← Back to Home

Privacy Policy

Last updated: May 4, 2026

VibeKOL ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application VibeKOL (the "App"), including its Facebook Login, Facebook Page posting, and Facebook Messenger Agent features.

1. Information We Collect

1.1 Information You Provide

  • Account Information: When you sign in with Google, we receive your name, email address, and profile picture from your Google account.
  • Facebook Account Information: When you connect a Facebook account through Facebook Login for Business, we receive your public profile, the list of Facebook Pages you manage (Page ID, Page name), and a Page Access Token for each Page you select. See Section 5 for full details.
  • User Content: Photos you upload (product photos, model photos), AI-generated images and videos, KOL profiles, text prompts, captions, and knowledge-base files you upload for the Agent feature.
  • Purchase Information: When you make in-app purchases, transaction details are processed by Apple App Store or Google Play Store. We receive confirmation of purchases but do not store your payment card details.

1.2 Information Collected Automatically

  • Device Information: Device type, operating system version, unique device identifiers.
  • Usage Data: App features used, generation history, credits consumed, session duration.
  • Analytics Data: We use Firebase Analytics to understand how users interact with the App.

2. How We Use Your Information

  • To provide and maintain the App's core functionality (AI image/video generation, KOL management)
  • To publish content you create to Facebook Pages you have explicitly connected, using the caption and media you have selected
  • To receive Facebook Messenger events for connected Pages and generate AI replies when you have enabled the Messenger Agent feature
  • To process your in-app purchases and manage your credit balance
  • To sync your data across devices via Google Drive (when you enable Cloud Sync)
  • To improve the App's performance, features, and user experience
  • To communicate with you about updates, support, and promotional offers (with your consent)
  • To detect, prevent, and address technical issues or abuse

3. AI-Generated Content & Your Consent for Third-Party AI Processing

The App's image generation, video generation, caption suggestion, video script suggestion, and Messenger Agent reply features rely on third-party artificial intelligence services. Before any of these features sends your data off your device, the App will display an in-app consent dialog and will not transmit anything until you tap Agree. You can revoke that consent at any time from the user menu (Avatar β†’ Data Sharing β†’ Revoke Consent). Revoking blocks new AI requests but does not delete content that was already generated.

3.1 Data we send to AI services

  • Face / portrait images you upload from your camera roll or capture in-app (KOL portraits, model references)
  • Product images you upload from your camera roll
  • Text prompts you type to describe an image, video, or post caption
  • Generated images and videos (passed back into Gemini for caption / script suggestions)
  • Knowledge-base files (PDF, TXT, URL content) you upload for the Messenger Agent feature
  • Incoming Messenger messages sent by visitors to a Page on which you have enabled the Messenger Agent

3.2 How this data is collected

All inputs above are provided by you directly through the App's image picker, camera, file picker, and text fields β€” except for Messenger messages, which are delivered to our backend by Meta's webhook in real time when you have enabled the Messenger Agent on a connected Page.

3.3 What we use this data for

  • Generating images via Google Vertex AI (Gemini)
  • Generating videos via Google Veo
  • Generating Facebook post captions via Google Vertex AI (Gemini)
  • Generating Veo video scripts via Google Vertex AI (Gemini)
  • Extracting text from your uploaded knowledge-base PDFs / URLs via Google Vertex AI (Gemini)
  • Generating Messenger replies on your behalf via Google Vertex AI (Gemini)
  • Publishing the content you author to Pages you have connected via the Meta Graph API

We do not use your inputs or generated content to train any AI model.

3.4 Third parties that may process your data

Third partyRolePrivacy policy
Google LLC Vertex AI / Gemini, Veo, Cloud Run backend, Firebase (Auth, RTDB, Storage, App Check), Google Drive (optional sync) policies.google.com/privacy
Meta Platforms, Inc. Facebook Login for Business, Graph API publishing, Messenger webhook delivery facebook.com/privacy/policy
Apple Inc. App Store in-app purchases (iOS) apple.com/legal/privacy
Google LLC (Play) Google Play Billing in-app purchases (Android) policies.google.com/privacy

3.5 Equivalent protection

We have reviewed each third-party processor named above and confirm that they provide privacy and security protections at a level equivalent to or stronger than those described in this Policy, including encryption in transit, restricted access, audit logging, regional data-residency controls, and contractual obligations not to use your content to train their AI models without your consent. Each processor is independently certified under recognized frameworks (Google: ISO 27001 / 27017 / 27018, SOC 2, GDPR / CCPA compliance; Meta: ISO 27001, SOC 2, GDPR / CCPA compliance).

3.6 Withdrawing consent

You may withdraw your consent at any time. To withdraw, open the App, tap your avatar in the top-right corner, choose Data Sharing, and tap Revoke Consent. Once revoked, the App will no longer call third-party AI services on your behalf. You will be asked again the next time you initiate an AI generation. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

4. Facial Data Collection and Use

This Section provides additional, dedicated transparency about how the App handles facial / portrait images, in line with biometric-data privacy laws (such as Illinois BIPA, Texas CUBI, and the EU GDPR's special-category rules) and Apple App Store / Google Play store requirements. It supplements β€” but does not replace β€” Section 3 above.

4.1 What we collect

VibeKOL collects facial / portrait images only when you explicitly upload them from your camera roll, choose them from your KOL library, or capture them with the in-app camera and tap the upload button. The App does not activate the camera, microphone, or any biometric sensor in the background. The App does not perform on-device face detection, face recognition, faceprint extraction, or liveness checks; we do not generate or store any biometric template, faceprint, embedding, or identifier derived from a face.

4.2 How we use it

Facial images you provide are sent to Google Vertex AI (Gemini and Veo) for the sole purpose of generating the image or video you requested (KOL portrait, product model photo, video clip). We do not use facial data for:

  • Advertising or marketing personalization
  • Identity verification, KYC, or authentication
  • Surveillance, tracking, or analytics on the depicted person
  • Building a faceprint, biometric template, or face-recognition database
  • Training any AI model β€” neither ours nor the third-party providers'
  • Sharing with advertisers, data brokers, or any party other than the AI processors named in Section 4.3

4.3 Sharing

Facial data is shared only with the AI processors needed to fulfil your generation request, namely Google LLC (Vertex AI Gemini, Veo, Cloud Run worker, Firebase Cloud Storage). Each processor is contractually required to provide an equivalent or stronger level of data protection, as further described in Section 3.5. For their handling of your data, see Google's Privacy Policy and the Google Cloud Data Processing Addendum.

4.4 Processing pipeline and intermediate storage

Image and video generation runs as a background job through Google Cloud Tasks β†’ Google Cloud Run β†’ Vertex AI. To support this asynchronous pipeline, your uploaded image is briefly written to Firebase Cloud Storage at image/{jobId}/<name>.png (encrypted in transit and at rest, region asia-southeast1) so the Cloud Run worker can read it. The intermediate file is automatically deleted as soon as the job finishes; an automated cleanup hard-caps any orphaned file at 24 hours. Generated outputs are returned to your device and stored in your local Hive database under images/{userId}/{kol|history|videos}/.

4.5 Retention

  • Intermediate Firebase Storage copy: deleted at job completion; hard cap of 24 hours.
  • Generated KOL / history / video outputs: retained on your device until you delete them. If Cloud Sync is enabled, a copy is stored in your own Google Drive (we have no access).
  • Vertex AI / Veo: processed under Google's service-specific data terms; we do not retain facial inputs at the AI provider beyond the request lifecycle.
  • Account deletion: when you delete your account (see Section 10), all associated facial images, KOL portraits, and generation history are removed within 30 days.

4.6 Storage location

  • On your device: encrypted Hive databases on iOS / Android local storage.
  • Backend transit storage: Firebase Cloud Storage in Google Cloud region asia-southeast1 (Singapore).
  • AI processing: Google Vertex AI managed infrastructure (Google's global Vertex AI footprint, primarily US and EU regions).

4.7 How to request deletion

You can delete an individual image at any time inside the App (Gallery β†’ long-press β†’ Delete; KOL β†’ swipe β†’ Delete). To delete all facial data we hold, delete your account from the user menu (Avatar β†’ Delete Account) or email hello@nviai.com from the address linked to your account. Deletion is completed within 30 days.

4.8 We discourage uploading real faces

For your privacy and to reduce the risk of misuse, the App actively encourages you to create fully AI-generated KOL portraits via the KOL AI tab rather than uploading photos of real people. The App is built for marketing and e-commerce content creation and does not attempt to produce a photorealistic likeness of a real, identifiable individual. If you choose to upload a real person's photo, you confirm that you are that person or have their explicit, informed consent to use their image for AI generation, and you accept full responsibility for that upload under applicable law.

5. Facebook Login & Meta Integration

VibeKOL uses Facebook Login for Business and the Meta Graph API to let you connect Facebook Pages you manage, publish content to those Pages, and optionally enable an AI Messenger Agent. Facebook Login is strictly optional β€” you can use the rest of the App without connecting any Facebook account.

4.1 Permissions We Request

PermissionWhy we use it
public_profileIdentify you during OAuth (default permission).
pages_show_listShow the list of Pages you manage so you can choose which Page to connect.
pages_manage_postsPublish image, video, and text posts to Pages you have connected, using content you author in the App.
pages_read_engagementRead basic Page metadata (Page name and ID) to display connected Pages inside the App.
pages_manage_metadataSubscribe a connected Page to our Messenger webhook when you enable the Messenger Agent feature.
pages_messagingSend and receive Messenger messages on behalf of a connected Page when you enable the Messenger Agent feature (optional).

We do not request email, user_friends, user_gender, user_birthday, user_posts, or any other user-level advanced-access permissions. All Meta API calls are Page-scoped β€” we never post to your personal timeline.

4.2 Facebook Data We Store

  • Page ID and Page name β€” stored in our Firebase Realtime Database so the App can display your connected Pages.
  • Page Access Token β€” stored in our Firebase Realtime Database (path page_tokens/{pageId}/access_token), used solely to call the Graph API on your behalf when you publish a post or reply to a message.
  • Agent configuration β€” the settings you choose for each Agent (whether auto-reply is enabled, which knowledge base is attached) stored at agents/{uid}/{agentId}.

Tokens and Page data are retained only while your Agent is connected. When you disconnect a Page inside the App, we call DELETE /{page-id}/subscribed_apps to unsubscribe our webhook, call DELETE /me/permissions to revoke app permissions, and then delete the stored token and Page record from our database.

4.3 Graph API Endpoints Used

  • GET /me/accounts β€” list the Pages you manage during setup
  • POST /{page-id}/photos β€” publish image posts you compose in the App
  • POST /{page-id}/videos β€” publish video posts you compose in the App
  • POST /{page-id}/feed β€” publish text posts you compose in the App
  • POST /{page-id}/subscribed_apps β€” subscribe your Page to our Messenger webhook (only if Messenger Agent is enabled)
  • DELETE /{page-id}/subscribed_apps and DELETE /me/permissions β€” executed when you disconnect

For information about how Meta processes your data, see Meta's Privacy Policy and Meta Platform Terms.

6. Facebook Messenger Agent (Optional)

If you choose to enable the Messenger Agent on a connected Page, the following additional processing takes place:

  • Incoming messages sent by your Page visitors are delivered to our backend via Meta's webhook in real time.
  • We pass the message text and conversation context to Google's Gemini API to generate an AI reply, which we then post back to the Page via the Graph API.
  • If you attach a knowledge base (RAG), files you upload are stored in our secure backend storage and used only to augment Agent replies for that specific Agent.
  • We do not use end-user message content or your knowledge-base files to train AI models.
  • Message content is retained only as long as necessary to generate and deliver the reply, plus short-term logs for abuse prevention and debugging (≀ 30 days).
  • End users messaging your Page should be informed that they are interacting with an AI assistant β€” you are responsible for providing this disclosure in accordance with applicable law and Meta's policies.

7. Data Storage & Security

  • Local Storage: Your KOL profiles, generation history, and generated images are stored locally on your device using encrypted storage.
  • Cloud Sync: If you enable Cloud Sync, your data is stored in your personal Google Drive account. We do not have access to your Google Drive data.
  • Firebase: Account information, credit balances, Agent configurations, and Page Access Tokens are stored in Firebase Realtime Database with industry-standard security measures and access rules that restrict data to the owning user.
  • Backend (Cloud Run): Our Agent API runs on Google Cloud Run in asia-southeast1. Webhook events and knowledge-base files are processed in this environment.
  • App Check: We use Firebase App Check to verify that requests originate from our genuine App and block unauthorized clients.

8. Data Sharing

We do not sell your personal information. We may share data with:

  • Google (Firebase, Gemini AI, Vertex AI, Google Drive): infrastructure, authentication, generation, and optional sync
  • Meta Platforms, Inc. (Facebook Login, Graph API, Messenger webhooks): only data necessary to perform the actions you initiate on your connected Pages
  • Apple & Google (App Stores): for purchase processing
  • Legal Requirements: when required by law or to protect our rights

9. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Withdraw consent for data processing
  • Disconnect any Facebook Page at any time from within the App
  • Export your data (via Google Drive sync)
  • Opt out of promotional communications

10. Data Deletion

You can delete your data at any time using the options below.

9.1 Delete Facebook-Related Data

  • In-app: Go to the Agent tab β†’ open the Agent β†’ tap Disconnect. This action (a) unsubscribes the Page from our webhook, (b) revokes the app's permissions via DELETE /me/permissions, and (c) deletes the stored Page Access Token, Page record, and Agent configuration from our database.
  • From Facebook: Open Facebook β†’ Settings & Privacy β†’ Settings β†’ Apps and Websites, find VibeKOL, and remove it. Meta will notify our app and we will delete the associated tokens within 30 days.

9.2 Delete Your Entire Account

To permanently delete your VibeKOL account and all associated data (KOLs, generation history, Agent configurations, Facebook tokens, purchase records where permitted), email us at hello@nviai.com from the address associated with your account. We will complete deletion within 30 days and confirm by email.

9.3 Data Deletion Callback

Our Data Deletion Request URL for Meta platform compliance is:
https://vibekol.com/data-deletion

11. Children's Privacy

The App is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us.

12. Data Retention

We retain your account data for as long as your account is active. Facebook Page Access Tokens are retained only while the corresponding Agent is connected. Message content processed by the Messenger Agent is retained for at most 30 days in short-term logs for abuse prevention and debugging. You can delete your data at any time by:

  • Deleting individual KOLs and generated images within the App
  • Disconnecting individual Facebook Pages from the Agent tab
  • Disabling Cloud Sync to remove cloud-stored data
  • Contacting us to request full account deletion (see Section 10)

13. International Data Transfers

Your data may be processed in countries other than your own, including the United States (Google's servers) and Singapore / asia-southeast1 (our Cloud Run backend). We ensure appropriate safeguards are in place for international data transfers.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the App or via email. Your continued use of the App after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Email: hello@nviai.com