Vix – Your Manifestation Coach
Effective date: 9 July 2025
This Privacy Policy explains how Monday Labs Inc. ("Company", "we", "our", or "us") collects, uses, shares, and protects your information when you use Vix – Your Manifestation Coach mobile application, websites, and related services (collectively, the "Services"). It also describes your privacy rights and how you can exercise them.
By downloading, installing, registering for, accessing, or using the Services, you agree to this Privacy Policy and our Terms of Service.
Data: Email address, name, avatar URL, Apple ID or Google ID tokens, Supabase session JWT
Source: You via Apple Sign‑In / Google Sign‑In / guest flow
Purpose: Create & secure your account
Legal Basis: Contract (Art. 6 (1)(b))
Data: Gender / pronouns, age range, zodiac sign
Source: You during onboarding
Purpose: Personalise content & voice
Legal Basis: Consent (Art. 6 (1)(a))
Data: Manifestation goals, desires, journal entries, mood logs
Source: You in‑app
Purpose: Provide AI content & tracking
Legal Basis: Contract / Consent
Data: Device model, OS, IP address, Expo push token, network status, app version, internal UUID
Source: Automatically from your device
Purpose: App security, diagnostics, push notifications
Legal Basis: Legitimate interest (Art. 6 (1)(f))
Data: App‑open timestamps, streak counts, listening stats, achievements
Source: Automatically in‑app
Purpose: Feature analytics, habit tracking
Legal Basis: Legitimate interest
Data: Original purchase date, renewal & expiry dates, product ID, platform, RevenueCat event log, entitlement status
Source: RevenueCat webhook
Purpose: Fulfil premium features & bookkeeping
Legal Basis: Contract / Legal obligation (Art. 6 (1)(c))
Data: Mental‑health intentions (e.g., anxiety, stress)
Source: You during onboarding
Purpose: Tailor affirmations
Legal Basis: Explicit Consent (Art. 9 (2)(a))
Data: Microphone input (voice prompts)
Source: You in‑app
Purpose: Transcribed to generate AI content (audio deleted immediately; transcript stored)
Legal Basis: Contract
| Category | Data Elements | Source | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|---|---|
| Account & Authentication | Email address, name, avatar URL, Apple ID or Google ID tokens, Supabase session JWT | You via Apple Sign‑In / Google Sign‑In / guest flow | Create & secure your account | Contract (Art. 6 (1)(b)) |
| Demographic (voluntary) | Gender / pronouns, age range, zodiac sign | You during onboarding | Personalise content & voice | Consent (Art. 6 (1)(a)) |
| User‑generated content | Manifestation goals, desires, journal entries, mood logs | You in‑app | Provide AI content & tracking | Contract / Consent |
| Device & Technical | Device model, OS, IP address, Expo push token, network status, app version, internal UUID | Automatically from your device | App security, diagnostics, push notifications | Legitimate interest (Art. 6 (1)(f)) |
| Usage & Progress | App‑open timestamps, streak counts, listening stats, achievements | Automatically in‑app | Feature analytics, habit tracking | Legitimate interest |
| Subscription / Purchase | Original purchase date, renewal & expiry dates, product ID, platform, RevenueCat event log, entitlement status | RevenueCat webhook | Fulfil premium features & bookkeeping | Contract / Legal obligation (Art. 6 (1)(c)) |
| Sensitive Data Flags (optional) | Mental‑health intentions (e.g., anxiety, stress) | You during onboarding | Tailor affirmations | Explicit Consent (Art. 9 (2)(a)) |
| Audio Recordings | Microphone input (voice prompts) | You in‑app | Transcribed to generate AI content (audio deleted immediately; transcript stored) | Contract |
Children's Data. The Services are not directed to anyone under 16 and we do not knowingly collect personal data from children under 16. If we discover such data, we will delete it.
We use your information to:
We do not use your data to train public AI models. Enterprise APIs (e.g., OpenAI, ElevenLabs) process prompts/transcripts only to return results and cannot retain or reuse them for their model training.
We share your information only as necessary to operate the Services:
Service: Cloud database & auth
Data Shared: All stored data
Safeguard: DPA & SCCs in place
Service: Language generation
Data Shared: Prompt text / context
Safeguard: No training / 30‑day retention cap
Service: Voice synthesis
Data Shared: Text prompts
Safeguard: No training
Service: Subscription management
Data Shared: Purchase & entitlement data
Safeguard: DPA
Service: Push notifications, device constants
Data Shared: Device ID & token
Safeguard: DPA
Service: Sign‑in & payments
Data Shared: Auth & transaction data
Safeguard: Platform terms
| Recipient | Role / Service | Data Shared | Safeguard |
|---|---|---|---|
| Supabase | Cloud database & auth | All stored data | DPA & SCCs in place |
| OpenAI (Enterprise API) | Language generation | Prompt text / context | No training / 30‑day retention cap |
| ElevenLabs (Enterprise API) | Voice synthesis | Text prompts | No training |
| RevenueCat | Subscription management | Purchase & entitlement data | DPA |
| Expo Services | Push notifications, device constants | Device ID & token | DPA |
| Apple & Google | Sign‑in & payments | Auth & transaction data | Platform terms |
| Law enforcement / regulators | Legal compliance | As required by law | Legal obligation |
| Acquirers | Corporate transaction | Limited data as part of due diligence | Appropriate safeguards |
We do not sell your personal information.
Supabase and several processors store data in the United States. When we transfer data from the EU/UK/EEA, we rely on Standard Contractual Clauses or other approved safeguards under GDPR.
Until you delete the account or request erasure
7 years (tax & accounting)
12 months, unless needed for security investigations
Deleted immediately after transcription
Cleared on sign‑out or app uninstall
| Data Category | Retention Period |
|---|---|
| Account profile & UGC | Until you delete the account or request erasure |
| Subscription & purchase records | 7 years (tax & accounting) |
| Logs & diagnostics | 12 months, unless needed for security investigations |
| Audio recordings | Deleted immediately after transcription |
| Local device cache (AsyncStorage) | Cleared on sign‑out or app uninstall |
When you delete your account, we soft‑delete your profile, scramble personal identifiers, and queue associated content for permanent deletion within 30 days (unless retention is required by law).
Depending on your jurisdiction, you may have rights to:
You can exercise these rights via in‑app settings or by emailing privacy@vixapp.ai. We may verify your identity before responding. EU/UK users may lodge a complaint with their local data‑protection authority.
We implement technical and organisational measures to protect your data, including:
Despite these measures, no system is 100% secure; you use the Services at your own risk.
The mobile App uses local storage and push‑notification tokens to operate. Our websites (if any) may use first‑party cookies for session management and analytics. We do not use third‑party advertising cookies.
Vix uses AI to generate personalised content based on your inputs and mood history. This profiling is non‑consequential—it affects only the wording and tone of affirmations—and has no legal or similarly significant effect on you.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the App or by email at least 7 days before the new policy takes effect. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
If you have questions or concerns about this Privacy Policy or our data practices, contact us at: