FixVibe


Privacy Policy

last updated · 2026-05-17

Who we are

FixVibe is operated by EGO HERO LLC (“we”, “us”), which is the data controller for the personal data described in this policy. For privacy questions, including data subject requests under the GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For everything else, write to support@fixvibe.app.

What we collect, why, and how long we keep it

  • Account data

    Email address, OAuth identifier (if you sign in with Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to contact you about your account. Kept for as long as your account is active. When you delete your account, this data is removed within 30 days, unless we are required to retain it (for example, billing records under tax law).

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scan targets and findings

    The URLs you scan, the requests we make to those URLs, and the findings we produce. These are stored under your organization. Records older than your plan's retention window are automatically deleted: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Anonymous scan sessions

    If you scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, lasting 24 hours) that stores an opaque random ID. Unclaimed anonymous scan records are automatically deleted after 24 hours. If you sign up within the 24-hour window, your scans are transferred to your new account. We do not know who anonymous users are unless they sign up.

    legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption

  • Billing data

    Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store the Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Server logs and audit logs

    Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

    legal basis · Legitimate interests — Art. 6(1)(f) GDPR

  • GitHub integration (optional, Pro+ only)

    If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the scopes granted. We use the token solely to read the repositories you initiate a scan on. Source code is fetched per scan, processed in memory, and only individual finding evidence is retained (no full source dumps). Deleted within 30 days after disconnect.

    legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

  • API tokens + MCP server (optional)

    Tokens you create in Account → API tokens are stored as a SHA-256 hash, the first 8 characters of the plaintext (for identification), the name you gave the token, and created/last-used/revoked timestamps. The plaintext is shown to you only once, at creation, and is never retained. Tokens are bearer credentials: anyone holding the value can read your scans and start new ones until it is revoked. The MCP server at /api/mcp is authenticated by these same tokens, exposes the same data the dashboard shows, and does not create a separate data category.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Outbound webhooks (optional, paid plans)

    If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Live threat detection (optional, Unlimited only)

    When monitoring is running on your verified domain, we periodically fetch certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and public results from public lookups. No personal data of your end-users is collected. Snapshots older than 7 days are automatically deleted; the most recent baseline is retained per signal type.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scheduled re-scans (optional, Pro+ only)

    If you run scheduled scans on a verified domain, we record the cadence, last run time, next run time, and which user enabled the schedule. Every cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified — you do not need to attest again on each run. Stop the schedule at any time in Domains → Schedule.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Analytics (optional, consent-gated)

    If you grant analytics consent and analytics is configured for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our own domain) to record anonymous usage — which buttons are clicked, which checks people run, where in the funnel users drop off. We do not put the URLs you scan, evidence content, or personal data into analytics events. Withdraw consent at any time via .

    legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

  • Promotional offer claims

    When you claim a promo code, referral link, or classification credit, we store the campaign code, the plan and duration we granted, the trial start and end timestamps, the plan you held before the trial, and an HMAC-SHA256 hash of your IP address at the time of the claim (we never store the raw IP — the hash exists only so we can enforce a one-claim-per-network limit, and rotating the underlying HMAC key invalidates all stored hashes without exposing anyone). Retained for the life of the campaign plus 18 months for accounting and fraud-investigation purposes, then deleted along with the rest of the campaign records.

    legal basis · Legitimate interests (fraud prevention, accounting) — Art. 6(1)(f) GDPR

  • Contests, sweepstakes, and challenges

    If you enter a FixVibe Challenge (such as the Security Preflight Challenge), we store the contact email you submit (required so we can reach you if you win), the optional Reddit and Product Hunt usernames you provide, your scan ID and root domain, the declared project type, stack, and optional one-thing-I-learned text you provide, the optional discovery-channel value you select, and the three required checkboxes you accept (authorization, rules, contact). If you separately tick the optional featured-on-marketing consent, we may publicly display your score, grade, stack, username, and submitted quote on the FixVibe landing page, the challenge page, or a recap post — never any other field, and never without the opt-in. Challenge entries are retained for the life of the Challenge plus 18 months for verification and dispute purposes. You can withdraw the featured-on-marketing consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

    legal basis · Performance of contract (running the Challenge) and consent (featuring) — Art. 6(1)(b) and 6(1)(a) GDPR

What we do NOT collect

  • We never sell your data.
  • We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
  • We do not put your scan target URLs or finding evidence into analytics properties — that data lives only in our database, protected by row-level security.
  • We do not share your data with third parties for their own marketing.

Sub-processors

We rely on the following sub-processors to run FixVibe:

  • Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
  • Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. FixVibe's production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
  • Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
  • Upstash, Inc. (USA, via the Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived, IP-based counters. Privacy notice: upstash.com/privacy.
  • PostHog Inc. (USA) — product analytics, only if you grant analytics consent and when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
  • GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use GitHub's API to read the repositories you initiate a scan on. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
  • Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend stores delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum), together with the encryption-in-transit and encryption-at-rest measures described under “Security” below.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Your rights

Under the GDPR, UK GDPR, and similar laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, etc.), you have the right:

  • to access a copy of your data (you can do this self-serve from Account → Privacy);
  • to correct your data;
  • to delete your data (also available self-serve);
  • to object to processing based on legitimate interests;
  • to withdraw analytics consent at any time via ;
  • to data portability — your export is in JSON;
  • to lodge a complaint with your local supervisory authority (EU/UK/EEA) or its equivalent.

We respond to verifiable rights requests within 30 days. For requests we cannot fulfil self-serve (correcting fields we do not expose, restricting processing, objection), email support@fixvibe.app with the subject “Privacy request”.

California residents (CCPA / CPRA)

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics via PostHog runs only when you grant consent in our cookie banner; you can withdraw that consent at any time via or by clicking Your Privacy Choices in the footer.

If you are a California resident, you also have the right:

  • to know what personal information we collect, its sources, the purposes, and all third parties we share it with (detailed above);
  • to request deletion of your personal information (self-serve in Account → Privacy or by emailing us);
  • to correct inaccurate personal information;
  • to limit the use and disclosure of sensitive personal information — we collect none other than authentication credentials and session metadata, both of which are necessary to provide the service;
  • to opt out of sale or sharing — not applicable because we do neither;
  • not to be discriminated against for exercising any of the rights above.

We automatically honor the Global Privacy Control (GPC) signal; sending the GPC header is treated the same as explicitly opting out of future analytics consent.

Security

We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.

Changes to this policy

If we make material changes — new sub-processors, new data categories, new retention periods — we will update the date above and notify you in-app. Minor wording fixes do not trigger a notification.

Contact

privacy@fixvibe.app — we usually reply within 5 business days, and no later than 30 days as required by GDPR Art. 12(3).
