// privacy
Privacy Policy
updated · 2026-05-17
Who we are
FixVibe is operated by EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data subject requests under the GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For everything else, write to support@fixvibe.app.
What we collect, why, and how long we keep it
Account data
Your email address, your OAuth identifier (if you sign in via Google or GitHub), and any name returned by your OAuth provider. Used to authenticate you and to contact you about your account. Retained while your account is active. When you delete your account, this data is removed within 30 days, except where we are required to keep it longer (for example, billing records under tax law).
lawful basis · Performance of contract — Art. 6(1)(b) GDPR
Scan targets and findings
The URLs you scan, the requests we send to those URLs, and the findings we generate. Stored against your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.
lawful basis · Performance of contract — Art. 6(1)(b) GDPR
Anonymous scan sessions
If you run a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) containing an opaque random ID. We automatically delete anonymous scan records that have not been claimed after 24 hours. If you sign up within the 24-hour window, your scan migrates to your new account. We do not know who anonymous users are until they sign up.
lawful basis · Strictly necessary — ePrivacy Art. 5(3) exemption
Billing data
Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store only a Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record for webhook events. See Stripe's privacy notice at stripe.com/privacy.
lawful basis · Performance of contract — Art. 6(1)(b) GDPR
Server logs and audit logs
Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.
lawful basis · Legitimate interest — Art. 6(1)(f) GDPR
GitHub integration (optional, Pro+ only)
If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. The token is used only to read the repositories you start a scan on. Source code is fetched per scan, processed in memory, and only individual finding evidence is persisted (no full source dumps). Deleted within 30 days after disconnect.
lawful basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR
API tokens + MCP server (optional)
Tokens you create in Account → API tokens are stored as a SHA-256 hash, the first 8 plaintext characters (for identification), the name you set, and created/last-used/revoked timestamps. The plaintext is shown to you only once, at creation, and is never persisted. Tokens are bearer credentials: anyone holding the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp authenticates with the same tokens, exposes the same data as the dashboard, and does not create a separate data category.
lawful basis · Performance of contract — Art. 6(1)(b) GDPR
Outbound webhooks (optional, paid plans)
If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.
lawful basis · Performance of contract — Art. 6(1)(b) GDPR
Live threat detection (optional, Unlimited only)
If monitoring is enabled on a verified domain, we periodically capture certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorised us to scan, and the public results of public lookups. No personal data of your end-users is captured. Snapshots older than 7 days are deleted automatically; the most recent baseline for each signal type is retained.
lawful basis · Performance of contract — Art. 6(1)(b) GDPR
Scheduled re-scans (optional, Pro+ only)
If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and the user who enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified — you do not re-attest for each run. Disable at any time at Domains → Schedule.
lawful basis · Performance of contract — Art. 6(1)(b) GDPR
Analytics (optional, consent-gated)
If you grant analytics consent, and analytics is configured for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our own domain) to record anonymous usage — which buttons are clicked, which checks people run, where users drop off in the funnel. We do not send the URLs you scan, evidence content, or personal data into analytics events. Revoke consent at any time via .
lawful basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)
Promo code redemptions
When you redeem a promo code, invite link, or referral code, we store the campaign code, the plan and duration granted, the trial start and end times, the plan you were on before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we do not store the raw IP — the hash exists so we can enforce one-redemption-per-network limits, and rotating the root HMAC key invalidates every stored hash without revealing any of them). Retained for the life of the campaign plus 18 additional months for accounting and fraud investigation, then deleted along with the rest of the campaign record.
lawful basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR
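The two storage patterns described above (API tokens kept as a SHA-256 digest plus an 8-character identification prefix, and redemption IPs kept only as a keyed HMAC-SHA256 value whose root key can be rotated) can be illustrated with a small self-contained Python example. This is an added example, not FixVibe's code: the function names, the constructed key material and the sample token and IP values are all assumptions, and because the page does not say what "network" granularity the redemption limit uses, the example keys the limit on the exact IP string.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed key material for the example only; a real deployment loads the
# root HMAC key from a secret store and rotates it by issuing a new version.
HMAC_ROOT_KEY_V1 = b"constructed-root-key-v1"
HMAC_ROOT_KEY_V2 = b"constructed-root-key-v2"


@dataclass(frozen=True)
class StoredToken:
    """What the database keeps for an API token: never the plaintext."""
    prefix: str       # first 8 plaintext characters, for identification in the UI
    digest_hex: str   # SHA-256 of the full plaintext
    name: str         # label chosen by the user


def create_token(name: str, plaintext: Optional[str] = None) -> Tuple[str, StoredToken]:
    """Mint a bearer token. The plaintext is returned once for display and is
    not part of the stored record; only its prefix and SHA-256 digest persist."""
    if plaintext is None:  # production path: random, URL-safe, prefixed value
        plaintext = "fv_" + secrets.token_urlsafe(32)
    record = StoredToken(
        prefix=plaintext[:8],
        digest_hex=hashlib.sha256(plaintext.encode("utf-8")).hexdigest(),
        name=name,
    )
    return plaintext, record


def verify_token(presented: str, records: List[StoredToken]) -> Optional[StoredToken]:
    """Narrow candidates by prefix, then compare digests in constant time so
    the comparison does not leak how many leading bytes matched."""
    presented_digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    for rec in records:
        if rec.prefix == presented[:8] and hmac.compare_digest(rec.digest_hex, presented_digest):
            return rec
    return None


def pseudonymise_ip(ip: str, root_key: bytes) -> str:
    """Keyed HMAC-SHA256 of the client IP. Unlike a plain hash, the value can
    only be recomputed or matched by someone holding root_key, so rotating the
    key orphans every previously stored value without exposing any address."""
    return hmac.new(root_key, ip.encode("utf-8"), hashlib.sha256).hexdigest()


def redemption_allowed(ip: str, root_key: bytes, seen_hashes: Set[str]) -> bool:
    """Enforce the one-redemption limit: a repeat from the same IP under the
    same key produces the same HMAC and is refused. Mutates seen_hashes."""
    h = pseudonymise_ip(ip, root_key)
    if h in seen_hashes:
        return False
    seen_hashes.add(h)
    return True


if __name__ == "__main__":
    # Token lifecycle: the record holds only prefix + digest.
    plaintext, rec = create_token("ci-pipeline")
    print("show once:", plaintext)
    print("stored   :", rec)
    assert verify_token(plaintext, [rec]) is rec

    # Redemption limit with a constructed documentation IP, then a key rotation.
    seen: Set[str] = set()
    print(redemption_allowed("203.0.113.7", HMAC_ROOT_KEY_V1, seen))  # True
    print(redemption_allowed("203.0.113.7", HMAC_ROOT_KEY_V1, seen))  # False (duplicate)
    print(redemption_allowed("203.0.113.7", HMAC_ROOT_KEY_V2, seen))  # True (old hashes orphaned)
```

The prefix lookup is what lets a support screen show "fv_ab12…" next to a token name without the database ever holding a recoverable secret, and the HMAC construction is what makes the stated key-rotation property hold: after rotation the old column of hashes matches nothing and reveals nothing.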
Contests, leaderboards, and challenges
If you enter a FixVibe Challenge (such as the Security Fix Challenge), we store the contact email you submitted (needed so we can reach you if you win), the Reddit and Product Hunt usernames you optionally submitted, your scan ID and root domain, the project type, the stack, the optional one-thing-I-learned text you submitted, the optional finding-share value you selected, and the three required consent checkboxes you accepted (authorization, legal, contact). If you separately opt into the optional marketing-display consent, we may show your public score, your ranking, your stack, your username, and your submitted text on the FixVibe home page, the challenge page, or a summary post — nowhere else, and never without that opt-in. Challenge entries are retained for the life of the Challenge plus 18 additional months for verification and dispute purposes. You can withdraw the marketing-display consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect processing carried out before the withdrawal.
lawful basis · Performance of contract (running the Challenge) and consent (display) — Art. 6(1)(b) and 6(1)(a) GDPR
What we do NOT collect
- We never sell your data.
- We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
- We do not send your scan target URLs or finding evidence to analytics properties — that data lives only in our database, gated by row-level security.
- We do not share your data with third parties for their own marketing.
Sub-processors
We rely on these sub-processors to run FixVibe:
- Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
- Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
- Upstash, Inc. (USA, via the Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
- PostHog Inc. (USA) — product analytics, only if you grant analytics consent and only if analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
- GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use the GitHub API to read the repositories you start a scan on. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
- Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we do not send marketing email via Resend. Privacy notice: resend.com/legal/privacy-policy.
Transfers of personal data outside the EEA/UK rely on the European Commission Standard Contractual Clauses (or the UK International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described below under “Security”.
We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.
Your rights
Under the GDPR, UK GDPR, and equivalent laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act etc.), you have the right to:
- access a copy of your data (self-serve from Account → Privacy);
- rectify your data;
- erase your data (also self-serve);
- object to processing based on legitimate interests;
- withdraw consent for analytics at any time via ;
- data portability — your export is JSON;
- lodge a complaint with your local supervisory authority (EU/UK/EEA) or an equivalent.
We respond to verifiable rights requests within 30 days. For requests we cannot satisfy via self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.
California residents (CCPA / CPRA)
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics via PostHog runs only after you grant consent in our cookie banner; you can withdraw that consent at any time via , or by clicking Your Privacy Choices in the footer.
If you are a California resident, you also have the right to:
- know what personal information we collect, the sources, the purposes, and the third parties we share it with (all described above);
- request deletion of your personal information (self-serve via Account → Privacy, or by emailing us);
- correct inaccurate personal information;
- limit the use and disclosure of sensitive personal information — we collect none beyond authentication credentials and session metadata, and both are required to deliver the service;
- opt out of sale or sharing — not applicable, because we do neither;
- not be discriminated against for exercising any of the above.
We automatically honor Global Privacy Control (GPC) signals; sending the GPC header causes us to treat your visit as if you had explicitly opted out of any future analytics consent.
Security
We enforce row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.
No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.
Changes to this policy
If we make material changes — new sub-processors, new categories of data, new retention periods — we will update the date above and notify you in-app. Minor wording fixes do not trigger a notification.
Contact
privacy@fixvibe.app — we normally reply within 5 business days, and never later than the 30 days required by GDPR Art. 12(3).
