Privacy Policy
Self-drafted, not lawyer-reviewed. Suitable for closed beta. Have an Indian tech-focused lawyer (e.g. LegalKart / Vakilsearch online review, or a firm like Spice Route Legal / IndusLaw) review before public launch — at minimum to confirm DPDPA 2023, IT Rules 2021, and Google Play / Apple App Store Data Safety alignment.
Last updated: 2026-05-18
1. Who we are
Video Mate ("we", "us", "Trove" — the product brand) is a mobile application operated by [YOUR LEGAL NAME OR REGISTERED ENTITY] ("Operator"). Contact: privacy@videowithmate.7ven.work.
The Operator is the data fiduciary under India's Digital Personal Data Protection Act 2023 (DPDPA) and the data controller under EU / UK GDPR for users in those regions.
Postal address: [YOUR POSTAL ADDRESS].
2. What this policy covers
This policy describes what personal data Video Mate collects, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to:
- The Video Mate Android and iOS apps
- The companion website at
videowithmate.7ven.workand its subdomains (used for share-link previews and email delivery) - Email communications we send you about your account
It does not cover the third-party platforms whose videos we link to (YouTube, TikTok, Vimeo, Bilibili). When you tap "play", you leave Video Mate and the destination platform's policies apply.
3. Personal data we collect
3.1 Created automatically when you use the app
| Data | Why | Lawful basis (GDPR) / Purpose (DPDPA) |
|---|---|---|
| Anonymous device ID generated locally and stored in Keychain (iOS) / Keystore (Android) | Keep you signed in across launches; key Hive encryption | Contractual necessity |
| Idempotency key (random 32 hex bytes) | Migrate Guest playlists into your Member account exactly once | Contractual necessity |
| Usage events (video_started, video_completed, playlist_created, guest_migration_completed) | Improve curation; ad frequency capping | Legitimate interest / Service improvement |
| Crash diagnostics (stack traces, device model, OS version) sent to Firebase Crashlytics | Fix bugs you hit | Legitimate interest |
| Advertising identifier (Google Advertising ID / Apple IDFA) | Personalise ads from Google AdMob (only after you grant App Tracking Transparency permission on iOS) | Consent |
3.2 Provided by you on sign-up
- Email address
- Password — hashed by Supabase Auth using bcrypt before it reaches our database. We never see the plaintext.
- OAuth profile data when you sign in with Google: your email, display name, and avatar URL. We do not receive your password or contacts.
3.3 Generated by you in the app
- Playlist data — name, emoji icon, ordered list of video IDs you added. For Guests this lives in encrypted Hive on your device only; for Members it lives in our Supabase Postgres database, protected by Row Level Security (only you can read or modify your own playlists).
- Saved videos and watch history — when these tabs ship, the same storage rule applies.
3.4 What we deliberately do not collect
- Precise location (GPS / Wi-Fi triangulation)
- Contacts, calendar, address book
- Microphone, camera, photo library
- Browsing history outside our app
- SMS / call logs
If a future feature needs any of these, we will ask you in-app first and update this policy before the feature ships.
4. Why we collect each category
| Category | Purpose | Retention | |---|---|---| | Account (email, hashed password) | Sign you in, secure your data | Until you delete the account + 30 days grace | | Playlist content | Show your library across devices | Same as account | | Usage events | Curate the catalogue, tune ad pacing | 14 months, then aggregated and anonymised | | Crash diagnostics | Fix bugs | 90 days, auto-purged by Firebase | | Advertising identifier | Show relevant ads (if you opted in) | Reset by you anytime in OS settings |
5. Who we share data with
We share only what's necessary, and only with vendors who are bound by their own data-protection commitments:
| Vendor | What they receive | Where they process |
|---|---|---|
| Supabase Inc. (database, auth) | Email, hashed password, user ID, playlist data | Singapore region |
| Firebase / Google LLC (crashes, push, analytics) | Anonymous device token, crash data, usage events | Global Google infrastructure |
| Google AdMob (ads) | Anonymous Advertising ID (after your consent on iOS) | Global Google infrastructure |
| Resend Inc. (transactional email) | Your email + email body for account-related messages | United States, EU |
| Cloudflare Inc. (CDN, DNS) | IP address while you access our website | Global edge network |
| Vercel Inc. (web hosting) | IP address while you access videowithmate.7ven.work | Global edge network |
| YouTube / TikTok / Vimeo / Bilibili | A request whenever you tap a video — they may set their own cookies | Each platform's own infrastructure |
We do not sell or rent personal data to anyone. We do not use advertising networks beyond Google AdMob.
Cross-border transfers
Personal data may be processed in jurisdictions outside India / your home country (Singapore, EU, United States). All transfers use either:
- the standard contractual clauses provided by Supabase / Google / etc., or
- the receiving country's adequacy framework where one exists.
6. Your rights
6.1 Under India's DPDPA 2023
- Right to confirmation that we hold your data, and a free copy.
- Right to correction if anything is wrong.
- Right to erasure of your data.
- Right to nominate another person to exercise these rights if you cannot.
- Right to lodge a grievance with our Grievance Officer (see §10) before approaching the Data Protection Board of India.
We respond within 15 days for grievance complaints (IT Rules 2021) and within 30 days for general requests.
6.2 Under EU / UK GDPR
- Access — request a copy of your data.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten").
- Restriction — pause processing while a complaint is open.
- Portability — receive your data in a machine-readable format (JSON export).
- Objection to processing based on legitimate interest (e.g. our analytics).
- Withdraw consent anytime for processing that depends on it.
- Lodge a complaint with your local data protection authority.
We respond within 30 days (extendable once by 60 days for complex requests).
6.3 How to exercise rights
- In-app: Profile → Settings → Account → Export / Delete (when the Account settings panel ships — Phase 3).
- Email:
privacy@videowithmate.7ven.work - Grievance Officer (India): see §10.
You will not need to give a reason. We may ask for proof of identity when a request is unusually large or sensitive (e.g. full export).
7. Children
Video Mate is intended for users 13 and older (Play Store) and 12 and older (App Store, mirroring 4+ rating with social features). EU users must be 16 or older to consent on their own; under-16s need parental consent under GDPR.
We do not knowingly collect data from children under these ages. If
you believe a child has provided personal data to us, contact
privacy@videowithmate.7ven.work and we will delete the account
within 7 days.
8. Security
- Transport: all traffic between the app, our backend, and our vendors is encrypted in transit using TLS 1.2 or higher.
- At rest on device: auth tokens live in iOS Keychain / Android EncryptedSharedPreferences. The Hive box that holds your local playlists is AES-encrypted with a 256-bit key unique to your device, itself stored in the secure store.
- At rest on our server: Supabase Postgres data is encrypted at rest using AWS RDS encryption. Passwords are bcrypt-hashed before storage.
- Access controls: only the Operator and authorised contractors with a business need can access raw data; access is logged.
- Breach notification: we will notify affected users without undue delay (within 72 hours where DPDPA / GDPR applies) if a breach is likely to result in risk to your rights.
9. Cookies and similar technologies
The mobile app does not use cookies. Our website uses:
- Essential cookies — session token for the share-preview page; no consent needed.
- No analytics, marketing, or fingerprinting cookies on the website. (Mobile-app analytics events live separately — see §3.1.)
10. Grievance Officer (India IT Rules 2021)
Under Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, we appoint a Grievance Officer:
Name: [YOUR FULL NAME OR APPOINTED OFFICER] Designation: Grievance Officer, Video Mate Email:
grievance@videowithmate.7ven.workAddress: [YOUR POSTAL ADDRESS]Operating hours: 10:00 – 18:00 IST, Monday – Friday (excluding public holidays)
The Grievance Officer will acknowledge any complaint within 24 hours and resolve it within 15 days as required by the IT Rules.
For complaints about unlawful content (defamation, impersonation, etc.) the response window is 24 hours for "patently false / harmful" content as defined in Rule 3(2)(b).
11. Changes to this policy
If we materially change how we collect or use data, we will:
- Email registered users at the address on file at least 14 days before the change takes effect; and
- Post an in-app notice on the next launch.
You can find prior versions in our git history at
docs/legal/PRIVACY_POLICY.md.
12. Contact
| | |
|---|---|
| Privacy questions | privacy@videowithmate.7ven.work |
| Grievance Officer (India) | grievance@videowithmate.7ven.work |
| Data subject requests | privacy@videowithmate.7ven.work |
| Security incident report | security@videowithmate.7ven.work |
| General | hello@videowithmate.7ven.work |
| Postal | [YOUR POSTAL ADDRESS] |