Privacy Policy
Last updated: February 22, 2026
1. Introduction
This Privacy Policy ("Policy") describes how VibeSafe ("VibeSafe," "we," "us," or "our") collects, uses, stores, shares, and protects information obtained from users ("User," "you," or "your") of the VibeSafe platform, including the website at vibesafe.tech, APIs, and related services (collectively, the "Service").
By accessing or using the Service, you consent to the collection and use of your information as described in this Policy. If you do not agree with this Policy, you must not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: When you register, we collect your email address, name (if provided), and authentication credentials. If you register via a third-party provider (Google, GitHub), we receive the information authorized by that provider, which may include your name, email address, and profile picture URL.
- Payment Information: When you subscribe to a paid plan, payment is processed by Razorpay. We do not directly store your full credit card number or bank account details. We receive and store transaction identifiers, subscription status, and billing metadata from Razorpay.
- Scan Targets: URLs of web applications you submit for security scanning.
- Support Communications: Any information you provide when contacting us for support at hello@nivo.run.
2.2 Information Collected Through GitHub Integration
If you connect your GitHub account, we collect and store:
- Your GitHub user ID, username, and avatar URL;
- An OAuth access token, which permits us to read repository contents, create branches, commit files, and create pull requests on your behalf;
- Repository metadata (names, visibility status, language) for repositories you grant access to; and
- Source code file contents, which are transmitted to third-party AI providers for analysis and are not permanently stored after processing.
2.3 Information Collected Automatically
- Usage Data: We collect information about how you interact with the Service, including pages viewed, features used, scan history, timestamps, and referral URLs.
- Device and Browser Information: IP address, browser type and version, operating system, device type, and screen resolution.
- Cookies and Similar Technologies: We use essential cookies for session management and authentication. We may use analytics cookies (e.g., Vercel Analytics) to understand usage patterns. You can manage cookie preferences through your browser settings.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve the Service, including performing security scans, generating reports, conducting AI code reviews, and creating pull requests;
- Account Management: To create and manage your account, authenticate your identity, and process subscription payments;
- Communication: To send you service-related notices, respond to support inquiries, and provide information about your account or subscription;
- Security and Fraud Prevention: To detect, prevent, and address technical issues, security incidents, and fraudulent or abusive activity;
- Analytics and Improvement: To analyze usage trends and improve the functionality, reliability, and user experience of the Service; and
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
4. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Third-Party Service Providers
We engage trusted third-party providers to perform services on our behalf, including:
- Supabase: Database hosting and user authentication;
- Vercel: Application hosting and deployment;
- Anthropic (Claude): AI-powered code analysis and fix generation — source code snippets may be transmitted to Anthropic's API for processing;
- Razorpay: Payment processing;
- GitHub: Repository access and pull request creation (only with your explicit authorization).
These providers are contractually obligated to use your information only for the purposes of providing their services to us and are required to maintain reasonable security measures.
4.2 Legal Requirements
We may disclose your information if required to do so by law, or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users or the public; or (e) protect against legal liability.
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service of any change in ownership or use of your personal information.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until you delete your account;
- Scan results and reports: Retained for the lifetime of your account to enable access to historical scan data;
- Source code: Transmitted to AI providers for real-time analysis only; NOT permanently stored on our servers after processing is complete;
- GitHub access tokens: Stored securely until you disconnect your GitHub account or revoke access;
- Payment records: Retained as required by applicable tax and accounting regulations; and
- Server logs: Retained for up to ninety (90) days for security and debugging purposes.
Upon account deletion, we will delete or anonymize your personal information within thirty (30) days, except where retention is required by law.
6. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption of data in transit using TLS/HTTPS;
- Encryption of sensitive data at rest, including GitHub access tokens;
- Row-level security policies on database tables;
- Secure session management with HTTP-only cookies;
- Rate limiting on all API endpoints; and
- Regular security scanning of our own infrastructure.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and shall not be liable for any breach of security beyond our reasonable control.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: You may request a copy of the personal information we hold about you;
- Correction: You may request correction of inaccurate or incomplete personal information;
- Deletion: You may request deletion of your personal information by deleting your account through the Settings page or by contacting us;
- Data Portability: You may request your data in a structured, commonly used, machine-readable format;
- Withdrawal of Consent: Where processing is based on consent, you may withdraw consent at any time;
- Revoke GitHub Access: You may disconnect your GitHub account at any time through your VibeSafe account settings, which will delete the stored access token; and
- Opt-Out of Analytics: You may disable analytics cookies through your browser settings.
To exercise any of these rights, please contact us at hello@nivo.run. We will respond to verified requests within thirty (30) days.
8. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside, including the United States (where our infrastructure and AI providers are located) and India (where our company is based). These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to such transfers.
9. Children's Privacy
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at hello@nivo.run.
10. Third-Party Links
The Service may contain links to third-party websites or services that are not owned or controlled by VibeSafe. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party service you access through the Service.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on this page and updating the "Last updated" date. For significant changes, we may also send notice via email. Your continued use of the Service after such changes constitutes acceptance of the revised Policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: hello@nivo.run
Website: vibesafe.tech