Privacy Policy
1. Who We Are
Foundry26 ("we", "us", "our") operates the Vael mobile application ("Vael", "the App"), available on iOS and Android. Contact us at [email protected].
2. Scope
This policy covers data collected by (a) the Vael mobile app and (b) the myvael.app website. It does not cover third-party websites linked from our pages.
3. The Data We Collect
| Data | How Collected | Stored? | Retention |
|---|---|---|---|
| Anonymous Firebase UID | Automatically at install | Yes | Until deletion + 30-day grace |
| Pseudonym | Profile setup | Yes | Until deletion |
| Age bracket (optional) | Profile setup | Yes | Until deletion |
| Gender (optional) | Profile setup | Yes | Until deletion |
| Thought content & image | Thought Composer | Yes | Until deleted or curated |
| Approximate location (coarse GeoPoint ±1–2km) | When posting | Yes — with thought only | Until thought deleted |
| Precise GPS coordinates | In-session only | Never stored | N/A |
| Echoes & Hugs (per-user presence on a thought) | Tap echo / hug button | Yes — per-user record under thought | Until you withdraw, the thought is deleted, or your account is deleted |
| Mosaic reactions (Hear You, Sending Strength, Me Too, Love This) | Tap a mosaic chip on a thought | Yes — one per-user record per thought (only your latest reaction is stored) | Until you withdraw, the thought is deleted, or your account is deleted |
| Poll votes (option A or B per thought) | Tap a poll option on a thought | Yes — one per-user record per thought (only the latest vote is kept) | Until you withdraw, the thought is deleted, or your account is deleted |
| Saved thoughts (“Echoed” bookmarks) | Tap the bookmark on another user’s thought | Yes — stored privately under your account; visible only to you | Until you unsave, the thought is deleted, or your account is deleted |
| Block list (users you have blocked) | Tap “Block User” in the report/block flow | Yes — stored privately under your account; visible only to you | Until you unblock or your account is deleted |
| Reports you submit (target id, reason, optional free-text) | In-app report flow | Yes — admin moderation system | 24 months (legal hold) |
| FCM push token | Firebase Messaging | Yes | Until session refresh or deletion |
| Chat messages (text/voice/image) | Chat feature | Yes | Until thread deleted or TTL expiry |
| View-once images | Chat feature | 7-day moderation window | Auto-deleted after 7 days |
| Report submissions | Report flow | Yes | 24 months (legal hold) |
| Email address (from OAuth provider) | Sign-in via Google / Apple / Facebook | Yes — admin system only | Until account deletion + 30-day grace |
| Biometric data | OS secure enclave only | Never received by Foundry26 | N/A |
| Device identifier (ban enforcement) | App start (moderation) | Yes — admin system only | Up to 12 months post-ban |
| Web analytics (myvael.app) | Firebase Analytics | IP-anonymised events | 26 months |
We collect the email address supplied by Google, Apple, or Facebook only when you sign in with those providers. That email is used solely for compliance and safety purposes, including age verification, ban enforcement, and lawful requests.
4. What We Do NOT Collect
We explicitly do not collect:
- Phone numbers or real names
- Profile photos
- Precise GPS movement history or location logs
- Financial or payment data
- Contacts or address book data
5. Lawful Bases for Processing (GDPR / UK GDPR)
| Processing Activity | Lawful Basis |
|---|---|
| Anonymous UID creation | Contractual necessity (Art. 6(1)(b)) |
| Storing thought content and reactions | Contractual necessity (Art. 6(1)(b)) |
| Storing per-user poll votes and mosaic reactions for aggregation | Contractual necessity (Art. 6(1)(b)) |
| Storing your private save list (“Echoed”) and block list | Contractual necessity (Art. 6(1)(b)) |
| Coarse location storage with thoughts | Contractual necessity (Art. 6(1)(b)) |
| Push notification delivery | Contractual necessity / Consent (Art. 6(1)(a)/(b)) |
| Moderation reports and audit logs | Legal obligation (Art. 6(1)(c)) |
| Device identifier (ban enforcement) | Legitimate interests — platform integrity (Art. 6(1)(f)) |
| Web analytics (IP-anonymised) | Legitimate interests — service improvement (Art. 6(1)(f)) |
6. Location Data — Special Notice
Your precise GPS coordinates are used in-session only to calculate which thoughts are within your selected radius and to assign a coarse GeoPoint (±1–2km accuracy) to your own thoughts. Precise coordinates are discarded immediately after this calculation. We do not build location history, movement logs, or location profiles of any kind.
7. Biometric Data — Special Notice
The optional App Lock feature uses Face ID or fingerprint recognition. This biometric processing is performed entirely by your device's operating system secure enclave (Apple Secure Enclave / Android TEE). Foundry26 never receives, transmits, processes, or stores any biometric identifier. This feature is outside the scope of BIPA (Illinois Biometric Information Privacy Act) and equivalent state laws.
8. Anonymous Authentication
Users sign in via Google, Apple, or Facebook. The email address provided by the OAuth provider is collected and stored solely for compliance and safety purposes — including ban enforcement and responding to law enforcement requests. It is never used for marketing, advertising, or profiling. The email is accessible only to Foundry26 admin staff and is not shared with third parties except where legally required.
8A. Reactions, Polls, and Saved Content — Special Notice
Engagement on Vael is intentionally structured (no free-text replies). Each action you take — echo, hug, poll vote, mosaic reaction, or saving a thought — stores a small private record linked to your anonymous UID and the relevant thought. No other user can see your individual choice; only you and Foundry26 can access it.
- Echo / Hug: A private record tied to your anonymous UID. Removing your echo or hug deletes it immediately.
- Poll vote: One record per thought, containing the option you chose. Changing your vote overwrites the record; withdrawing your vote deletes it.
- Mosaic reaction: One record per thought, containing the reaction you chose. Changing or withdrawing your reaction overwrites or deletes it.
- Saved thought (“Echoed”): A private record visible only to you. The thought’s author is never notified that you saved their post. Unsaving deletes the record.
Other users only ever see aggregate counts (“12 hear you”, “64% Option A”) — never your individual vote, reaction, or save. Your saves and your block list are never displayed to anyone other than you.
If the thought’s author deletes the thought, all related per-user records (echoes, hugs, poll votes, mosaic reactions, saves) are deleted server-side. If you delete your account, all per-user records you authored are deleted within the timelines stated in our Data Deletion Policy.
9. How We Share Your Data
We do not sell your personal data. Data is shared only in these limited circumstances:
- Firebase (Google LLC, US): Our infrastructure provider for auth, database, storage, functions, and messaging. Governed by EU Standard Contractual Clauses (SCCs). policies.google.com
- Pexels (Canva Pty Ltd, AU): Your search query string for thought backgrounds. No other data shared. pexels.com/privacy-policy
- Apple / Google / Facebook: Email address and OAuth token. See their respective privacy policies.
- Legal requirements: We may disclose data to law enforcement where legally required. See Law Enforcement Policy.
- Business transfers: If Foundry26 is acquired, users will be notified via in-app notice before any data transfer.
9A. Automated Processing of Reactions and Votes
When you submit a poll vote, mosaic reaction, echo, or hug, an automated server-side process runs to:
- Record your individual choice as described in §8A above; and
- Update the aggregate totals visible to other users so that public counts remain accurate.
This processing is purely arithmetic. No profiling, scoring, ranking, or advertising decision is made about you. The process exists only to keep public counts in sync with individual choices and to enforce one vote or reaction per user per thought. We rely on Article 6(1)(b) GDPR (contractual necessity) for this processing; it does not constitute a decision producing legal effects under Article 22.
10. International Data Transfers
Vael is powered by Firebase (Google LLC, US). Personal data is transferred to the US under EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).
11. Your Rights (GDPR / UK GDPR)
If you are in the EEA or UK, you have the right to: Access · Erasure · Portability · Restriction · Object · Withdraw consent.
Contact [email protected]. We respond within 30 days. Complaints may be lodged with the ICO (ico.org.uk) or your local supervisory authority.
12. Your Rights (CCPA / CPRA — California)
California residents have the right to: know what we collect; delete personal information; correct inaccurate information; opt out of "sale" or "sharing" for cross-context behavioural advertising.
Foundry26 does not sell or share personal information for cross-context behavioural advertising. To exercise California rights, email [email protected] with "CCPA Request" in the subject line.
13. Children & Age Policy
Vael is intended exclusively for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a user under 18 is using Vael, contact [email protected] or use the in-app report function. Confirmed underage accounts are deleted immediately.
14. Data Security
All data in transit is encrypted via TLS 1.2+. Data at rest in Firestore and Firebase Storage is encrypted with AES-256 by Google. Firebase Security Rules enforce user-scoped access controls. Admin access is restricted to a separate allowlist.
15. Data Breach Notification
In the event of a personal data breach posing risk to users' rights, Foundry26 will notify the relevant supervisory authority (ICO for UK operations) within 72 hours per GDPR Article 33. Affected users will be notified without undue delay where high risk exists.
16. India (DPDP Act 2023)
If you are located in India, Foundry26 acts as the Data Fiduciary under the Digital Personal Data Protection Act 2023. You have the right to access, correct, and erase your personal data. Contact [email protected].
17. Brazil (LGPD)
If you are located in Brazil, processing is governed by the LGPD. Rights equivalent to GDPR Section 11 apply. Contact [email protected].
18. Australia (Privacy Act 1988)
We comply with the Australian Privacy Principles. Complaints may be directed to the OAIC (oaic.gov.au).
19. Cookies & Tracking (myvael.app)
myvael.app uses Firebase Analytics with IP anonymisation enabled. No advertising cookies. No third-party tracking pixels. See our Cookie Policy.
20. Changes to This Policy
Material changes will be communicated via an in-app notice. Continued use of Vael after the effective date constitutes acceptance of the updated policy.
Foundry26 · [email protected] · myvael.app · Effective: April 19, 2026