The smallest data footprint I can ship.

Last reviewed · April 30, 2026

Five things I actually do.

• Phone numbers are hashed on-device.

  Before any contact data leaves your device, each number is normalized to E.164 and run through SHA-256 with a per-app salt. The salt is hardcoded in the iOS binary, so reverse-lookup of an arbitrary hash requires brute-forcing 10⁹ candidates per country code. The raw numbers never reach my servers.

• All transport is TLS 1.3 only.

  The app refuses any HTTP connection. The CA bundle is pinned to a small set of issuers; pinning failures fail the request rather than fall back to system trust. HSTS is enforced on every domain.

• Auth tokens are scoped & rotated.

  Sessions are short-lived JWTs (15 minutes) backed by a refresh token stored in iOS Keychain with the kSecAttrAccessibleWhenUnlockedThisDeviceOnly attribute, so the token is unreadable when the device is locked and never leaves the device via iCloud Keychain. Logout revokes server-side immediately.

• Server data is encrypted at rest.

  The Firestore primary store is encrypted at rest by GCP (AES-256). Backup snapshots are encrypted with a separately-managed KMS key and stored in a different region. Logs are scrubbed of PII before retention.

• No third-party analytics, ad, or tracking SDKs.

  I use exactly two third-party SDKs: Firebase (auth + database) and Apple's MusicKit. No Mixpanel. No Segment. No Branch. No AppsFlyer. No Facebook SDK. No Sentry. (Crash reports come through Apple's first-party MetricKit, which never sees user data.)

A list of deliberate absences.

• Raw phone numbers.

  Stored only as their salted SHA-256 fingerprint. Even I can't reverse it.

• Listening history outside the app.

  Vibes has no idea what you played in Spotify or Apple Music. The "now playing" indicator on your profile only fires when the song is actively playing inside Vibes itself.

• Location data.

  The app doesn't request the location permission, ever. The "San Francisco, CA" on your profile is whatever you typed.

• Read receipts.

  I track whether a vibe has been opened (so the sender can see the read indicator) and that's it. I don't track when beyond the first open, I don't store how many seconds you listened, and I don't share any of that with anyone besides the original sender.

• Device fingerprints.

  I don't combine your IDFA, screen resolution, IP, and battery level into a "shadow profile." I log the iOS version (for crash bucketing) and the app version. Nothing else.

Disclosure. Within 72 hours.

If I discover a security incident affecting user data, I commit to disclosing it within 72 hours via a banner on this site, an in-app notice, and a direct email to anyone whose data was implicated. I will publish a written postmortem describing what happened, what data was affected, and what I changed. No corporate-comms theater.

If you've found a vulnerability, please email security@vibesmusic.app. I don't run a bounty program yet but I'll send you a real thank-you, credit you in the changelog if you want, and treat the report as the gift that it is.

Soon. Not yet.

As of April 2026, Vibes hasn't been formally audited by a third party. That'll change once I'm past TestFlight; I'll publish the report here when it does. Until then, every claim on this page is verifiable from the iOS binary plus the published privacy policy, and any security researcher who wants to poke at the app should treat themselves as authorized to do so under standard safe-harbor terms.

Get the app    Report a vulnerability