FixVibe

// privacy

Privacy Policy

last updated · 2026-05-17

Who we are

FixVibe is operated by EGO HERO LLC (“we”, “our”), the controller of the personal data described in this policy. For privacy questions, including data-subject requests under the GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.

What we collect, why, and how long we keep it

  • Account data

    Email address, OAuth identifier (if you sign in with Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to contact you about your account. Retained while your account is active. When you delete your account, this data is removed within 30 days, except where we are required to retain it (for example, billing records under tax law).

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scan targets and results

    The URLs you scan, the requests we make to those URLs, and the findings we produce. Stored under your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Anonymous scan sessions

    If you run a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) that holds a random ID that does not directly identify you. We automatically delete unclaimed anonymous scan records after 24 hours. If you sign up within the 24-hour window, your scan migrates to your new account. We do not know who anonymous users are unless they sign up.

    legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption

  • Billing data

    Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store only the Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Server logs and audit logs

    Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

    legal basis · Legitimate interest — Art. 6(1)(f) GDPR

  • GitHub integration (optional, Pro+ only)

    If you connect a GitHub account from Account → Integrations, we store the encrypted OAuth access token for your organization, your GitHub login + numeric ID, and the scopes granted. We use the token only to read repositories you start scans on. Source code is fetched per scan, processed in memory, and only individual finding evidence is stored (not a full source dump). Deleted within 30 days of disconnecting.

    legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

  • API tokens + MCP server (optional)

    Tokens you create in Account → API tokens are stored as a SHA-256 hash, the first 8 characters of the plaintext (for identification), and the name you gave them, along with created/last-used/revoked timestamps. The plaintext is shown to you exactly once at creation and is never stored. Tokens are bearer credentials: anyone who has the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp uses these tokens for authentication, exposes the same data the dashboard would show, and does not create a separate category of data.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Outbound webhooks (optional, paid plans)

    If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Live threat detection (optional, Unlimited only)

    If monitoring is enabled on a verified domain, we periodically capture certificate-transparency log data, DNS records, and threat-intel lists (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the public results of public lookups. No end-user personal data is captured. Snapshots older than 7 days are deleted automatically; the latest baseline for each signal type is retained.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scheduled re-scans (optional, Pro+ only)

    If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and which user enabled the schedule. Each cron-triggered scan inherits the scan-permission attestation made when the domain was first verified — you do not re-attest on every run. Turn off at any time in Domains → Schedule.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Analytics (optional, consent required)

    If you give analytics consent and we have configured analytics for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our domain) to record anonymous usage — which buttons are clicked, which tests people run, where users drop out of the funnel. We do not put the URLs you scan, finding evidence content, or personal data into analytics events. Withdraw consent at any time via .

    legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

  • Promotional offer redemption

    When you redeem a promo code, invite link, or referral credit, we store the campaign code, the plan and duration we granted, the trial start and end times, the plan you had before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we never store the raw IP — the hash exists only so we can enforce a one-redemption-per-network limit, and rotating the underlying HMAC key invalidates all stored hashes without revealing any). Retained for the life of the campaign plus 18 months for accounting and fraud-investigation purposes, then deleted along with the rest of the campaign records.

    legal basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR

  • Contests, sweepstakes, and challenges

    If you enter a FixVibe Challenge (such as the First Security Scan Challenge), we store the contact email you submit (required so we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and root domain, the self-reported project type, stack, and one-thing-I-learned text you optionally provide, the discovery-channel value you optionally select, and the three required acknowledgements you accepted (permission, rules, contact). If you tick the separate, optional show-in-marketing permission, we may display the public score, grade, stack, username, and submitted quote on the FixVibe homepage, the challenge page, or a recap post — no other field, and never without that opt-in. Challenge entries are retained for the life of the Challenge plus 18 months for verification and dispute purposes. You can withdraw the show-in-marketing permission at any time by emailing privacy@fixvibe.app; withdrawal does not affect lawful processing before the withdrawal.

    legal basis · Performance of contract (running the Challenge) and consent (display) — Art. 6(1)(b) and 6(1)(a) GDPR

What we do NOT collect

  • We never sell your data.
  • We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
  • We do not put your scan URLs or finding evidence into analytics tooling — that data lives only in our database, under row-level security.
  • We do not share your data with third parties for their own marketing.

Sub-processors

We rely on the following sub-processors to run FixVibe:

  • Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
  • Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. FixVibe's production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
  • Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
  • Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP counters. Privacy notice: upstash.com/privacy.
  • PostHog Inc. (USA) — product analytics, only if you give analytics consent and only when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
  • GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use the GitHub API to read repositories you start scans on. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
  • Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-complete, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum), together with the supplementary encryption-in-transit and encryption-at-rest measures described under “Security” below.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Your rights

Under the GDPR, UK GDPR, and similar laws (CCPA/CPRA, LGPD, PIPEDA, the Australian Privacy Act, and others), you have the right to:

  • obtain a copy of your data (you can do this yourself from Account → Privacy);
  • have your data corrected;
  • have your data deleted (also self-serve);
  • object to processing based on legitimate interest;
  • withdraw analytics consent at any time via ;
  • data portability — your export is in JSON;
  • lodge a complaint with your local supervisory authority (EU/UK/EEA) or its equivalent.

We respond to verifiable rights requests within 30 days. For requests we cannot fulfil through self-serve (correcting a field we do not expose, restricting processing, objecting), email support@fixvibe.app with the subject line “Privacy request”.

California residents (CCPA / CPRA)

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. PostHog analytics runs only after you give consent in our cookie banner; you can withdraw that consent at any time via or by clicking Your Privacy Choices in the footer.

If you are a California resident, you also have the right to:

  • know what personal information we collect, the sources, the purposes, and any third parties we share it with (all described above);
  • request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
  • correct inaccurate personal information;
  • limit the use and disclosure of sensitive personal information — we collect nothing beyond authentication credentials and session metadata, both of which are required to provide the service;
  • opt out of sale or sharing — not applicable because we do neither;
  • not be discriminated against for exercising any of the above.

We honor Global Privacy Control (GPC) signals automatically; sending the GPC header causes us to treat your visit as if you had opted out of any future analytics consent.

Security

We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.

Changes to this policy

If we make material changes — new sub-processors, new data categories, new retention periods — we will update the date above and notify you in-app. Minor wording fixes do not trigger a notice.

Contact

privacy@fixvibe.app — we usually reply within 5 business days, and never later than the 30 days required by GDPR Art. 12(3).
