1. Information We Collect
1.1 Account Information
- Email address (when you create an account)
- Name and profile information (if provided)
- Payment information (processed securely by Stripe)
1.2 Scan Data
- Target URLs you submit for scanning
- Scan results, findings, and security reports
- Redacted evidence of security issues (secrets are masked)
- HTTP headers, cookies, and DOM snapshots collected during scans
1.3 Usage Data
- IP addresses, browser type, and device information
- Pages viewed, features used, and scan frequency
- Error logs and performance metrics
2. How We Use Your Information
We use collected information to:
- Provide and improve the security scanning service
- Generate security reports and recommendations
- Process payments and manage subscriptions
- Send service updates and security alerts
- Detect and prevent abuse, fraud, and unauthorized access
- Comply with legal obligations
3. AI and LLM Processing
When enabled, we use Anthropic's Claude API to enrich scan findings with explanations and fix recommendations. Data sent to the LLM includes:
- Target URL (domain only, no full paths or query parameters)
- Stack/framework detection results
- Redacted security findings (secrets are masked before sending)
Anthropic does not train models on data sent via API. See Anthropic's commercial terms for details.
4. Data Sharing and Third Parties
We share data with the following third-party services:
4.1 Service Providers
- Stripe: Payment processing (see Stripe's Privacy Policy)
- Cloudflare R2: PDF report storage (encrypted at rest)
- Anthropic: LLM-powered finding enrichment (optional, when enabled)
- Sentry: Error tracking and monitoring (when enabled)
4.2 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5. Data Retention
- Account data: Retained while your account is active, plus 90 days after closure
- Scan results: Retained for 30 days by default (configurable in account settings)
- Logs and analytics: Retained for 90 days
- Payment records: Retained for 7 years for tax and legal compliance
6. Data Security
We protect your data using:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for database and file storage
- Automatic secret redaction (first/last 4 characters only)
- Access controls and audit logging
- Regular security audits and vulnerability scanning
7. Your Rights
You have the right to:
- Access your personal information and scan data
- Request corrections to inaccurate data
- Request deletion of your account and associated data
- Export your scan results in PDF or JSON format
- Opt out of LLM enrichment (disable in account settings)
- Withdraw consent for data processing
To exercise these rights, contact us at privacy@vibesafe.app
8. Children's Privacy
VibeSafe is not intended for users under 13 years of age. We do not knowingly collect personal information from children.
9. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international data transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or service announcement.
11. Contact
For privacy questions or to exercise your rights, contact: privacy@vibesafe.app