Privacy Policy
Last updated: March 1, 2026
1. Overview
PosterVibe ("we", "our", or "us") operates the website at https://postervibe.app and provides album poster design tools (the "Service"). This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what choices you have.
By using our Service you agree to the practices described in this Policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
**Account information.** When you register, we collect your email address and a hashed password. If you sign in with Google OAuth, we receive your name, email, and profile photo from Google.
**Profile data.** You may optionally provide a display name. This is stored in our database and displayed within the app.
**Usage data.** We automatically collect information about how you interact with the Service — pages visited, features used, export actions, and error logs. This data is associated with your account or an anonymous session ID.
**Editor content.** Poster designs you save are stored as JSON in our database. Album metadata (titles, artists, track lists) fetched from third-party APIs is cached temporarily on our servers.
**Payment data.** Billing is handled entirely by Stripe. We do not store credit card numbers. We receive and store your Stripe customer ID and subscription status.
**Cookies & local storage.** We use session cookies for authentication and localStorage to persist editor state between sessions. See our Cookie Policy for details.
3. How We Use Your Information
We use the information we collect to:
• Provide, maintain, and improve the Service
• Authenticate your account and keep it secure
• Send transactional emails (account creation, password reset, billing receipts)
• Process payments via Stripe
• Respond to support requests
• Detect and prevent fraud or abuse
• Analyze aggregate usage patterns to improve product features
• Comply with legal obligations
We do not sell your personal data to third parties. We do not use your poster designs for advertising or AI training without explicit consent.
4. Data Sharing
We share your data only with trusted third-party service providers necessary to operate the Service:
**Neon (Neon Inc.)** — Managed PostgreSQL database hosting. Your projects and account data are stored here.
**Vercel Inc.** — Application hosting and CDN. Web traffic and logs pass through Vercel.
**Stripe, Inc.** — Payment processing. See Stripe's Privacy Policy for details.
**Spotify AB** — Album metadata is fetched from the Spotify API. No personal data is sent to Spotify.
**MusicBrainz** — Open-source music database used as a fallback. No personal data is sent.
**NextAuth.js / Google OAuth** — If you use Google sign-in, your authentication flow passes through Google's servers.
All processors are contractually bound to process data only on our instructions and to implement appropriate security measures.
5. Data Retention
We retain your account data and saved projects for as long as your account is active. If you delete your account, all associated data is permanently deleted within 30 days, except where retention is required by law (e.g., financial records required for 7 years in certain jurisdictions).
Anonymized aggregate analytics data may be retained indefinitely as it contains no personally identifiable information.
6. Security
We implement industry-standard security measures including:
• Passwords hashed with bcrypt
• HTTPS (TLS 1.2+) for all data in transit
• Database access restricted to application servers via private network
• Regular security dependency audits
No system is completely secure. In the event of a data breach affecting your personal data, we will notify you by email within 72 hours of becoming aware of the breach, as required by applicable law.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
**Access** — Request a copy of the personal data we hold about you.
**Rectification** — Correct inaccurate or incomplete data.
**Deletion** — Request deletion of your account and associated data.
**Portability** — Receive your project data in a machine-readable format (JSON).
**Objection** — Object to processing based on legitimate interests.
**Restriction** — Request that we restrict processing of your data while a dispute is resolved.
To exercise any of these rights, email us at privacy@postervibe.app. We will respond within 30 days. Residents of the EU/EEA may also lodge a complaint with their local data protection authority.
8. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child, we will delete it promptly. Please contact us at privacy@postervibe.app if you believe we have collected data from a child.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes your acceptance of the revised Policy.
10. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us:
Email: privacy@postervibe.app
Address: PosterVibe, [Company Address]