypted ciphertext and the routing envelope. We cannot decrypt the content.
- Call recordings — only if you choose to record a call. Stored encrypted, accessible only to you. See §11 in our Terms for the legal implications.
2.3 Device and diagnostic data
- Push notification token — issued by Apple (APNs) or Google (FCM). Required to ring incoming calls and deliver chat notifications.
- App version, OS version, device model, screen size, locale — used to deliver compatible builds and diagnose crashes.
- Crash reports + performance metrics — captured by our crash-reporting provider. We strip personal data from breadcrumbs before upload.
- Product analytics — anonymised aggregate funnel metrics and (optionally) masked session replay. Categories of providers listed in §5.
- IP address — at the time of each request, for security, fraud prevention, and routing. Not stored for longer than 90 days.
- Approximate location — derived from IP at country level only. We do not collect GPS / precise location.
3. What we DON'T collect
- The plaintext content of your Vybe-to-Vybe chats. End-to-end encryption means we literally cannot read them.
- Your real SIM phone number (unless you choose to provide it for verification).
- Your contact list in plaintext — only one-way hashes (see §2.1).
- Your browsing history, web URLs, app usage outside of Vybe, GPS location, or biometric data.
- Sensitive personal data (race, religion, health, sexual orientation, political opinion) — we don't ask for any, and you should not put any in your profile.
4. Why we use it (legal bases)
Every category of personal data is processed for a specific purpose under a specific legal basis. The same processing may rely on different bases depending on your country.
| Purpose | India (DPDP) | EU / UK (GDPR) | California (CCPA) |
|---|---|---|---|
| Deliver calls, messages, voicemail you signed up for | Contract performance (§7) | Art. 6(1)(b) Contract | Business purpose |
| Bill you and process refunds | Contract / Legal obligation | Art. 6(1)(b) / (c) | Business purpose |
| Detect fraud, abuse, spam, security threats | Legitimate use (§7(j)) | Art. 6(1)(f) Legitimate interests | Business purpose |
| Comply with court orders, lawful intercept, tax law | Legal obligation | Art. 6(1)(c) Legal obligation | Legal obligation |
| Send product announcements + service emails | Legitimate use | Art. 6(1)(f) Legitimate interests | Business purpose |
| Marketing / promotional emails (opt-in only) | Consent | Art. 6(1)(a) Consent | Opt-in marketing |
| Optional analytics + crash replay | Consent | Art. 6(1)(a) Consent | Opt-in |
5. Who we share with (sub-processors)
We use carefully vetted Tier-1 service providers (“sub-processors”) to operate Vybe. They process data on our behalf under written Data Processing Agreements, only for the purpose we instruct, and never for their own purposes. By category:
- Voice and SMS carriers — to route calls and text messages between Vybe Numbers and the public phone network.
- Push-notification providers — Apple and Google's platform services, to deliver incoming-call ringers and chat notifications.
- Cloud hosting and content delivery — to run the Vybe servers and serve static assets.
- Encrypted object storage — to hold voicemail audio and (optional) call recordings.
- Crash reporting — to capture crash signals and diagnostic logs (PII stripped before upload).
- Product analytics — opt-in aggregate funnel metrics and masked session replay.
- Transactional email — to deliver receipts, security alerts and account notices.
- Platform payment processing — Apple App Store and Google Play handle all card data; we never see it.
A current, named list of our sub-processors is available on request at privacy@vybe.app. We respond within 7 days. We update the list at least 30 days before adding any new sub-processor that materially changes data flow.
We never sell or rent your personal information to advertisers, data brokers, marketing networks, AI training datasets, or any third party. Under CCPA “sale” and “share” definitions: we do not sell or share your personal information.
6. Your rights
Different laws use different names for similar rights. The table below maps your rights to their statutory source. You can exercise any of them at any time — see §7 for how.
| Right | India (DPDP) | EU / UK (GDPR) | California (CCPA) |
|---|---|---|---|
| Know what we hold about you / access | §11 | Art. 15 | §1798.110 |
| Correct inaccurate data | §12 | Art. 16 | §1798.106 |
| Delete your account + data | §12 | Art. 17 | §1798.105 |
| Export in a portable format | Implied by §11 | Art. 20 | §1798.100 |
| Withdraw consent | §6(4) | Art. 7(3) | Opt-out controls |
| Object to processing | Grievance under §13 | Art. 21 | §1798.120 |
| Nominate someone to exercise your rights after death/incapacity | §14 | — | — |
| Lodge a complaint with the regulator | Data Protection Board of India | Your local DPA | California AG / CPPA |
| Non-discrimination for exercising rights | — | — | §1798.125 |
7. How to exercise your rights
- From the app — Settings → Profile gives you direct controls for: export your data, delete account, withdraw consent for analytics, change communication preferences.
- By email — privacy@vybe.app. We will acknowledge within 7 days and respond substantively within 30 days (and faster where local law requires).
- By post — Privacy Team, Megmaa Solutions Pvt. Ltd., [registered office address].
We may need to verify your identity (typically a request from the email registered to your account) before processing your request. For California residents, you may also designate an authorised agent with written permission.
8. Children
Vybe is not directed to children below the age limit set by their country — typically 13 (US), 16 (EU/UK), or 18 (India for paid subscriptions; 13 for chat with verified parental consent). We do not knowingly collect personal data from children below the applicable age.
If you believe a child has registered, email privacy@vybe.app and we will delete the account.
9. Data retention
We keep your data only as long as we need it for the purpose for which it was collected, or for as long as the law requires.
| Category | Retention | Why |
|---|---|---|
| Active account data (profile, settings) | Until you delete the account | To provide the service |
| Call & SMS metadata | 2 years | Billing reconciliation, regulatory inquiry, fraud detection |
| Billing & tax records | 8 years | Income Tax Act 1961 §44AA, GST Act §36 |
| Voicemail recordings + transcripts | Until you delete them, or 90 days after account closure | For your access |
| End-to-end encrypted chat (ciphertext) | Until delivered + 30 days, or until you delete | Multi-device sync; we cannot read |
| Plaintext SMS body | Brief carrier-delivery window only | Required for delivery |
| IP address logs | 90 days | Security, abuse investigation |
| Crash reports | 90 days | Debug + product improvement |
| Backups | Anonymised at 30 days, purged at 90 days | Disaster recovery |
Deleting your account triggers a 30-day grace window (so an accidental deletion can be reversed). After 30 days, personal data is irreversibly purged from active systems. Anonymised statistical data and the legally-required billing records noted above are retained.
10. International transfers
Vybe servers are hosted primarily in Mumbai (India) and Frankfurt (EU). Some of our sub-processors operate from the United States and other jurisdictions — see §5 for the categories.
Cross-border transfers rely on one or more of the following safeguards:
- India (DPDP Act §16) — transfers to countries not restricted by the Central Government under the DPDP Act.
- EU/UK (GDPR Ch. V) — Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO; adequacy decisions where available.
- California (CCPA) — contractual safeguards prohibiting onward sale and limiting use to instructed purposes.
11. Security
- End-to-end encryption — Vybe-to-Vybe chats use Olm/Megolm (the Signal protocol family). Recording-feature audio is encrypted client-side.
- Transport — TLS 1.3, HSTS, certificate pinning on mobile clients.
- At rest — AES-256-GCM for sensitive fields; database disk encryption.
- Authentication — bcrypt password hashing, JWT access tokens (15-min lifetime) with rotating refresh tokens, OAuth (Google / Apple) where available, optional two-factor authentication.
- Operations — least-privilege production access, audit logging, separate per-environment credentials, rotated quarterly.
- Application security — annual third-party penetration testing, dependency vulnerability scanning, secure-development training for engineers, responsible-disclosure programme at security@vybe.app.
No system is perfectly secure. We commit to using industry best practice, but we cannot guarantee that personal data is fully immune from unauthorised access.
12. Data breach notification
If we suffer a personal-data breach that is likely to result in risk to your rights and freedoms, we will:
- Notify the Data Protection Board of India within 72 hours (per DPDP Act §8(6)).
- Notify the relevant EU/UK Data Protection Authority within 72 hours (per GDPR Art. 33).
- Notify affected users without undue delay (per GDPR Art. 34, DPDP §8(6), and applicable US state breach laws).
13. Marketing and communications
Service emails (billing receipts, security alerts, account notices, policy changes) are sent on a transactional basis and cannot be opted out of while your account is active.
Marketing emails (product announcements, feature launches, tips) are sent only if you opt in. You can withdraw consent at any time from Settings → Notifications or by clicking the unsubscribe link in any marketing email.
14. Automated decision-making
We do not make decisions with significant legal or similarly significant effects about you based solely on automated processing. Some of our anti-spam, anti-abuse and fraud-detection systems use machine-learned rules, but every adverse action that affects your account (suspension, termination) is reviewed by a human before it takes effect.
15. Cookies and similar technologies
The Vybe mobile app does not use browser cookies. It uses standard OS keychains / encrypted local storage for session tokens and your settings.
Our website at vybe.megmaasolutions.com uses a minimal set of first-party cookies — described in our Cookie Policy — and respects the “Do Not Track” and Global Privacy Control signals.
16. Lodge a complaint
You always have the right to lodge a complaint with the relevant regulator if you believe we have not handled your personal data in accordance with applicable law.
- India — Data Protection Board of India (once operational; see meity.gov.in).
- EU — your local Data Protection Authority (full list at edpb.europa.eu).
- UK — Information Commissioner's Office (ico.org.uk).
- California — California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General.
We'd appreciate the chance to address your concern first — please write to us at privacy@vybe.app or to the Grievance Officer below.
17. Data Protection Officer & Grievance Officer
Data Protection Officer (global)
- Name: [insert DPO name]
- Email: privacy@vybe.app
- Postal: Data Protection Officer, Megmaa Solutions Pvt. Ltd., [registered office address]
Grievance Officer (India — DPDP Act §10(2)(c) + IT Rules 2021)
- Name: [insert Grievance Officer name]
- Email: grievance@vybe.app
- Postal: Grievance Officer, Megmaa Solutions Pvt. Ltd., [registered office address]
- Working hours: Monday–Friday, 10:00–18:00 IST (excluding public holidays)
We will acknowledge grievances within 24 hoursand resolve them within 15 days.
EU Representative (GDPR Art. 27) — appointed for users in the European Union: eu-rep@vybe.app.
UK Representative (UK GDPR Art. 27) — appointed for users in the United Kingdom: uk-rep@vybe.app.
18. Changes to this Policy
We may update this Privacy Policy from time to time. For material changes we will notify you at least 30 days in advancevia email and in-app notice. Minor clarifications may take effect immediately. The “Last updated” date at the top of this page always reflects the current version. Older versions are available on request.
19. Contact
- Privacy questions: privacy@vybe.app
- Grievance officer (India): grievance@vybe.app
- Security disclosure: security@vybe.app
- General support: support@vybe.app
- EU Representative: eu-rep@vybe.app
- UK Representative: uk-rep@vybe.app
Megmaa Solutions Pvt. Ltd. · [Registered office, City, State, India]