FixVibe


Privacy Policy

last updated · 2026-05-17

Who we are

FixVibe operates under EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data subject requests under GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.

What we collect, why, and how long we keep it

  • Account data

    Email address, OAuth identifier (if you sign in with Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to contact you about your account. Retained while your account is active. When you delete your account, this data is removed within 30 days, except where the law requires us to keep it (for example, billing records under tax law).

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scan targets and findings

    The URLs you scan, the requests we send to those URLs, and the findings we produce. They are stored under your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Anonymous scan sessions

    If you run a scan without signing in first, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) containing an opaque random ID. We automatically delete unclaimed anonymous scan records once 24 hours have passed. If you sign up within that 24-hour window, your scans move to your new account. We do not know who anonymous users are unless they sign up.

    legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption

  • Billing data

    Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store only the Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Server logs and audit logs

    Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

    legal basis · Legitimate interests — Art. 6(1)(f) GDPR

  • GitHub integration (optional, Pro+ only)

    If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. We use the token only to read the repositories you start scans against. Source code is fetched per scan and processed in memory, and only individual finding evidence is stored (no full source dumps). It is deleted within 30 days after you disconnect.

    legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

  • API tokens + MCP server (optional)

    Tokens you create in Account → API tokens are stored as a SHA-256 hash, the first 8 plaintext characters (for identification), and the name you gave, together with created/last-used/revoked timestamps. The plaintext is shown to you only once, at creation, and is not stored. Tokens are bearer credentials: anyone who holds the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp uses the same tokens for authentication, exposes the same data the dashboard would show, and does not create any additional data category.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Outbound webhooks (optional, paid plans)

    If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Live threat detection (optional, Unlimited only)

    If monitoring is active on a verified domain, we periodically capture certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you authorized us to scan and the public results of public lookups. No personal data of your end-users is captured. Snapshots older than 7 days are automatically deleted; the most recent baseline per signal type is retained.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scheduled re-scans (optional, Pro+ only)

    If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and the user who enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified — you do not re-attest on every run. Turn it off at any time in Domains → Schedule.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Analytics (optional, consent-gated)

    If you have given analytics consent and we have analytics configured for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our own domain) to record anonymous usage — buttons clicked, checks people run, where users drop out of the funnel. We do not put the URLs you scan, evidence content, or personal data into analytics events. Withdraw consent at any time via .

    legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

  • Promotional offer redemption

    When you redeem a promo code, invite link, or claim credit, we store the promo code, the plan and duration we granted, the trial start and end timestamps, the plan you had before the trial, and an HMAC-SHA256 hash of your IP address at redemption time (we do not store the raw IP — the hash exists only so that we can enforce a one-redemption-per-network limit, and rotating the underlying HMAC key invalidates all stored hashes without exposing anyone). It is retained for the life of the promotion plus 18 months for accounting and fraud-review purposes, then deleted along with the other promotion records.

    legal basis · Legitimate interests (fraud prevention, accounting) — Art. 6(1)(f) GDPR

  • Contests, sweepstakes, and challenges

    If you enter a FixVibe Challenge (such as the Preflight Security Challenge), we store the contact email you submit (required so that we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and root domain, the self-reported project type, stack, and one-thing-I-learned text you optionally provide, the discovery-channel value you optionally select, and the three required consent checkboxes you accepted (authorization, rules, contact). If you select the optional featured-in-marketing opt-in, we may display your public score, grade, stack, username, and quoted submission on the FixVibe home page, challenge page, or roundups — no other fields, and never without that opt-in. Challenge entries are retained for the life of the Challenge plus 18 months for verification and dispute purposes. You can withdraw the featured-in-marketing permission at any time by emailing privacy@fixvibe.app; withdrawal does not affect processing that was lawful before the withdrawal.

    legal basis · Performance of contract (running the Challenge) and consent (featured) — Art. 6(1)(b) and 6(1)(a) GDPR

What we do NOT collect

  • We never sell your data.
  • We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
  • We do not put your scan target URLs or finding evidence into analytics properties — that data lives only in our database, protected by row-level security.
  • We do not share your data with third parties for their own marketing.

Sub-processors

We rely on the following sub-processors to operate FixVibe:

  • Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
  • Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
  • Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
  • Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
  • PostHog Inc. (USA) — product analytics, only if you have given analytics consent and only when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
  • GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use GitHub's API to read the repositories you start scans against. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
  • Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we do not send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Addendum), together with the encryption-in-transit and encryption-at-rest measures described under “Security” below.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Your rights

Under GDPR, UK GDPR, and equivalent laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, etc.), you have the right to:

  • access a copy of your data (you can do this self-serve from Account → Privacy);
  • have your data corrected;
  • have your data deleted (this is also self-serve);
  • object to processing based on legitimate interests;
  • withdraw consent for analytics at any time via ;
  • data portability — your export is in JSON;
  • lodge a complaint with your local supervisory authority (EU/UK/EEA) or its equivalent.

We respond to verifiable rights requests within 30 days. For requests we cannot fulfil via self-serve (rectification of a field we do not expose, restriction of processing, objection), send an email to support@fixvibe.app with the subject line “Privacy request”.

California residents (CCPA / CPRA)

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics through PostHog runs only when you have given consent in our cookie banner; you can withdraw that consent at any time via or by clicking Your Privacy Choices in the footer.

If you are a California resident, you also have the right to:

  • know the personal information we collect, its sources, its purposes, and any third parties we share it with (all described above);
  • request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
  • correct inaccurate personal information;
  • limit the use and disclosure of sensitive personal information — we do not collect anything beyond authentication credentials and session metadata, both of which are necessary to provide the service;
  • opt out of sale or sharing — this does not apply because we do neither;
  • not be discriminated against for exercising any of the rights above.

We honor Global Privacy Control (GPC) signals automatically; sending the GPC header causes us to treat your visit as an explicit opt-out of any future analytics consent.

Security

We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.

Changes to this policy

If we make material changes — new sub-processors, new data categories, new retention periods — we will update the date above and notify you in-app. Minor wording fixes do not trigger a notification.

Contact us

privacy@fixvibe.app — replies usually arrive within 5 business days, and no later than 30 days as required by GDPR Art. 12(3).
