// privacy
Privacy Policy
last updated · 2026-05-17
Who we are
FixVibe is operated by EGO HERO LLC, which is the data controller for the personal information described in this policy and is referred to as “we” and “us”. For privacy questions and for data subject requests under GDPR, UK GDPR or CCPA, write to privacy@fixvibe.app. For anything else, write to support@fixvibe.app.
What we collect, why, and how long we keep it
Account data
Email address, OAuth identifier (for signing in with Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to communicate with you about your account. Kept for as long as your account is active. When you delete your account, this data is deleted within 30 days, except where we are obligated to retain it (for example, billing records under tax laws).
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scan targets and findings
The URLs you scan, the requests we make to those URLs, and the findings we extract. Stored linked to your organization. Records older than your plan's retention window are automatically deleted: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Anonymous scan sessions
When you scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) that holds an opaque random ID. Unclaimed anonymous scan records are automatically deleted after 24 hours. If you sign up within the 24-hour window, your scan moves to your new account. We do not know who anonymous users are until they sign up.
Legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption
Billing data
Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store the Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Server logs and audit logs
Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.
Legal basis · Legitimate interest — Art. 6(1)(f) GDPR
GitHub integration (optional, Pro+ only)
When you connect a GitHub account from Account → Integrations, we store for your organization an encrypted OAuth access token, your GitHub login and numeric user ID, and the granted scopes. The token is used only to read repositories for scans you start. Source code is fetched per scan, processed in memory, and only per-finding evidence is persisted (there are no full source dumps). Deleted within 30 days of disconnecting.
Legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR
API tokens + MCP server (optional)
Tokens you create in Account → API tokens are stored as a SHA-256 hash, together with the first 8 plaintext characters for identification, the name you give, and created/last-used/revoked timestamps. The plaintext is shown only once, at creation time, and is never persisted. Tokens are bearer credentials: anyone holding the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp is authenticated with the same tokens, exposes the same data the dashboard shows, and does not create any other category of data.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Outbound webhooks (optional, paid plans)
If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Live threat detection (optional, Unlimited only)
When monitoring is enabled on a verified domain, we periodically fetch certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain the hostnames authorized for scanning and the public results of public lookups. No personal data of end users is collected. Snapshots older than 7 days are automatically deleted; the most recent baseline is kept for each signal type.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scheduled re-scans (optional, Pro+ only)
When you enable scheduled scans on a verified domain, we record the cadence, the last run time, the next run time, and which user enabled the schedule. Each cron-triggered scan relies on the authorization-to-scan attestation made when the domain was first verified; re-attestation is not required on each run. You can disable scheduling at any time in Domains → Schedule.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Analytics (optional, consent only)
If you give analytics consent and analytics is configured for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our domain) to record anonymous usage: which buttons are clicked, which checks people run, and where users drop off in the funnel. We do not put the URLs you scan, evidence content, or personal data into analytics events. You can withdraw consent at any time.
Legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)
Promotional offer redemption
When you redeem a promo code, invite link, or referral credit, we store the campaign code, the plan and duration granted, the trial start and end times, the plan you were on before the trial, and an HMAC-SHA256 hash of your IP address at redemption time (we never store the raw IP; the hash exists only to enforce one-redemption-per-network limits, and rotating the HMAC key invalidates all stored hashes without exposing anyone). Kept for the campaign lifetime plus 18 months for accounting and fraud-investigation purposes, and linked to the campaign record.
Legal basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR
Contests, sweepstakes, and challenges
When you enter a FixVibe Challenge (such as the Security Preflight Challenge), we store the contact email you provide (required, so we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and root domain, the self-reported project type, stack, and one-thing-you-learned note you optionally provide, the discovery-channel value you optionally select, and the three required consent flags you accept (authorization, rules, contact). If you tick the optional featured-on-marketing consent, we may display your public score, grade, stack, username, and written note on the FixVibe homepage, the challenge page, or a recap post; we display no other field, and nothing without that opt-in. Challenge entries are kept for the Challenge lifetime plus 18 months for verification and dispute purposes. You can withdraw the featured-on-marketing consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Legal basis · Performance of contract (running the Challenge) and consent (featuring) — Art. 6(1)(b) and 6(1)(a) GDPR
What we never collect
- We do not sell your data.
- We do not load third-party ad-tech, fingerprinting, or session-replay scripts.
- We do not put your scan target URLs or finding evidence into analytics properties; that data lives only in our database, protected by row-level security.
- We do not share your data with third parties for their marketing.
Sub-processors
We rely on the following sub-processors to operate FixVibe:
- Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is located in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
- Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
- Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
- PostHog Inc. (USA) — product analytics, only if you give analytics consent and only when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
- GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use the GitHub API to read repositories for scans you start. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
- Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend stores delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.
Transfers of personal data outside the EEA/UK rely on the European Commission Standard Contractual Clauses (or the UK International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described in the “Security” section below.
We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.
Your rights
Under GDPR, UK GDPR, and similar laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, and others), you have the following rights:
- access a copy of your data (you can do this self-serve from Account → Privacy);
- correct your data;
- delete your data (also self-serve);
- object to processing based on legitimate interests;
- withdraw analytics consent at any time;
- data portability: your export is in JSON;
- lodge a complaint with your local supervisory authority (EU/UK/EEA) or equivalent.
We respond to verifiable rights requests within 30 days. For requests you cannot complete through self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.
California residents (CCPA / CPRA)
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. PostHog analytics runs only if you gave consent in the cookie banner; you can withdraw that consent at any time, including by clicking the Your Privacy Choices link in the footer.
If you are a California resident, you have the following rights:
- know what personal information we collect, where it comes from, for what purpose, and with which third parties we share it (all of this is described above);
- request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
- correct inaccurate personal information;
- limit the use and disclosure of sensitive personal information: we collect nothing beyond authentication credentials and session metadata, both of which are necessary to provide the service;
- opt out of sale or sharing: not applicable, as we do neither;
- not be discriminated against for exercising any of these rights.
We automatically honor Global Privacy Control (GPC) signals; sending the GPC header causes your visit to be treated as having expressly opted out of future analytics consent.
Security
We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.
No security program is perfect. If you believe you have found a vulnerability in FixVibe, let us know at support@fixvibe.app.
Changes to this policy
When we make material changes (new sub-processors, new data categories, new retention periods), we will update the date at the top and notify you in-app. Minor wording corrections do not trigger a notice.
Contact
privacy@fixvibe.app — replies usually arrive within 5 business days, and no later than 30 days under GDPR Art. 12(3).
