1. Who This Applies To
This Privacy Policy applies to:
- Visitors to https://vivreal.io.
- Individuals who create a Vivreal account.
- Members invited to a Vivreal group workspace.
- Individuals who connect a third-party platform (such as TikTok, Instagram, Facebook, X/Twitter, LinkedIn, Stripe, or Mailchimp) to a Vivreal workspace.
If you are a member of a workspace owned by another organization, the workspace owner is the controller of the data you contribute to that workspace, and their own policies may apply in addition to ours.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: name, email address, username, password (we never store your plaintext password; we store a salted hash).
- Profile and workspace information: organization name, job title, group settings, member roles, and profile picture.
- Content: text, images, video, audio, files, schemas, and other media you upload, create, or publish through Vivreal ("Your Content").
- Billing information: payment-method details processed exclusively by Stripe. We do not store raw card numbers; we receive only a payment-method token, the card brand, last-4 digits, and billing zip.
- Communications: messages and attachments you send to our support team or in response to surveys.
2.2 Information Collected Automatically
- Device and connection data: IP address, browser type and version, operating system, device identifiers, language preferences, and time zone.
- Usage data: pages visited, features used, actions performed, session duration, click paths, and referring URLs.
- Audit logs: a record of significant actions taken inside your workspace (content changes, member invitations, integration changes, billing actions), retained for the period defined by your subscription tier.
- Error and performance telemetry: crash reports, stack traces, and performance metrics.
- Cookies and similar technologies: see Section 7.
2.3 Information from Connected Third-Party Platforms
When you connect a third-party integration to your workspace, we receive data from that platform on your behalf. Specifics by platform:
- TikTok. When you connect a TikTok Business account, we receive your TikTok user ID, username, display name, profile photo, follower count, video metadata for content you authorize us to read or post, and the OAuth access and refresh tokens needed to perform the actions you request. We use this data only to power the features you initiate (publishing, analytics, scheduling). We do not sell, share for advertising, or use TikTok data to train AI models. You can revoke our access at any time at https://www.tiktok.com/setting/connect-apps or by removing the integration from inside Vivreal. We delete the associated OAuth tokens within thirty (30) days of revocation.
- Meta (Instagram and Facebook). Profile ID, username, display name, profile photo, page or business account IDs you authorize, post metadata, and OAuth tokens.
- X (Twitter). Profile ID, username, display name, profile photo, post metadata, and OAuth tokens.
- LinkedIn. Profile ID, public profile URL, display name, profile photo, post metadata, and OAuth tokens.
- Stripe. Stripe account ID, product and price metadata you authorize us to read, and (when you fulfill orders through Vivreal) order and customer-purchase metadata. Payment card data is never transmitted to us.
- Mailchimp. Audience IDs and metadata required to send the campaigns you create in Vivreal.
You may revoke our access to any connected platform at any time through that platform’s settings or by removing the integration in Vivreal.
3. How We Use Your Information
We use the information we collect for the following purposes. Where required by law (including the EU and UK GDPR), the legal basis for each is identified.
- Provide, operate, and improve the Service — performance of contract; legitimate interests.
- Authenticate you and secure your account — performance of contract; legitimate interests.
- Process billing, calculate overage charges, and send invoices — performance of contract; legal obligation.
- Send transactional emails (verification, password reset, billing receipts, security notices) — performance of contract.
- Send product updates and marketing communications — consent (where required); legitimate interests.
- Diagnose errors, monitor performance, and maintain platform security — legitimate interests.
- Enforce these Terms and our Acceptable Use Policy — legitimate interests.
- Comply with legal obligations and respond to lawful requests — legal obligation.
We do not:
- Sell your personal information.
- Share your personal information for cross-context behavioral advertising.
- Use Your Content or third-party platform data to train Vivreal’s AI models or any third-party AI model.
- Use the contents of your private workspace data for any purpose other than providing the Service to you.
4. How We Share Your Information
We share information only as described in this section.
4.1 Service Providers (Sub-Processors)
We use trusted vendors that process data on our behalf under contractual confidentiality and security commitments. Our current sub-processors include:
- Amazon Web Services (AWS) — cloud infrastructure, storage (S3), compute (Lambda), and identity (Cognito), in US regions.
- MongoDB Atlas — workspace database hosting (multi-tenant; each group is isolated in its own database).
- Stripe — payment processing and subscription billing.
- Sentry — error monitoring and performance tracing.
- Google Analytics 4 — aggregate site analytics (consent-based).
- Microsoft Clarity — session replay and heatmaps for product improvement (consent-based; personal data masked by default).
- GitHub and AWS Amplify — source-code hosting and deployment infrastructure for customer-deployed websites.
- Transactional email providers — for verification, password-reset, and billing emails.
We will update this list as our sub-processor footprint changes and notify customers of material changes.
4.2 Within Your Workspace
Members of your group workspace can view content, audit logs, and activity according to their assigned role. Workspace owners and admins control who has access.
4.3 At Your Direction
When you connect a third-party platform (TikTok, Stripe, etc.) and use Vivreal to publish, sync, or otherwise interact with that platform, we transmit the data you direct us to send.
4.4 Business Transfers
If Hill Bomb Creations is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred to the acquiring entity. We will notify you (by email or prominent site notice) before any such transfer is effective.
4.5 Legal Requirements
We may disclose information if required by law, regulation, valid legal process, or governmental request, or if we believe in good faith that disclosure is necessary to comply with a legal obligation; protect the rights, property, or safety of Hill Bomb Creations, our users, or the public; detect, prevent, or address fraud, security, or technical issues; or enforce these Terms. We will challenge overbroad requests where lawfully permitted.
5. Data Retention
We retain personal information only as long as necessary for the purposes described above, or as required by law:
- Account data: while your account is active; thirty (30) days after closure, then deleted.
- Workspace content: while the workspace is active; thirty (30) days after deletion, then deleted.
- Content versions: up to your subscription tier’s maximum version count; older versions are pruned automatically.
- Audit logs: the number of days defined by your tier’s audit-retention quota.
- Billing records: seven (7) years (US tax and financial recordkeeping requirements).
- OAuth tokens for connected platforms: until you disconnect the integration; deleted within thirty (30) days of disconnect.
- Sentry error data: ninety (90) days.
- Server logs (including IP): thirty (30) days.
- Backup snapshots: thirty (30) days, on a rolling basis.
6. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- TLS 1.2+ encryption for all data in transit.
- AWS-managed encryption at rest (KMS, AES-256).
- JWT-based authentication with short-lived session tokens.
- CSRF protection (double-submit cookie pattern) on all state-changing operations.
- Sliding-window rate limiting on authentication endpoints.
- Optional WebAuthn (hardware security key) authentication.
- Role-based access control inside group workspaces.
- Multi-tenant database isolation (each group has its own MongoDB database).
- OAuth tokens for connected platforms encrypted at rest with AES-256-GCM before storage.
- Operational secrets stored in AWS Secrets Manager; access is logged and periodically reviewed.
No system can be made completely secure. You are responsible for keeping your password and authentication factors confidential.
7. Cookies and Similar Technologies
We use the following categories of cookies and tokens:
- Strictly necessary (authentication tokens, CSRF tokens, active workspace context). Required for the Service to function; cannot be disabled.
- Functionality (onboarding state, theme preferences). Required for those features.
- Analytics (Google Analytics 4, Microsoft Clarity). Consent-based; you can opt in or out via our cookie banner.
- Error monitoring (Sentry session ID). Used to tie errors to a session for debugging.
Microsoft Clarity captures session replays with all text masked by default (Strict masking). Sentry session replay activates only on errors and similarly masks all text and inputs by default. Neither is used to track you across other websites.
You can manage analytics cookies via the cookie banner, your browser settings, or via Google’s opt-out tool at https://tools.google.com/dlpage/gaoptout.
8. Your Rights and Choices
Depending on your location, you have the following rights regarding your personal data:
- Access: request a copy of the personal information we hold about you.
- Correction (Rectification): request correction of inaccurate or incomplete information.
- Deletion (“Right to be Forgotten”): request deletion of your account and personal data, subject to legal retention requirements.
- Portability: request export of your content in a portable format.
- Restriction of processing: request that we limit how we use your data in certain circumstances.
- Objection: object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: with the data protection authority in your country (EU/UK residents).
To exercise any of these rights, email hello@vivreal.io or use the “Delete my account” option in your account settings. We will verify your identity (typically by sending a confirmation email to your account on file) and respond within thirty (30) days. We may extend this period by up to sixty (60) additional days for complex requests, with notice.
We will not discriminate against you for exercising these rights.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what personal information we collect, the sources, the purposes for collection, and the categories of recipients.
- Right to delete your personal information, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
- Right to non-discrimination for exercising any of these rights.
Categories of personal information we collect: identifiers (name, email, IP), customer records (account, billing), commercial information (subscription history), internet activity (usage logs), approximate geolocation (from IP), professional information (organization, role), and inferences (preferences from usage).
Categories of sources: you, your workspace members, connected third-party platforms, and automatically from your device.
Categories of recipients: the sub-processors listed in Section 4.1.
Notice at Collection: we collect the categories above for the purposes described in Section 3 and retain each category for the periods listed in Section 5.
To exercise California rights, email hello@vivreal.io. We will verify your identity (typically by sending a confirmation email to your account on file) and respond within forty-five (45) days. You may also designate an authorized agent to make a request on your behalf.
10. Children's Privacy
The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of eighteen (18). If you believe a child under 18 has provided personal information, contact hello@vivreal.io and we will delete it promptly.
If you are between 13 and 17 and use a workspace that an adult administrator has invited you to, that administrator is responsible for obtaining any required parental consent and for the data you contribute.
11. International Data Transfers
Vivreal is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our sub-processors operate.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on:
- The EU–US Data Privacy Framework (DPF) and its UK and Swiss extensions, where applicable to a recipient.
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to recipients not certified under the DPF.
You may request a copy of the safeguards we use by emailing hello@vivreal.io.
12. Data Breach Notification
If we become aware of a personal data breach that creates a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority (if required) within seventy-two (72) hours, in line with GDPR Article 33.
- Notify affected users without undue delay, in line with GDPR Article 34 and applicable US state breach-notification laws.
13. Do Not Track Signals
Our Service does not currently respond to Do Not Track (“DNT”) browser signals because no consistent industry standard for DNT compliance has been adopted.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email and by posting a notice on the Site at least thirty (30) days before the changes take effect. The “Last Updated” date at the top reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance.
15. Contact Us
For questions, concerns, or to exercise your rights, contact:
Hill Bomb Creations LLC
Vivreal Privacy Team
3315 E Taro Ln
Phoenix, Arizona 85050
United States
Email: hello@vivreal.io