Privacy Policy
last updated · 2026-05-17
Who we are
FixVibe is operated by EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data subject requests under GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.
What we collect, why, and how long we keep it
Account data
Email address, OAuth identifier (if you sign in with Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and contact you about your account. Retained while your account is active. When you delete your account, this data is removed within 30 days, except where we are required to retain it (e.g., billing records under tax law).
lawful basis · Performance of contract – Art. 6(1)(b) GDPR
Scan targets and findings
The URLs you scan, the requests we make to those URLs, and the findings we produce. Stored against your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.
lawful basis · Performance of contract – Art. 6(1)(b) GDPR
Anonymous scan sessions
If you run a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) holding an opaque random ID. We automatically delete unclaimed anonymous scan records after 24 hours. If you sign up within the 24-hour window, your scan migrates into your new account. We don't know who anonymous users are unless they sign up.
lawful basis · Strictly necessary – ePrivacy Art. 5(3) exemption
Billing data
Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we only store a Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.
lawful basis · Performance of contract – Art. 6(1)(b) GDPR
Server logs and audit logs
Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.
lawful basis · Legitimate interest – Art. 6(1)(f) GDPR
GitHub integration (optional, Pro+ only)
If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. We use the token solely to read repositories you initiate scans against. Source code is fetched per-scan, processed in memory, and only individual finding evidence is persisted (no full source dumps). Deleted within 30 days of disconnect.
lawful basis · Performance of contract / consent – Art. 6(1)(b) + 6(1)(a) GDPR
API tokens + MCP server (optional)
Tokens you create at Account → API tokens are stored as a SHA-256 hash, the first 8 plaintext characters (for identification), the name you assigned, plus created/last-used/revoked timestamps. The plaintext is shown to you exactly once on creation and never persisted. Tokens are bearer credentials: anyone with the value can read your scans and start new ones until you revoke. The MCP server at /api/mcp is authenticated by the same tokens, exposes the same data the dashboard would, and creates no separate data category.
lawful basis · Performance of contract – Art. 6(1)(b) GDPR
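The token-storage scheme described above, as an added illustration rather than FixVibe's own code: a token is minted and returned once, only its SHA-256 hash and 8-character prefix are persisted, and authentication hashes the presented value and compares it in constant time, so a copy of the table alone cannot be used to call the API. The `fv_` prefix, the in-memory `TOKENS` list and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PREFIX_LEN = 8  # the policy keeps the first 8 plaintext characters for identification


@dataclass
class TokenRecord:
    """The persisted row: name, prefix, SHA-256 hex and timestamps. Never the plaintext."""
    name: str
    prefix: str
    sha256_hex: str
    created_at: datetime
    last_used_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


TOKENS = []  # constructed in-memory stand-in for the tokens table


def _sha256_hex(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def create_token(name: str) -> str:
    """Mint a bearer token, persist only its hash and prefix, return the plaintext once."""
    plaintext = "fv_" + secrets.token_urlsafe(32)  # 'fv_' is an assumed format, not the page's
    TOKENS.append(TokenRecord(name, plaintext[:PREFIX_LEN], _sha256_hex(plaintext),
                              datetime.now(timezone.utc)))
    return plaintext


def authenticate(presented: str) -> Optional[TokenRecord]:
    """Narrow by prefix, then compare hashes in constant time; revoked tokens never match."""
    digest = _sha256_hex(presented)
    for rec in TOKENS:
        if rec.prefix == presented[:PREFIX_LEN] and hmac.compare_digest(rec.sha256_hex, digest):
            if rec.revoked_at is not None:
                return None
            rec.last_used_at = datetime.now(timezone.utc)
            return rec
    return None


def revoke(prefix: str) -> bool:
    """Revoke live tokens with this prefix (the prefix is how a user identifies a token)."""
    hit = False
    for rec in TOKENS:
        if rec.prefix == prefix and rec.revoked_at is None:
            rec.revoked_at = datetime.now(timezone.utc)
            hit = True
    return hit
```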
Outbound webhooks (optional, paid plans)
If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.
lawful basis · Performance of contract – Art. 6(1)(b) GDPR
Live threat detection (optional, Unlimited only)
If you have monitoring enabled on a verified domain, we periodically capture certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorised us to scan and the public results of public lookups. No personal data of your end-users is captured. Snapshots older than 7 days are automatically deleted; the most recent baseline is retained per signal type.
lawful basis · Performance of contract – Art. 6(1)(b) GDPR
Scheduled re-scans (optional, Pro+ only)
If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and which user enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified – you do not re-attest per run. Disable any time at Domains → Schedule.
lawful basis · Performance of contract – Art. 6(1)(b) GDPR
Analytics (optional, consent-gated)
If you grant analytics consent and we have analytics configured for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our own domain) to record anonymous usage – which buttons get clicked, which checks people run, where in the funnel users drop off. We do not put URLs you scan, evidence content, or personal data into analytics events. You can revoke consent at any time.
lawful basis · Consent – Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)
Promotional offer redemption
When you redeem a promo code, invite link, or referral credit, we store the campaign code, the plan and duration we granted, the trial start and end timestamps, the plan you held before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we never store the raw IP – the hash exists only so we can enforce one-redemption-per-network limits, and rotating the underlying HMAC key invalidates all stored hashes without exposing anyone). Retained for the life of the campaign plus 18 months for accounting and fraud-investigation purposes, then deleted with the rest of the campaign record.
lawful basis · Legitimate interest (fraud prevention, accounting) – Art. 6(1)(f) GDPR
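How a keyed IP hash enforces the one-redemption-per-network limit, and why rotating the key invalidates the stored hashes, as an added example that is not FixVibe's code: the campaign codes, the in-memory key state and the function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the active HMAC key; a real deployment keeps it in a secret store.
# A plain SHA-256 of an IPv4 address could be reversed by enumerating the 2^32 addresses,
# which is why the hash is keyed: without the key, stored hashes reveal nothing.
KEY_STATE = {"key": secrets.token_bytes(32), "version": 1}

REDEMPTIONS = {}  # campaign code -> set of "v<version>:<hex>" tags already redeemed


def ip_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the address under the given key, hex-encoded."""
    return hmac.new(key, ip.encode("utf-8"), hashlib.sha256).hexdigest()


def redeem(campaign: str, ip: str) -> bool:
    """Grant the offer once per address and campaign under the current key version."""
    tag = f"v{KEY_STATE['version']}:{ip_hash(ip, KEY_STATE['key'])}"
    seen = REDEMPTIONS.setdefault(campaign, set())
    if tag in seen:
        return False  # same network already redeemed this campaign
    seen.add(tag)
    return True


def rotate_key() -> None:
    """Install a fresh key; tags written under the old version can no longer match anything."""
    KEY_STATE["key"] = secrets.token_bytes(32)
    KEY_STATE["version"] += 1
```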
Contests, sweepstakes, and challenges
If you enter a FixVibe Challenge (such as the Security Preflight Challenge), we store the contact email you submit (required so we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and root domain, the self-reported project type, stack, and one-thing-I-learned text you optionally provide, the discovery-channel value you optionally select, and the three required consent checkboxes you accept (authorization, rules, contact). If you separately tick the optional featured-on-marketing consent, we may display your public score, rating, stack, username, and submitted quote on the FixVibe homepage, the challenge page, or a recap post – never any other field, and never without that opt-in. Challenge entries are retained for the life of the Challenge plus 18 months for verification and dispute purposes. You can withdraw the featured-on-marketing consent any time by emailing privacy@fixvibe.app; withdrawing does not affect lawful processing before the withdrawal.
lawful basis · Performance of contract (running the Challenge) and consent (featuring) – Art. 6(1)(b) and 6(1)(a) GDPR
What we DO NOT collect
- We never sell your data.
- We don't embed third-party ad-tech, fingerprinting, or session-replay scripts.
- We don't put your scan target URLs or finding evidence into analytics properties – that data lives only in our database, gated by row-level security.
- We don't share your data with third parties for their own marketing.
Sub-processors
We rely on the following sub-processors to run FixVibe:
- Vercel Inc. (USA) – application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) – Postgres database, authentication, file storage, Realtime. The FixVibe production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
- Stripe Inc. (USA) – payment processing for paid plans. Privacy notice: stripe.com/privacy.
- Upstash, Inc. (USA, via the Vercel Marketplace) – Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
- PostHog Inc. (USA) – product analytics, only if you grant analytics consent and only when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
- GitHub, Inc. (USA) – only if you connect the optional GitHub integration. We use GitHub's API to read repositories you initiate scans against. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
- Resend, Inc. (USA) – transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.
Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described in “Security” below.
We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.
Your rights
Under GDPR, UK GDPR, and equivalent laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act etc.), you have the right to:
- access a copy of your data (you can do this self-serve from Account → Privacy);
- have your data corrected;
- have your data deleted (also self-serve);
- object to processing based on legitimate interests;
- withdraw consent for analytics at any time;
- data portability – your export is in JSON;
- lodge a complaint with your local supervisory authority (EU/UK/EEA) or equivalent.
We respond to verifiable rights requests within 30 days. For requests we cannot satisfy via self-serve (rectification of a field we don't expose, restriction of processing, objection), email support@fixvibe.app with subject line “Privacy request”.
California residents (CCPA / CPRA)
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics through PostHog only runs after you grant consent in our cookie banner; you can withdraw that consent at any time by clicking Your Privacy Choices in the footer.
If you are a California resident, you also have the right to:
- know what personal information we collect, the sources, the purposes, and any third parties with which we share it (all detailed above);
- request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
- correct inaccurate personal information;
- limit the use and disclosure of sensitive personal information – we collect none beyond authentication credentials and session metadata, both of which are required to provide the service;
- opt out of sale or sharing – not applicable since we do neither;
- not be discriminated against for exercising any of the above.
We honor Global Privacy Control (GPC) signals automatically; sending a GPC header treats your visit as if you had explicitly opted out of any future analytics consent.
Security
We enforce row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.
No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.
Changes to this policy
If we make material changes – new sub-processors, new categories of data, new retention periods – we'll update the date above and notify you in-app. Minor wording fixes don't trigger a notification.
Contact
privacy@fixvibe.app – replies usually within 5 business days, never longer than 30 days as required by GDPR Art. 12(3).
