FixVibe

// privacy

Privacy Policy

last updated · 2026-05-17

Who we are

FixVibe is operated by EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data subject requests under GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For everything else, write to support@fixvibe.app.

What we collect, why, and how long we keep it

  • Account data

    Email address, OAuth identifier (if you signed in with Google or GitHub), and any name we receive from your OAuth provider. We use it to authenticate you and to contact you about your account. It is kept for as long as your account is active. If you delete your account, this data is deleted within 30 days, except where we are required to keep it (e.g., billing records under tax law).

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scan targets and findings

    The URLs you scan, the requests we make to that URL, and the findings we generate. These are stored under your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Anonymous scan sessions

    If you run a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) containing an opaque random ID. We automatically delete unclaimed anonymous scan records after 24 hours. If you sign up within 24 hours, your scan is moved to your new account. We do not know who anonymous users are unless they sign up.

    legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption

  • Billing data

    Stripe is our payment processor. They store your card details on PCI-DSS infrastructure; we store only the Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Server logs and audit logs

    Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

    legal basis · Legitimate interest — Art. 6(1)(f) GDPR

  • GitHub integration (optional, Pro+ only)

    If you connect a GitHub account from Account → Integrations, we store your organization's encrypted OAuth access token, your GitHub login + numeric user ID, and the scopes granted. We use the token only to read the repositories you start scans on. Source code is fetched per scan and processed in memory; only individual finding evidence is stored (no full source dumps). It is deleted within 30 days after disconnect.

    legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

  • API tokens + MCP server (optional)

    Tokens you create under Account → API tokens are stored as a SHA-256 hash, together with the first 8 plaintext characters (for identification), the name you gave, and created/last-used/revoked timestamps. The plaintext is shown to you only once, at creation, and is not stored. Tokens are bearer credentials: anyone who holds the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp is authenticated with these same tokens and exposes the same data the dashboard shows; it does not create a separate data category.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Outbound webhooks (optional, paid plans)

    If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Live threat detection (optional, Unlimited only)

    If monitoring is enabled on a verified domain, we periodically capture certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the public results of public lookups. No personal data of your end users is captured. Snapshots older than 7 days are automatically deleted; the latest baseline is retained for each signal type.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scheduled re-scans (optional, Pro+ only)

    If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and the user who enabled the schedule. Every cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified — you do not re-attest for each run. You can disable it at any time under Domains → Schedule.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Analytics (optional, consent-gated)

    If you give analytics consent and analytics is configured on the deployment you are using, we record anonymous usage through a privacy-respecting product-analytics provider (proxied through our own domain) — which buttons are clicked, which checks people run, where users drop out of the funnel. We do not include the URLs you scan, evidence content, or personal data in analytics events. You can revoke consent at any time.

    legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

  • Promotional offer redemptions

    When you redeem a promo code, invite link, or referral credit, we retain the campaign code, the plan and duration granted, the trial start and end timestamps, the plan you had before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we never retain the raw IP — the hash exists only so that we can enforce a one-redemption-per-network limit, and rotating the underlying HMAC key destroys all stored hashes without exposing anyone). This is retained for the life of the campaign plus 18 months for accounting and fraud investigation, then deleted together with the campaign record.

    legal basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR

  • Contests, sweepstakes, and challenges

    If you enter a FixVibe Challenge (such as the Security Preflight Challenge), we retain the contact email you provided (needed so that we can contact you if you win), the Reddit and Product Hunt usernames you optionally provided, your scan ID and root domain, the self-reported project type, stack, and one-thing-I-learned text you optionally provided, the line-access value you optionally selected, and the three required confirmation checkboxes you accepted (consent, rules, contact). If you ticked the optional additional consent to be featured on marketing pages, we may display the public score, rank, stack, username, and image you submitted on a FixVibe history page, the challenge page, or a recap post — never any other field, and never without that consent. Challenge records are retained for the life of the Challenge plus 18 months for verification and disputes. You can withdraw the featured-on-marketing-pages consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect the lawfulness of processing before the withdrawal.

    legal basis · Performance of contract (running the Challenge) and consent (featuring) — Art. 6(1)(b) and 6(1)(a) GDPR

What we do NOT collect

  • We never sell your data.
  • We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
  • We do not put your scan target URLs or finding evidence into analytics properties — that data lives only in our database, protected by row-level security.
  • We do not share your data with third parties for their own marketing.

Sub-processors

We rely on the following sub-processors to operate FixVibe:

  • Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
  • Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database region is AWS us-east-1. Privacy notice: supabase.com/privacy.
  • Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
  • Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
  • PostHog Inc. (USA) — product analytics, only if you give analytics consent and only when analytics is configured on the deployment you are using. Privacy notice: posthog.com/privacy.
  • GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use the GitHub API to read the repositories you start scans on. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
  • Resend, Inc. (USA) — transactional email delivery. It receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we do not send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission’s Standard Contractual Clauses (or the UK’s International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described under “Security” below.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Your rights

Under GDPR, UK GDPR, and similar laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, etc.), you have the right to:

  • obtain a copy of your data (you can self-serve this from Account → Privacy);
  • have your data corrected;
  • have your data deleted (also self-serve);
  • object to processing based on legitimate interests;
  • withdraw analytics consent at any time;
  • data portability — your export is in JSON;
  • lodge a complaint with your local supervisory authority (EU/UK/EEA) or equivalent.

We respond to verifiable rights requests within 30 days. For requests you cannot complete through self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.

California residents (CCPA / CPRA)

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics through PostHog runs only after you give consent in our cookie banner; you can withdraw that consent at any time, or by clicking Your Privacy Choices in the footer.

If you are a California resident, you additionally have the right to:

  • know the personal information we collect, its sources, its purposes, and any third parties we share it with (all described above);
  • request deletion of your personal information (self-serve from Account → Privacy or by emailing us);
  • correct inaccurate personal information;
  • limit the use and disclosure of sensitive personal information — we collect nothing beyond the authentication credentials and session metadata needed to provide the service;
  • opt out of sale or sharing — not applicable, because we do neither;
  • not be discriminated against for exercising any of the rights above.

We automatically honor Global Privacy Control (GPC) signals; when you send the GPC header, we treat your visit as if you had explicitly opted out of any future analytics consent.

Security

We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

No security program is complete. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.

Changes to this policy

If we make material changes — new sub-processors, new data categories, new retention periods — we update the date above and notify you in-app. Minor wording fixes do not trigger a notification.

Contact

privacy@fixvibe.app — replies usually within 5 business days, and no later than 30 days as required by GDPR Art. 12(3).
