Privacy policy

What data we collect, why we collect it, and how we protect it.

What we collect

  • Account information: email, name, role, account creation date.
  • Project metadata: project name, source type (ZIP or GitHub), detected stack, file counts, complexity score, findings.
  • Uploaded code: raw uploaded archives and cloned GitHub repository contents, stored in isolated temporary storage and deleted after report delivery per the retention window.
  • Payment metadata: order/transaction IDs, amounts, and statuses from our payment provider. We never store full payment card numbers.
  • Audit logs: authorization confirmations (scan, GitHub PR), including IP address and user-agent for fraud prevention.

What we do NOT store

  • Full secret values detected in your code — secrets are masked.
  • Full payment card details — our payment provider handles those.
  • Raw uploaded code after the retention window — auto-deleted.

How we use your data

  • To perform the scan, audit, and fix-generation you requested.
  • To bill, support, and improve the service.
  • To prevent abuse (rate limits, fraud detection).
  • To meet legal obligations.

Third parties we share with

  • Supabase — database, auth, and storage.
  • PayPal — payment processing.
  • AI model provider — AI-assisted paid audits (we send only filtered, security-relevant project content; we never send your secrets or ignored files). The specific model provider is disclosed on request and listed in our internal data-processing register.
  • Resend — transactional email delivery.
  • GitHub — repository read, branch, and pull-request operations for GitHub-connected projects.
  • Sentry — error monitoring (no code content, only stack traces).

Your rights

  • You can delete your account at any time.
  • You can delete any individual report.
  • You can disconnect GitHub at any time.
  • You can request an export of your data.

Data security

We enforce row-level security at the database layer (you can only access your own data), TLS in transit, signed expiring URLs for downloads, and webhook signature verification. Service-role credentials are backend-only — never exposed to the browser.

Contact

For privacy questions, contact support with your account email.

Last updated: June 7, 2026