// privacy
Privacy Policy
last updated · 2026-05-17
Who we are
FixVibe is operated by EGO HERO LLC (“we”, “our”), the data controller for the personal information described in this policy. For privacy questions, including data-subject requests under GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.
What we collect, why, and how long we keep it
Account data
Email address, OAuth identifier (if you sign in with Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to contact you about your account. Kept while your account is active. When you delete your account, this data is removed within 30 days, unless we are legally required to keep it (such as billing records under tax law).
legal basis · Performance of contract - Art. 6(1)(b) GDPR
Scan targets and findings
The URLs you scan, the requests we make to those URLs, and what we find. Stored under your organization. We automatically delete records older than your plan's retention period: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.
legal basis · Performance of contract - Art. 6(1)(b) GDPR
Anonymous scans
If you run a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, valid for 24 hours) containing a randomly generated anonymous ID. We automatically delete unclaimed scan records after 24 hours. If you sign up within 24 hours, your scans move to your new account. We do not know who anonymous users are until they sign up.
legal basis · Strictly necessary - ePrivacy Art. 5(3) exemption
Billing data
Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store only a Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.
legal basis · Performance of contract - Art. 6(1)(b) GDPR
Server logs and audit logs
Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.
legal basis · Legitimate interests - Art. 6(1)(f) GDPR
GitHub integration (optional, Pro+ only)
If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. We use the token only to read the repositories you start a scan on. Source code is fetched per scan, processed in memory, and only the evidence for each finding is stored (not full source dumps). Deleted within 30 days after disconnect.
legal basis · Performance of contract / consent - Art. 6(1)(b) + 6(1)(a) GDPR
API tokens + MCP server (optional)
Tokens you create from Account → API tokens are stored as a SHA-256 hash, the first 8 plaintext characters (for identification), the name you give, and the created/last-used/revoked timestamps. The plaintext is shown to you only once, at creation, and is not stored again. These tokens are bearer credentials: anyone who holds the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp authenticates with the same tokens, exposes the same data the dashboard shows, and does not create any additional data category.
legal basis · Performance of contract - Art. 6(1)(b) GDPR
Outbound webhooks (optional, paid plans)
If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.
legal basis · Performance of contract - Art. 6(1)(b) GDPR
Live threat detection (optional, Unlimited only)
If monitoring is enabled on a verified domain, we periodically collect certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the general results of public lookups. No personal information about your end-users is captured. Snapshots older than 7 days are deleted automatically; only the latest baseline is kept for each signal type.
legal basis · Performance of contract - Art. 6(1)(b) GDPR
Scheduled re-scans (optional, Pro+ only)
If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and which user enabled the schedule. Each scan started by the cron carries the authorization-to-scan attestation given when the domain was first verified; you do not attest again on each run. Delete at any time from Domains → Schedule.
legal basis · Performance of contract - Art. 6(1)(b) GDPR
Analytics (optional, consent required)
If you give analytics consent and analytics is configured for the deployment you use, we use a privacy-respecting product-analytics provider (proxied through our domain) to record anonymous usage: which buttons are clicked, which checks people run, and where users leave the funnel. We do not send the URLs you scan, evidence content, or personal data in analytics events. Withdraw consent at any time at .
legal basis · Consent - Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)
Promotional offer redemption
When you redeem a promo code, invite link, or referral credit, we store the campaign code, the plan and duration we granted, the trial start and end times, the plan you were on before the trial, and an HMAC-SHA256 hash of your IP address at redemption time (we do not store the raw IP; the hash exists only so that we can enforce the one-redemption-per-network limit, and rotating the HMAC key invalidates all hashes without revealing any of them). Kept for the campaign period plus 18 months for record-keeping and fraud investigation, then deleted along with the rest of the campaign record.
legal basis · Legitimate interests (fraud prevention, record-keeping) - Art. 6(1)(f) GDPR
Giveaways, sweepstakes, and contests
If you enter a FixVibe Challenge (such as the Security Testing Challenge), we store the contact email you submit (required so that we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and domain digest, the role, stack, and one-thing-I-learned note you optionally provide, the discovery-channel value you optionally select, and the three consents you confirm (consent, rules, contact). If you also confirm the optional featured-on-marketing consent, we may display your public handle, comments, stack, name, and the description you submitted on the FixVibe homepage, the challenge page, or a blog post; no other channel, and never unless you opt in. Challenge entries are kept for the Challenge period plus 18 months for verification and disputes. You can withdraw the featured-on-marketing consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect the lawfulness of processing before the withdrawal.
legal basis · Performance of contract (running the Challenge) and consent (display) - Art. 6(1)(b) and 6(1)(a) GDPR
What we do NOT collect
- We do not sell your data.
- We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
- We do not send your scan target URLs or finding evidence to analytics properties; that data stays only in our database, protected by row-level security.
- We do not share your data with third parties for their marketing.
Sub-processors
We rely on the following sub-processors to run FixVibe:
- Vercel Inc. (USA) - application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) - Postgres database, authentication, file storage, Realtime. The FixVibe production database is located in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
- Stripe Inc. (USA) - payment processing for paid plans. Privacy notice: stripe.com/privacy.
- Upstash, Inc. (USA, via the Vercel Marketplace) - Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
- PostHog Inc. (USA) - product analytics, only if you give analytics consent and analytics is configured for the deployment you use. Privacy notice: posthog.com/privacy.
- GitHub, Inc. (USA) - only if you connect the optional GitHub integration. We use the GitHub API to read the repositories you start a scan on. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
- Resend, Inc. (USA) - transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend stores delivery metadata (timestamps, status, bounce records) for operational purposes; we do not send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.
Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described under “Security” below.
We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.
Your rights
Under GDPR, UK GDPR, and similar laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act and others), you have the right to:
- access a copy of your data (you can do this yourself from Account → Privacy);
- have your data corrected;
- have your data deleted (also available self-serve);
- object to processing based on legitimate interests;
- withdraw analytics consent at any time at ;
- data portability - your export is in JSON;
- lodge a complaint with your local supervisory authority (EU/UK/EEA) or an equivalent body.
We respond to verifiable rights requests within 30 days. For requests we cannot fulfil self-serve (correction of a field we do not expose, restriction of processing, objection), write to support@fixvibe.app with the subject line “Privacy request”.
California residents (CCPA / CPRA)
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics through PostHog runs only when you give consent in our cookie banner; you can withdraw that consent at any time at  or by clicking Your Privacy Choices in the footer.
If you are a California resident, you also have the right to:
- know the personal information we collect, the sources, the purposes, and the third parties we share it with (all disclosed above);
- request deletion of your personal information (self-serve from Account → Privacy or by emailing us);
- correct inaccurate personal information;
- limit the use and disclosure of sensitive personal information - we do not collect anything beyond authentication credentials and session metadata, both of which are required to provide the service;
- opt out of sale or sharing - not applicable because we do neither;
- not be discriminated against for exercising any of the above.
We honor Global Privacy Control (GPC) signals automatically; sending a GPC header is treated as an explicit opt-out of analytics consent going forward.
Security
We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.
No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.
Changes to this policy
If we make material changes (a new sub-processor, a new data category, a new retention period), we will update the date above and notify you in-app. Minor wording changes do not trigger a notice.
Contact
privacy@fixvibe.app - typically answered within 5 business days, and no later than 30 days as required by GDPR Art. 12(3).
