Privacy
Your data, with clear boundaries.
This policy explains what information Vapai processes, why it uses it, who may receive it, and what choices you have.
1. Controller and scope
The controller is Raftell SAS, a simplified joint-stock company incorporated in Uruguay, tax ID (RUT) 020594010017, at Calle Gaviotas, Manzana 48, Solar 11, Parque Solymar, Ciudad de la Costa, Canelones, postal code 15005, Uruguay. Vapai is developed under the LosHermanosPatos brand and legally operated by Raftell SAS.
This policy applies to the Vapai app, vapai.me and support channels. Registration is globally available to people aged 18 or older. Barcelona is the first city with active experiences; registration is not restricted by territory.
We must confirm whether Vapai needs to appoint a data protection officer and a European Union representative under GDPR Article 27.
2. Data, purposes and legal bases
Depending on how you use Vapai, we may process:
- account and authentication data, such as phone number, email, technical identifiers and Apple or Google sign-in signals;
- profile, self-declared date of birth, photos, bio, languages and city;
- identity and who-you-want-to-meet preferences when you provide them;
- approximate or precise location when permitted, distance preferences and the resulting city;
- interests, matches, invitations, conversations, and created or saved experiences;
- reports, blocks, appeals, support communications and submitted evidence;
- notification tokens, security logs, diagnostics and consented analytics.
We use this data to create and protect accounts; display profiles; provide discovery, compatibility, matching and chat; give support; send requested notifications; moderate content; prevent fraud and abuse; maintain the service; comply with law; and, if authorised, measure usage.
The proposed bases are performance of our contract for essential features; consent for sensitive data, location, notifications and analytics where required; legitimate interests for safety, moderation, fraud prevention, blocks and strictly necessary logs; and compliance with law. Vapai does not make solely automated decisions that have legal or similarly significant effects on you.
The allocation of legal bases, legitimate-interest balancing and jurisdiction-specific notices must be validated before launch.
3. Sensitive preferences
Vapai may ask for your identity and who you want to meet in structured fields. We use them for compatibility and discovery only after separate, recorded explicit consent. We do not infer orientation, identity or any other sensitive category from photos, bio, chat, behaviour or location.
You may withdraw this consent. We will delete the selections and disable compatibility and discovery, while keeping your account open. Experience partners never receive these preferences.
The wording and record for sensitive-consent-v1, and its effects in each jurisdiction, require final legal validation.
4. Location
If you grant permission, Vapai may receive your location to rank nearby experiences and assign a city. The product is designed to show a city or approximate distance, not exact coordinates, to other people. Only the latest location is kept; location logs are provisionally deleted within 30 days.
Apple may temporarily process coordinates when the device converts a location into a city. You can withdraw system permission; nearby features may then stop working.
5. Analytics, diagnostics and advertising
The mobile app configures Firebase Analytics as denied unless there is a valid choice. The website activates Google Analytics only after applicable permission. A first-party measurement pipeline may process minimal events only for eligible users with the relevant setting enabled. Firebase Crashlytics detects crashes and stability issues as strictly necessary diagnostics.
We do not sell personal data. We do not use IDFA or AAID, App Tracking Transparency, behavioural advertising, cross-app tracking or advertising profiles. Custom events must not contain email, phone number, profile content, sensitive preferences, chats or precise location.
You can review or withdraw your website analytics preferences by emailing support@vapai.me. If the website offers a cookie control, you will also be able to change your choice there.
6. Providers, transfers and partners
We disclose data only where needed to operate the service, fulfil a request, protect people or comply with law. The confirmed technical inventory includes:
- Google: Firebase Authentication, Cloud Firestore, Cloud Functions/Cloud, BigQuery, Google Analytics, Crashlytics and Google Sign-In;
- Apple: Sign in with Apple, system geocoding and APNs when active;
- Namecheap: support email infrastructure;
- Firebase Cloud Messaging, when active, to deliver notifications.
Processing location, contractual role, processing agreements, transfer clauses and applicable policies depend on the actual provider and configuration.
There is no launch commercial partner and no active booking or checkout. Vapai does not collect, transmit or store complete card numbers, PAN or CVV. In a future integration, a partner may receive only a random referral code for attribution, never a UID, email, phone number, profile, preferences, location or chat. We will disclose any additional processing before it is enabled.
The provider inventory, roles, regions, processing agreements and international-transfer safeguards still require a final audit.
7. Retention and deletion
We propose the following periods unless law or limited evidence preservation requires otherwise:
| Data | Proposed period |
|---|---|
| Inactive account | 24 months, with 30 days' prior warning |
| Profile and photos | While active; no more than 30 days after deletion |
| Location | Latest only; logs for up to 30 days |
| Sensitive preferences | Until consent withdrawal or account deletion |
| Chats, matches and invitations | While active; no more than 30 days after deletion |
| Reports and blocks | 12 months after case closure |
| Phone and authentication | While active; no more than 30 days after deletion |
| Security logs | 12 months |
| Push tokens | Until logout or deletion; no more than 30 days |
| Support | 24 months after closure |
| Prepared exports | 7 days |
| Backups | Up to 90 days |
| Crashlytics | Up to 90 days |
| Identifiable GA4/BigQuery data | Up to 14 months |
| Truly aggregated data | Indefinitely while it cannot identify anyone |
| Deletion-receipt hash | 3 years |
When deletion starts, the account is deactivated and disappears publicly at once. Operational data is removed within 30 days and backups within 90 days. The complete conversation disappears for both people within 30 days. Only strictly necessary evidence may be isolated for 12 months or under a documented legal hold.
All retention periods and future transaction-related statutory retention require legal and technical validation before definitive publication.
8. Your rights and complaints
You may request access, correction, deletion, objection, restriction, portability, or withdraw consent by emailing support@vapai.me. We may ask for information already provided to verify account ownership. Withdrawal does not affect earlier lawful processing.
You may also complain to Uruguay's Personal Data Regulatory and Control Unit (URCDP), the Spanish Data Protection Agency (AEPD), or your competent EEA authority, as applicable.
We use technical and organisational measures intended to limit access, record changes and respond to incidents. No system is infallible. We will provide breach notices where legally required.
We may update this policy for product or legal changes. We will communicate material changes and request renewed acceptance where necessary.
Applicable authorities, response periods and additional local rights must be confirmed for each jurisdiction.
Privacy and rights requests
Raftell SAS · Calle Gaviotas, Manzana 48, Solar 11, Parque Solymar, Ciudad de la Costa, Canelones, postal code 15005, Uruguay