Millennium Vibe

Privacy Policy

Last updated: May 22, 2026

Millennium Vibe ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our platform, in compliance with the General Data Protection Regulation (GDPR) and applicable Romanian data protection legislation.

1. Data Controller

The data controller responsible for your personal data is Millennium Vibe, a company registered in Romania. If you have any questions about how we handle your data, you can reach us at [email protected].

Creator Communities: Controller and Processor Roles

Our platform is multi-tenant — creators run their own communities. Who is responsible under data protection law depends on whose data is processed:

  • For your account and platform-wide data, we are the data controller, as described in this policy.
  • For personal data that a creator collects, accesses, exports, or uses to message the members of their community (for example member lists, CRM notes, and email broadcasts), the creator is an independent data controller and we act as a processor on their behalf.

If your request concerns data controlled by a creator, please contact that creator directly. We will assist creators in responding to such requests where required by law.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, username, avatar, bio, location, and social media links you choose to provide when creating or updating your profile.
  • Payment data: billing address, transaction history, and subscription details. Payment card information is processed directly by Stripe and is never stored on our servers.
  • Usage data: pages visited, features used, interactions with content (likes, comments, course progress), and time spent on the platform.
  • Technical data: IP address, browser type and version, device type, operating system, referring URLs, and language preferences.
  • User-generated content: posts, comments, chat messages, course submissions, uploaded files, and other content you create on the platform.
  • Communication data: emails and messages you send to us, support requests, and feedback.

We and our providers use cookies and similar technologies to operate the platform, remember your preferences, and (with your consent) measure usage. For details and to manage your choices, see our Cookie Policy.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide you with our services, including account management, community access, course delivery, and payment processing.
  • Consent (Art. 6(1)(a)): For analytics cookies, marketing communications, and optional data processing. You can withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)): For platform security, fraud prevention, service improvement, and aggregated analytics that do not identify individuals.
  • Legal obligation (Art. 6(1)(c)): For tax record keeping, financial reporting, and compliance with applicable laws.

4. Data Retention

We retain your data for the following periods:

  • Account data: Retained for the duration of your account. Upon account deletion, personal data is erased within 30 days, except where retention is required by law.
  • Payment and invoice data: Retained for 10 years after the transaction to comply with Romanian fiscal and accounting regulations.
  • Analytics data: Aggregated and anonymized within 26 months of collection.
  • Server logs: Automatically deleted after 90 days.
  • Consent records: Retained for 5 years from the date of consent as evidence of compliance.
  • Uploaded videos, session recordings, and data-export files are deleted automatically after a configurable retention period (data exports expire after 7 days).

5. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): You can request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability: You can download your personal data in a structured, commonly used, machine-readable (JSON) format at any time from Settings → Privacy → Export your data, or request a copy from us.
  • Right to restriction of processing: You can ask us to limit how we process your data in certain circumstances.
  • Right to object: You can object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. In Romania this is ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal).

You can exercise your rights to access, portability, and erasure directly in the app: download your data from Settings → Privacy → Export your data, and delete your account from Settings → Danger Zone. For any other request, contact us at [email protected]. We will respond within 30 days.

Automated Decision-Making

We do not subject you to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

United States State Privacy Rights

If you are a resident of California or another U.S. state with applicable privacy laws, you have the right to know about, access, correct, and delete your personal information, and not to be discriminated against for exercising these rights. You can access and delete your data directly in the app (see your rights above) or contact us.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

6. Data Sharing

We share your data with the following categories of third-party service providers, all of which are bound by data processing agreements:

  • Stripe: Payment processing, subscription management, and invoicing. Stripe acts as an independent data controller for payment data.
  • Postmark and Amazon SES: Transactional and marketing email delivery.
  • Cloudflare: Content delivery, DNS management, and DDoS protection. Cloudflare processes IP addresses and request metadata.
  • Cloudflare R2: File and media storage. Uploaded content is stored on Cloudflare's infrastructure.
  • Bunny.net and LiveKit: Video hosting, transcoding, and live video conferencing.
  • Meilisearch — search indexing of content you make searchable (communities, courses, posts, profiles)
  • Twilio / 360dialog — SMS and WhatsApp one-time codes, if a creator enables phone verification
  • OpenAI / Anthropic — AI assistant and content-generation features, if enabled
  • Expo — push notifications to the mobile app

We do not sell your personal data to any third party. Data shared with processors is limited to what is strictly necessary for the service they provide.

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or the service provider's participation in recognized certification mechanisms.

8. Security Measures

We protect your data with industry-standard measures: encrypted connections (TLS/HTTPS) for all data in transit, hashed passwords, access controls and authentication, rate limiting, input sanitization, and infrastructure hosted on secure servers in the European Union. No method of transmission or storage is completely secure, but we continually review and improve our safeguards.

9. Children's Privacy

Our platform is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information promptly.

10. Data Protection Authority

The supervisory authority for data protection in Romania is ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal). You can contact them at [email protected] or visit their website at www.dataprotection.ro if you wish to lodge a complaint.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through a prominent notice on our platform at least 30 days before the changes take effect.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at [email protected].