// privacy
Privacy Policy
last updated · 2026-05-17
Who we are
FixVibe is operated by EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data subject requests under the GDPR, UK GDPR or CCPA, contact privacy@fixvibe.app. For everything else, write to support@fixvibe.app.
What we collect, why, and how long we keep it
Account data
Email address, OAuth identifier (if you sign in via Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to communicate with you about your account. Kept for as long as your account exists. When you delete your account, this information is deleted within 30 days, unless we are required to retain it (for example, billing records under tax law).
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scan targets and findings
The URLs you scan, the requests we make to those URLs, and the findings we generate. Stored against your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Anonymous scan sessions
If you run a scan without signing in, we set an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) containing an opaque random ID. We automatically delete anonymous scan records that have not been claimed after 24 hours. If you register within that 24-hour window, your scan moves to your new account. We do not know who anonymous users are until they register.
Legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption
Billing data
Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store only your Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Server logs and audit logs
Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.
Legal basis · Legitimate interest — Art. 6(1)(f) GDPR
GitHub integration (optional, Pro+ only)
If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. We use the token only to read the repositories you scan. Source code is fetched per scan, processed in memory, and only individual finding evidence is stored (no full source dumps). Deleted within 30 days of disconnecting.
Legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR
API tokens + MCP server (optional)
Tokens you create in Account → API tokens are stored as a SHA-256 hash, the first 8 plaintext characters (for identification), the name you give them, and created/last-used/revoked timestamps. The plaintext is shown to you exactly once at creation and is never stored. Tokens are bearer credentials: anyone holding the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp authenticates via those same tokens, exposes the data the dashboard would show, and creates no new data category.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Outbound webhooks (optional, paid plans)
If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Live threat monitoring (optional, Unlimited only)
When monitoring is enabled on a verified domain, we periodically capture certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the results of public lookups. No personal data about your end users is captured. Snapshots older than 7 days are deleted automatically; the most recent baseline is kept per signal type.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scheduled re-scans (optional, Pro+ only)
When you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and which user enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified; you do not re-attest for every run. Disable at any time in Domains → Schedule.
Legal basis · Performance of contract — Art. 6(1)(b) GDPR
Analytics (optional, with consent)
If you grant analytics consent and analytics is configured on the deployment you use, we use a privacy-respecting product-analytics provider (proxied through our domain) to record anonymous usage: which buttons are clicked, which checks people run, where users drop off in the funnel. We never include the URLs you scan, evidence content, or personal data in analytics events. Withdraw consent at any time.
Legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)
Promotional offer redemptions
When you redeem a promo code, invite link, or third-party credit, we store the campaign code, the plan and duration we granted, trial start and end timestamps, the plan you had before the trial, and an HMAC-SHA256 hash of your IP at the time of redemption (we never store the raw IP; the hash exists only to enforce a one-redemption-per-network limit, and rotating the HMAC key makes every previously stored hash unlinkable to any person). Kept until the campaign duration + 18 months for accounting and abuse analysis, then deleted together with the other campaign data.
Legal basis · Legitimate interest (abuse prevention, accounting) — Art. 6(1)(f) GDPR
Promotions, sweepstakes, and contests
If you enter a FixVibe contest (including the Security Preflight Contest), we store the email address you submit (needed to contact you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and domain root, your submitted fix write-up, stack, and optional one-thing-I-learned note, the prize track you optionally choose, and the three required attestations you confirm (authorization, eligibility, submission). If you additionally opt in to marketing display, we may show your public score, badge, stack, username, and the quote you submit on the FixVibe homepage, contest page, or recap post; nothing else, and never without that opt-in. Contest entries are kept until the contest duration + 18 months for eligibility verification and dispute handling. You can withdraw marketing-display consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect processing that was lawful before the withdrawal.
Legal basis · Performance of contract (contest entry) and consent (display) — Art. 6(1)(b) and 6(1)(a) GDPR
What we do NOT collect
- We never sell your data.
- We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
- We never send your scan target URLs or finding evidence to analytics properties; that data lives only in our database, under row-level security.
- We do not share your data with third parties for their own marketing.
Sub-processors
To run FixVibe we rely on these sub-processors:
- Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
- Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
- Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
- PostHog Inc. (USA) — product analytics, only if you grant analytics consent and analytics is configured on the deployment you use. Privacy notice: posthog.com/privacy.
- GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use GitHub's API to read the repositories you scan. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
- Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.
Personal data transferred outside the EEA/UK relies on the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described under “Security”.
We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.
Your rights
Under the GDPR, UK GDPR, and related laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, etc.), you have the right:
- to obtain a copy of your data (self-serve from Account → Privacy);
- to have your data corrected;
- to have your data deleted (also self-serve);
- to object to processing based on legitimate interests;
- to withdraw analytics consent at any time;
- to data portability: your export is in JSON;
- to lodge a complaint with your local supervisory authority (EU/UK/EEA) or equivalent.
We respond to verifiable rights requests within 30 days. For requests you cannot complete self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.
California residents (CCPA / CPRA)
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics via PostHog runs only after you grant consent in the cookie banner; you can withdraw that consent at any time, including by clicking Your Privacy Choices in the footer.
As a California resident, you also have the right:
- to know what personal information we collect, the sources, the purposes, and any third parties we share it with (all described above);
- to request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
- to correct inaccurate personal information;
- to limit the use and disclosure of sensitive personal information: we collect none beyond authentication credentials and session metadata, both of which are necessary to provide the service;
- to opt out of sale or sharing: not applicable, as we do neither;
- not to be discriminated against for exercising any of the rights above.
We honor Global Privacy Control (GPC) signals automatically; if you send a GPC header, we treat your visit as opted out of any future analytics consent.
Security
We enforce row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.
No security program is perfect. If you believe you have found a vulnerability in FixVibe, report it to support@fixvibe.app.
Changes to this policy
If we make material changes (new sub-processors, new data categories, new retention periods), we will update the date above and notify you in-app. Minor wording fixes do not trigger a notification.
Contact
privacy@fixvibe.app: responses typically arrive within 5 business days, and never take longer than the 30 days required by GDPR Art. 12(3).
