WhiteVine Privacy Policy
- Established Date: May 11, 2026
- Effective Date: May 11, 2026
- Operator: Nano Whitegrape
- Contact: [email protected]
This Privacy Policy explains how Nano Whitegrape ("Operator") processes personal information in connection with the WhiteVine mobile application ("Service").
1. Purposes of Processing
The Operator processes personal information for the following purposes:
- Account registration and management: account creation, account maintenance, identification, authentication, age confirmation, and abuse prevention.
- Providing the Service: providing WhiteVine's force-directed 3D social networking service, posts, profiles, feeds, and cosmos visualization based on user-entered tags and categories.
- User interaction features: operating friend, block, report, and related interaction features.
- User safety and service operation: report handling, automatic hiding of reported sexual or violent content, abuse prevention, dispute handling, and user support.
- Marketing notices: sending marketing information only where the User separately agrees to receive it.
2. Personal Information We Process
2.1 Information Collected During Registration
- Required: email address or Sign in with Apple identifier, password for email sign-up where applicable, handle/display name, and age confirmation.
- Optional: profile image and profile text.
2.2 Information Created or Collected During Use
- posts, text, images, coordinate data, tags, categories, relationship information, and comments;
- friend, block, and report records;
- cosmos position data and tag/category connection information calculated by the server force engine;
- service usage records, access time, IP address, device information, operating system, device identifier, and app version.
2.3 Information Processed With Separate Consent
- If the User agrees to marketing: marketing consent records.
3. Retention and Deletion
- The Operator keeps personal information for the period needed for the purposes described in this Policy or for the period consented to by the User.
- When a User deletes an account, the Operator deletes the User's personal information from active Service systems without undue delay, and some related information may be deleted together through database cascade deletion. However, information that must be retained under applicable law, security requirements, backup systems, or dispute-handling needs may be kept for the required or reasonably necessary period.
| Category | Retention Period |
|---|---|
| Account registration information, including email, handle, and password hash | until account deletion |
| User Content, including posts, images, coordinate data, tags, categories, relationship information, and comments | until account deletion or content deletion by the User, unless retention is required as described above |
| Service usage records, including IP address, device information, access time, and app version | for the period reasonably needed for security, debugging, abuse prevention, or legal compliance |
| Abuse, report, fraud-prevention, and security records | for the period reasonably needed to handle reports, prevent repeated abuse, protect the Service, or comply with law |
| Marketing consent records | until consent is withdrawn or the record is no longer needed to prove consent status |
| Backup records | for a limited period needed for disaster recovery, security, and system integrity |
4. Sharing and Disclosure
- The Operator uses personal information only for the purposes described in this Policy.
- The Operator may share or disclose information when:
- the User has consented;
- required by law, legal process, or a lawful request from a competent authority; or
- reasonably necessary to protect the life, safety, property, rights, or security of a User, the Operator, the Service, or a third party.
5. Service Providers
The Operator uses service providers to operate the Service.
| Service Provider | Purpose | Retention |
|---|---|---|
| Supabase Inc. or successor provider | authentication, user information processing, content storage, and database operation | until account deletion or the end of the service-provider relationship |
| Apple Inc. | iOS authentication, App Store distribution, and Apple Push Notifications service integration | until account deletion or the end of the service-provider relationship |
Service providers process information only as needed to provide services to the Operator.
The Operator acts as the controller for personal information processed through the Service. Service providers process personal information on behalf of the Operator under applicable service-provider or data-processing terms.
5.1 International Data Transfers
Personal information may be processed in countries other than the country where a User lives, including the United States and other locations where the Operator's service providers operate.
Where personal information of residents of the European Economic Area, the United Kingdom, or Switzerland is transferred outside those regions, the Operator relies on appropriate safeguards where required, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, an adequacy decision, or another lawful transfer mechanism.
For Korean residents, where required by the Personal Information Protection Act, the Operator provides separate notice of the recipient, country, purpose, retention period, and right to refuse the transfer at the time of consent.
Users may request information about the applicable transfer mechanism by contacting the Operator at the email listed in this Policy.
6. User Rights and Choices
- Users may access, correct, or delete account information through the app where the feature is available.
- Users may contact the Operator by email to request access, correction, deletion, restriction of processing, withdrawal of consent, or other privacy assistance.
- Users must not violate another person's privacy or misuse another person's personal information.
- The Service is available only to persons who are at least 19 years old and does not knowingly collect information from children.
- If the Operator learns that a person under the required age has created an Account, the Operator may delete or restrict the Account and related information.
7. Deletion of Personal Information
- When personal information is no longer needed, the Operator deletes it without undue delay.
- When a User deletes an account, account information is deleted from active Service systems through an automated deletion process where technically supported.
- Electronic information is deleted through database deletion and cascade deletion where supported, subject to legally required retention, limited backup records, security records, and dispute-handling records.
8. Security
The Operator uses reasonable safeguards to protect personal information, including:
- limiting access to personal information;
- password protection through authentication infrastructure, including one-way password hashing where email sign-up is used;
- TLS encryption during transmission;
- storage and infrastructure protections provided by service providers, including provider-level encryption at rest where available;
- periodic review of privacy and security practices.
9. Automatically Collected Information
- The Service may automatically collect device identifiers, access logs, IP address, app version, and similar technical information for service operation, abuse prevention, security, debugging, and statistics.
- Users may limit some collection through device settings or by deleting the app, but some features may not work without necessary technical information.
9.1 Automated Processing and Force Engine
The Service uses a force-directed algorithm and tag/category connection processing (the "Force Engine") to calculate positions and connections used in the cosmos visualization. The Force Engine may process tags, categories, relationship information, and similar Service data to produce visualization coordinates and connection information.
Unless otherwise separately notified, cosmos coordinates are virtual visualization coordinates inside the Service and are not GPS, cellular, or real-world location information.
The Force Engine is intended to support visualization and Service operation. It is not intended to make decisions that produce legal effects or similarly significant effects on Users within the meaning of GDPR Article 22. Users may contact the Operator to request meaningful information about the logic involved or to request human review where applicable.
9.2 Marketing Choices
If a User agrees to receive marketing information, the User may withdraw that consent at any time through the app where available or by contacting the Operator. Withdrawal of consent does not affect processing that occurred before withdrawal.
10. Privacy Contact
- Privacy contact: Nano Whitegrape, Operator
- Email: [email protected]
Users may contact the Operator with privacy questions, complaints, or requests.
11. Changes to This Privacy Policy
The Operator may update this Privacy Policy when the Service, processing items, retention period, service providers, or policies change. Material changes will be announced through the app, website, or another reasonable method.
12. Notice to EEA, UK, and Swiss Users
If a User is located in the European Economic Area, the United Kingdom, or Switzerland, the following additional terms apply.
The Operator is the controller for personal information processed through the Service. The Operator relies on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| account creation, authentication, and providing the Service | performance of a contract |
| abuse prevention, security, fraud detection, and service protection | legitimate interests |
| compliance with legal obligations and lawful requests | legal obligation |
| marketing communications | consent |
Subject to applicable conditions and exceptions, Users in these regions may have the right to access, correct, erase, restrict processing of, or receive a portable copy of their personal information; object to processing based on legitimate interests; withdraw consent; and not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
Users may exercise these rights through in-app account settings where available or by contacting the Operator. The Operator will respond within the period required by applicable law.
Users may also lodge a complaint with their local data protection authority. EEA authorities are listed by the European Data Protection Board, and UK residents may contact the UK Information Commissioner's Office.
13. Notice to California Residents
If a User is a California resident, this section explains rights and practices under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
The Service may collect the following categories of personal information: identifiers, internet or other electronic network activity information, user-provided audio or visual information such as profile images, and inferences or derived information such as cosmos positions and tag/category connections. The Operator collects this information directly from Users and through use of the Service for the purposes described in Section 1.
The Operator discloses personal information to service providers for the purposes described in Section 5. The Operator does not sell personal information or share personal information for cross-context behavioral advertising as defined by California law.
California residents may have the right to know, access, delete, correct, opt out of sale or sharing, and not be discriminated against for exercising privacy rights. Because the Operator does not sell or share personal information for cross-context behavioral advertising, the opt-out right for sale or sharing is not applicable to current Service operation.
Users may submit verifiable requests by contacting the Operator at the email listed in this Policy. The Operator may verify a request by confirming control of the email address associated with the Account or by another reasonable method.
14. Security Incident Notification
If the Operator becomes aware of a personal data breach that is likely to result in a risk to affected Users, the Operator will notify affected Users without undue delay through the app, by email, or through a website notice where appropriate.
Where applicable law requires, the Operator will also notify the relevant supervisory authority within the required period. The notice may include the nature of the incident, categories of information involved, likely consequences, measures taken or proposed to address the incident, and a contact point for further information.
Operator Information
- Operator: Nano Whitegrape
- Privacy contact: [email protected]