Tribes.app

Privacy Policy

Version 1.0.0 — Effective April 30, 2026

Tribes.app ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our social networking platform.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Identity data: Your name, email address, and profile avatar.
  • Authentication data: Passkey (WebAuthn) credentials. We never store passwords — authentication is handled via industry-standard FIDO2/WebAuthn protocols.
  • OAuth data: If you sign in via Google or Apple, we receive your name, email, and profile picture from your account. Apple may choose to hide your email via their Private Email Relay service.
1.2 Content You Create

We store content you voluntarily provide:

  • Posts, comments, and reactions ("vibes")
  • Images and files you upload
  • Profile information including bio, aliases, and personal wall blocks
  • Event RSVPs and event stream posts
  • Bond connections and tribe memberships
1.3 AI Interactions

If you use the T-Codex Prime AI assistant, your messages and the assistant's responses may be transmitted to a third-party AI inference provider for processing. We do not use your AI conversations to train models. The AI provider is configurable by platform administrators and may change. See Section 5 for details.

1.4 NFC & Proximity Bonding

When you use Tap-to-Bond (NFC) or nearby discovery (Bluetooth/Bonjour), the following data is exchanged directly between devices:

  • A temporary cryptographic challenge and your user ID (not your name or email) are transmitted via NFC.
  • Bluetooth/Bonjour discovery broadcasts a randomized local service identifier — your personal information is not broadcast.
  • Proximity bonding data is used solely to establish a verified bond between two users. It is not stored on our servers beyond the resulting bond record.
1.5 Biometric Authentication

Tribes.app uses passkeys (WebAuthn/FIDO2) for authentication. Key privacy facts:

  • Biometric data never leaves your device. Face ID, Touch ID, or other biometric verification happens entirely on your hardware.
  • Our servers only receive and store a public key and credential ID — never your biometric template, fingerprint, or face data.
  • You can register multiple passkeys and revoke them individually in Settings.
1.6 End-to-End Encryption (E2E)

Private tribe content, journal posts, and bond messages are end-to-end encrypted:

  • Encryption keys are generated on your device and stored in your browser's IndexedDB.
  • Our servers store only the ciphertext — we cannot read your encrypted content.
  • When you join a private tribe, the tribe founder's device encrypts and delivers the group key to your device via a key-exchange protocol (RSA-OAEP + AES-GCM).
  • If you clear your browser data, you will need to re-sync keys from another authorized device or the tribe founder.
1.7 Content Safety Scanning

To comply with child safety obligations, we perform the following on public (non-encrypted) uploads only:

  • PDQ perceptual hashing: Uploaded images are hashed using the open-source PDQ algorithm and compared against known CSAM hash lists provided by NCMEC.
  • No scanning of encrypted content: End-to-end encrypted files and messages are never scanned, as we cannot access the plaintext.
  • If a match is detected, the content is blocked and a report is filed with NCMEC as required by federal law (18 U.S.C. § 2258A).
1.8 Automatically Collected Data
  • Session data: Session identifiers and user-agent strings for security and session management.
  • Cookies: See our Cookie Policy for details.

2. How We Use Your Information

  • Provide the service: Display your content to other users, manage tribe memberships and bonds, facilitate events.
  • Authentication & security: Verify your identity via passkeys, manage sessions, enforce platform safety.
  • Billing: Process subscriptions and payments via Stripe (web) or Apple In-App Purchase (iOS). We do not store your payment card details.
  • Communication: Send transactional emails (event reminders, verification), and commercial emails (only with your consent).
  • AI features: Process your messages through AI inference to provide assistant responses.
  • Moderation: Review reported content and enforce community guidelines.

3. Third-Party Sharing

We share data with third parties only as necessary:

ProviderPurposeData Shared
StripePayment processing (web)Email, subscription plan, Stripe customer ID
AppleIn-App Purchase processing (iOS)Apple transaction ID, subscription status (via App Store Server API)
AI Inference ProviderAI assistant responsesConversation messages (user inputs + AI responses)
S3-Compatible StorageFile/image hostingUploaded files (images, avatars)
Google OAuthAuthentication (optional)OAuth tokens (received from Google, not sent)
Apple Sign-InAuthentication (optional)OAuth tokens (received from Apple, not sent)

We do not sell your personal data to third parties.

4. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, we permanently remove your personal information and either delete or anonymize your content. Posts with replies from other users are anonymized (author set to "Deleted User") to preserve conversation thread integrity.

5. AI Data Processing

The T-Codex Prime AI assistant processes your messages through an external AI provider. Key points:

  • Your conversation history is sent to the configured AI endpoint for each interaction.
  • Platform administrators may change the AI provider. The current provider may be self-hosted or cloud-based.
  • We do not use your AI conversations for model training purposes.
  • Recommendation: Do not share sensitive personal information (passwords, financial details, health data) in AI conversations.

6. Your Rights

GDPR (EU/EEA Residents)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data (via Settings → Identity & Profile)
  • Erase your data (via Settings → Delete Account)
  • Object to processing
  • Data portability — request a copy of your data
  • Withdraw consent at any time
CCPA / CPRA (California Residents)

You have the right to:

  • Know what personal information is collected
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights

7. Children's Privacy

Tribes.app is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete it promptly.

8. Security

We implement industry-standard security measures including:

  • Passwordless authentication via WebAuthn/FIDO2
  • End-to-end encryption (AES-256-GCM) for private content
  • CSRF protection on all state-changing operations
  • Session management with server-side revocation
  • Rate limiting on authentication endpoints
  • Age verification at signup (13+ minimum)
  • Encrypted vault backups for end-to-end encryption keys

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the platform. Your continued use after changes constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

Email: privacy@tribes.app Address: 7210 78th Dr. NE, Marysville, WA 98270