FixVibe


Privacy Policy

last updated · 2026-05-17

Who we are

FixVibe is operated by EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data-subject requests under GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.

What we collect, why, and how long we keep it

  • Account data

    Email address, OAuth identifier (if you sign in with Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to contact you about your account. We keep this data while your account is active. When you delete your account, this data is removed within 30 days, except where we are required to keep it (for example, billing records under tax law).

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scan targets and results

    The URLs you scan, the requests we make to those URLs, and the results we produce. They are stored against your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time in Account → Privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Anonymous scan sessions

    If you start a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) holding an opaque random ID. We automatically delete unclaimed anonymous scan records after 24 hours. If you sign up within the 24-hour window, your scans migrate to your new account. We do not know who anonymous users are unless they sign up.

    legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption

  • Billing data

    Stripe is our payment processor. Your card details are stored on their PCI-DSS infrastructure; we only store a Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record for webhook events. See Stripe's privacy notice at stripe.com/privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Server logs and audit logs

    Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

    legal basis · Legitimate interest — Art. 6(1)(f) GDPR

  • GitHub integration (optional, Pro+ only)

    If you connect a GitHub account in Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. We use the token only to read the repositories you start scans on. Source code is pulled per scan, processed in memory, and only individual finding evidence is persisted (no full source dumps). Deleted within 30 days of disconnecting.

    legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

  • API tokens + MCP server (optional)

    Tokens you create in Account → API tokens are stored as a SHA-256 hash, the first 8 plaintext characters (for identification), the name you give them, plus created/last-used/revoked timestamps. The plaintext is shown to you exactly once at creation and is never persisted. Tokens are bearer credentials: anyone holding the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp authenticates with the same tokens, exposes the same data the dashboard would show, and creates no separate category of data.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR
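The token storage scheme described above (SHA-256 hash plus an 8-character prefix, plaintext shown once, revocation by prefix) as an added example; this is illustrative code, not FixVibe's own implementation, and the in-memory store and the `fv_` token prefix are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed in-memory store shaped like the token record the policy describes:
# hash, 8-char prefix, name, created / last-used / revoked timestamps. No plaintext.
@dataclass
class TokenRecord:
    token_hash: str                 # hex SHA-256 of the full plaintext token
    prefix: str                     # first 8 plaintext chars, for identification only
    name: str
    created_at: datetime
    last_used_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

STORE: dict = {}                    # token_hash -> TokenRecord (hypothetical store)

def _digest(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode()).hexdigest()

def create_token(name: str) -> str:
    """Mint a token. The plaintext is returned exactly once and never written to STORE."""
    plaintext = "fv_" + secrets.token_urlsafe(32)        # "fv_" prefix is an assumption
    h = _digest(plaintext)
    STORE[h] = TokenRecord(token_hash=h, prefix=plaintext[:8], name=name,
                           created_at=datetime.now(timezone.utc))
    return plaintext

def authenticate(presented: str) -> Optional[TokenRecord]:
    """Bearer check: hash the presented value, compare in constant time, refuse revoked tokens."""
    candidate = _digest(presented)
    for stored_hash, rec in STORE.items():
        if hmac.compare_digest(stored_hash, candidate):
            if rec.revoked_at is not None:
                return None
            rec.last_used_at = datetime.now(timezone.utc)
            return rec
    return None

def revoke(prefix: str) -> bool:
    """Revoke by the 8-char prefix the dashboard shows; the secret itself is never needed."""
    for rec in STORE.values():
        if rec.prefix == prefix and rec.revoked_at is None:
            rec.revoked_at = datetime.now(timezone.utc)
            return True
    return False
```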

  • Outbound webhooks (optional, paid plans)

    If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Live threat detection (optional, Unlimited only)

    If monitoring is enabled on a verified domain, we periodically fetch certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the results of public lookups. We do not capture any personal data of your end users. Snapshots older than 7 days are deleted automatically; the most recent baseline is kept per signal type.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scheduled re-scans (optional, Pro+ only)

    If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and which user enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified — you do not re-attest for each run. Disable at any time in Domains → Schedule.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Analytics (optional, under consent)

    If you give analytics consent and we have analytics configured for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our own domain) to record anonymous usage — which buttons are clicked, which checks people run, where users drop off in the funnel. We do not put the URLs you scan, evidence content, or personal data into analytics events. Withdraw consent at any time via .

    legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

  • Redeeming promotional offers

    When you redeem a promo code, invitation link, or referral credit, we store the campaign code, the plan and duration we granted, the trial start and end timestamps, the plan you had before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we never store the raw IP — the hash exists only so we can enforce a one-redemption-per-network limit, and rotating the underlying HMAC key invalidates every stored hash without exposing anyone). Kept for the life of the campaign plus 18 months for accounting and fraud-investigation purposes, then deleted with the rest of the campaign records.

    legal basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR
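The keyed IP hash described above, as an added example (not FixVibe's code) of why an HMAC is used rather than a plain hash and why key rotation invalidates the stored values. Assumptions: the "network" for the one-redemption-per-network limit is the IPv4 /24 or IPv6 /64 containing the address, the limit is per campaign code, and the key is a rotatable server-side secret.

```python
import hashlib
import hmac
import ipaddress
import secrets

class RedemptionLedger:
    """Hypothetical ledger: remembers HMAC-SHA256 network hashes per campaign, never raw IPs."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._seen: dict = {}                     # campaign code -> set of hex digests

    @staticmethod
    def _network(ip: str) -> str:
        # Assumption: /24 for IPv4, /64 for IPv6 is what "per network" means here.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def _hash(self, ip: str) -> str:
        # Keyed hash: the IPv4 space is only 2^32 values, so an unkeyed SHA-256 could be
        # reversed by enumeration; without the HMAC key the digest reveals nothing.
        return hmac.new(self._key, self._network(ip).encode(), hashlib.sha256).hexdigest()

    def redeem(self, campaign: str, ip: str) -> bool:
        """Return True if this network has not yet redeemed this campaign; store only the hash."""
        digest = self._hash(ip)
        bucket = self._seen.setdefault(campaign, set())
        if digest in bucket:
            return False
        bucket.add(digest)
        return True

    def rotate_key(self) -> None:
        """After rotation no stored digest matches any address, so the old records are inert."""
        self._key = secrets.token_bytes(32)
```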

  • Contests, sweepstakes, and challenges

    If you enter a FixVibe Challenge (such as the Security Preflight Challenge), we store the contact email you submit (required so we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your Scan ID and root domain, your self-declared project type, stack, and optional one-thing-I-learned text, the optional discovery-channel value you select, and the three mandatory consent checkboxes you accept (authorization, rules, contact). If you separately tick the optional marketing-showcase consent, we may display your public score, grade, stack, username, and submitted quote on the FixVibe home page, the challenge page, or a recap post — never any other field, and never without that opt-in. Challenge entries are kept for the life of the Challenge plus 18 months for verification and dispute purposes. You can withdraw marketing-showcase consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect the lawfulness of processing carried out before it.

    legal basis · Performance of contract (running the Challenge) and consent (showcase) — Art. 6(1)(b) and 6(1)(a) GDPR

What we do NOT collect

  • We never sell your data.
  • We do not integrate third-party ad-tech, fingerprinting, or session-replay scripts.
  • We do not put your scan target URLs or finding evidence into analytics properties — that data lives only in our database, protected by row-level security.
  • We do not share your data with third parties for their own marketing.

Sub-processors

We rely on the following sub-processors to run FixVibe:

  • Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
  • Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. FixVibe's production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
  • Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
  • Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
  • PostHog Inc. (USA) — product analytics, only if you give analytics consent and only when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
  • GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use GitHub's API to read the repositories you start scans on. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
  • Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend keeps delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Addendum), supported by the encryption-in-transit and encryption-at-rest measures described under “Security” below.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Your rights

Under GDPR, UK GDPR, and equivalent laws (CCPA/CPRA, LGPD, PIPEDA, the Australian Privacy Act, and others), you have the right to:

  • access a copy of your data (you can do this self-serve in Account → Privacy);
  • have your data corrected;
  • have your data deleted (also self-serve);
  • object to processing based on legitimate interest;
  • withdraw consent for analytics at any time via ;
  • data portability — your export in JSON;
  • lodge a complaint with your local supervisory authority (EU/UK/EEA) or equivalent.

We respond to verifiable rights requests within 30 days. For requests we cannot fulfil self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.

California residents (CCPA / CPRA)

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics via PostHog runs only after you give consent in our cookie banner; you can withdraw that consent at any time via  or by clicking Your Privacy Choices in the footer.

If you are a California resident, you also have the right to:

  • know what personal information we collect, its sources, its purposes, and any third parties we share it with (all detailed above);
  • request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
  • correct inaccurate personal information;
  • limit the use and disclosure of sensitive personal information — we collect nothing beyond authentication credentials and session metadata, both necessary to provide the service;
  • opt out of sale or sharing — not applicable, because we do neither;
  • not be discriminated against for exercising any of the rights above.

We honor Global Privacy Control (GPC) signals automatically; sending a GPC header makes us treat your visit as if you had explicitly opted out of any future analytics consent.

Security

We enforce row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.

Changes to this policy

If we make material changes — a new sub-processor, a new data category, a new retention period — we will update the date above and notify you in the app. Minor wording fixes do not trigger a notification.

Contact us

privacy@fixvibe.app — responses usually arrive within 5 business days, and never later than the 30 days required by GDPR Art. 12(3).

Privacy Policy · FixVibe