1. Who we are
VibeScan is a security scanning service for developers and builders. We help you find security vulnerabilities in your code and explain them in plain English.
For privacy questions, contact us at support@vibescan.co.
2. What data we collect
Account data
When you sign up, we collect your email address and a hashed password (if using email/password auth) or an OAuth token (if using Google or GitHub sign-in). We use Supabase to manage authentication.
Scan data
When you run a scan, we receive the zip file you upload. We extract it in a temporary directory on our scan server, run the security analysis, and delete the extracted files immediately after the scan completes. We store the scan results (the list of findings, severity levels, file names, and line numbers) so you can view your report later. We do not store your source code.
Payment data
Payments are processed by Stripe. We never see or store your full card number, CVV, or banking details. We store your Stripe customer ID and subscription status for billing purposes.
Usage metadata
We log minimal metadata about scan activity: when a scan ran, how long it took, how many findings were returned, and whether it succeeded or failed. We do not log the contents of your code or the details of your findings in our infrastructure logs.
3. What we do not do
- We do not sell your data to third parties
- We do not use your source code to train AI models
- We do not share your scan results with anyone except you
- We do not retain your source code after a scan completes
- We do not send marketing emails without your explicit opt-in
4. How we use your data
We use the data we collect to:
- Provide the VibeScan service (running scans and delivering reports)
- Manage your account and subscription
- Process payments via Stripe
- Respond to support requests
- Improve the service (using aggregated, anonymized usage patterns only)
5. Data storage and security
Your account data and scan results are stored in Supabase, a cloud database provider with SOC 2 compliance and encryption at rest and in transit.
Scan processing runs on Railway, a cloud infrastructure provider. Each scan runs in an isolated container that is destroyed after the scan completes. Your source code never persists beyond the duration of a single scan.
All data is transmitted over HTTPS/TLS. We use row-level security policies in our database to ensure users can only access their own data.
6. Third-party services
VibeScan uses the following third-party services:
| Service | Purpose | Privacy policy |
|---|---|---|
| Supabase | Authentication and database | supabase.com/privacy |
| Stripe | Payment processing | stripe.com/privacy |
| Railway | Scan infrastructure | railway.app/legal/privacy |
| Vercel | Frontend hosting | vercel.com/legal/privacy-policy |
7. Data retention
We retain your account data and scan results for as long as your account is active. If you delete your account, we will delete your personal data and scan results within 30 days.
Source code uploaded for scanning is deleted immediately after the scan completes and is never retained.
Payment records are retained for 7 years as required by applicable tax and financial regulations.
8. Your rights
Depending on where you are located, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Withdraw consent where processing is based on consent
To exercise any of these rights, email support@vibescan.co. We will respond within 30 days.
10. Children's privacy
VibeScan is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@vibescan.co and we will delete it.
11. Changes to this policy
We will notify users of material changes to this policy by updating the "Last updated" date at the top of this page. Continued use of VibeScan after changes constitutes acceptance of the updated policy.
12. Contact
Privacy questions: support@vibescan.co