Privacy Policy
Last updated: June 23, 2026
Vibesecure ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered code security platform ("Service").
1. Information We Collect
Account Information: When you create an account, we collect your name, email address, and authentication credentials via Firebase Authentication. We support email/password and Google Sign-In.
Code & Project Data: When you use our scanning features, you may upload source code files, connect GitHub repositories, or provide URLs for external scanning. This code is processed exclusively for security analysis purposes.
Scan Results: We store the results of your security scans, including findings, risk scores, and generated reports, associated with your user account.
Usage Data: We automatically collect information about your interaction with the Service, including pages visited, features used, scan frequency, and device/browser information.
Payment Information: If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store credit card numbers or bank details on our servers.
2. How We Use Your Information
- To provide and maintain the Service, including running security scans and generating reports
- To process uploaded code through our AI analysis engine (Claude by Anthropic) in isolated Docker sandboxes
- To manage your account, subscriptions, and billing
- To communicate with you about service updates, security alerts, and support
- To improve the Service through anonymized, aggregated usage analytics
- To comply with legal obligations
3. Code Data Processing
Sandbox Isolation: All uploaded code is processed in isolated Docker containers with no network access, read-only filesystems, and strict resource limits. Containers are automatically destroyed after scan completion.
AI Analysis: Code snippets may be sent to Anthropic's Claude API for deep analysis. This data is processed under Anthropic's API terms and is not used to train AI models.
No Persistent Storage of Code: Uploaded source code is deleted from our servers within 24 hours of scan completion. Only scan results and reports are retained.
URL Scanning: When you use the Prospect Scanner feature, we only access publicly available information from the provided URLs (HTTP headers, client-side JavaScript, SSL certificates). We do not attempt to bypass authentication or access private resources.
4. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may share data with:
- Anthropic: Code snippets for AI analysis (under their API data processing terms)
- Stripe: Payment processing (subject to Stripe's privacy policy)
- Firebase/Google: Authentication services (subject to Google's privacy policy)
- Neon: Database hosting for user accounts and scan metadata
- Law enforcement: Only when required by law or to protect our legal rights
5. Data Security
We implement industry-standard security measures, including:
- TLS encryption for all data in transit
- Encrypted database connections (SSL/TLS to Neon PostgreSQL)
- Firebase JWT-based authentication with token verification
- Environment-based secrets management (no hardcoded credentials)
- Isolated Docker sandboxes for code execution
6. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your account and associated data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing of your data for certain purposes
- Opt-out of sale: We do not sell personal data, but you may opt out of any future changes
To exercise any of these rights, contact us at privacy@vibesecure.dev.
7. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account closure
- Uploaded code: Deleted within 24 hours of scan completion
- Scan reports: Retained for 12 months, then automatically purged
- Usage logs: Retained for 90 days for operational purposes
8. International Transfers
Your data may be processed in data centers located in the EU (Neon, Frankfurt) and the US (Firebase, Anthropic). We ensure adequate safeguards are in place for international transfers in compliance with GDPR requirements.
9. Children's Privacy
Vibesecure is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related inquiries:
- Email: privacy@vibesecure.dev
- Data Protection Officer: privacy@vibesecure.dev