// privacy
Privacy Policy
last updated · 2026-05-17
Who we are
FixVibe is operated by EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data subject requests under GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.
What we collect, why, and how long we keep it
Account data
Email address, OAuth identifier (if you sign in with Google or GitHub), and whatever name we receive from your OAuth provider. We use it to authenticate you and to communicate with you about your account. It is retained while your account is active. When you delete your account, this data is removed within 30 days, except where the law requires us to keep it (for example, billing records under tax law).
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scan targets and findings
The URLs you scan, the requests we make to those URLs, and the findings we generate. Stored with your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Anonymous scan sessions
If you run a scan without signing in, we give you an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) holding an opaque random ID. We automatically delete unclaimed anonymous scan records after 24 hours. If you sign up within the 24-hour window, your scan migrates to your new account. If anonymous users do not sign up, we do not know who they are.
legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption
Billing data
Stripe is our payment processor. They store your card details in PCI-DSS infrastructure; we store only the Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record for webhook events. See the Stripe privacy notice at stripe.com/privacy.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Server logs and audit logs
Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.
legal basis · Legitimate interest — Art. 6(1)(f) GDPR
GitHub integration (optional, Pro+ only)
If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. The token is used only to read the repositories you initiate scans on. Source code is fetched per scan, processed in memory, and only individual finding evidence is persisted (no full source dumps). Deleted within 30 days after disconnect.
legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR
API tokens + MCP server (optional)
Tokens you create under Account → API tokens are stored as a SHA-256 hash, together with the first 8 plaintext characters (for identification), the name you give the token, and created/last-used/revoked timestamps. The plaintext is shown to you only once, at creation, and is never persisted. Tokens are bearer credentials: anyone holding the value can read your scans and start new scans until you revoke it. The MCP server at /api/mcp is authenticated with the same tokens and exposes the same data the dashboard would show; it creates no new data category.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Outbound webhooks (optional, paid plans)
If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Live threat detection (optional, Unlimited only)
When monitoring is enabled on a verified domain, we periodically capture certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain the hostnames you previously authorised us to scan and the public results of public lookups. No personal data of your end-users is captured. Snapshots older than 7 days are automatically deleted; the most recent baseline for each signal type is kept.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scheduled re-scans (optional, Pro+ only)
If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and the user who enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified — you do not need to attest again for each run. You can disable it at any time under Domains → Schedule.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Analytics (optional, consent-gated)
If you give analytics consent, and analytics is configured for the deployment you are using, we use a privacy-respecting product-analytics provider (proxied through our own domain) to record anonymous usage — which buttons are clicked, which checks people run, where users drop off in the funnel. We do not put the URLs you scan, evidence content, or personal data into analytics events. You can revoke consent at any time.
legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)
Promotional offer redemption
When you redeem a promo code, invitation link, or referral credit, we store the campaign code, the plan and duration we granted, the trial start and end timestamps, the plan you held before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we never store the raw IP — the hash exists only so that we can enforce one-redemption-per-network limits, and rotating the underlying HMAC key invalidates all stored hashes without exposing anyone). Retained for the life of the campaign plus 18 months for accounting and fraud-investigation purposes, then deleted together with the campaign record.
legal basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR
Contests, sweepstakes, and challenges
When you enter a FixVibe Challenge (such as the Security Preflight Challenge), we store the contact email you submit (required so we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and root domain, the self-reported project type, stack, and one-thing-I-learned text you optionally provide, the discovery-channel value you optionally select, and the three required consent checkboxes you accepted (authorization, rules, contact). If you tick the optional featured-on-marketing consent, we may display your public score, grade, stack, username, and submitted quote on the FixVibe homepage, the Challenge page, or a recap post — never any other field, and never without that opt-in. Challenge entries are retained for the life of the Challenge plus 18 months for verification and dispute purposes. You can withdraw the featured-on-marketing consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
legal basis · Performance of contract (running the Challenge) and consent (featuring) — Art. 6(1)(b) and 6(1)(a) GDPR
What we don't collect
- We never sell your data.
- We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
- We do not put your scan target URLs or finding evidence into analytics properties — that data lives only in our database, gated by row-level security.
- We do not share your data with third parties for their own marketing.
Sub-processors
We rely on the following sub-processors to run FixVibe:
- Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
- Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
- Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
- PostHog Inc. (USA) — product analytics, only if you give analytics consent and only when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
- GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use the GitHub API to read the repositories you initiate scans on. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
- Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend stores delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.
Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described under “Security” below.
We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.
Your rights
Under GDPR, UK GDPR, and similar laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act etc.), you have the right to:
- access a copy of your data (you can self-serve from Account → Privacy);
- have your data corrected;
- have your data deleted (also self-serve);
- object to processing that rests on legitimate interests;
- withdraw analytics consent at any time;
- data portability — your export is in JSON;
- lodge a complaint with your local supervisory authority (EU/UK/EEA) or an equivalent authority.
We respond to verifiable rights requests within 30 days. For requests we cannot fulfil through self-serve (rectification of fields we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.
California residents (CCPA / CPRA)
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics via PostHog runs only after you give consent in our cookie banner; you can withdraw that consent at any time, including by clicking Your Privacy Choices in the footer.
If you are a California resident, you also have the right to:
- know what personal information we have collected, the sources, the purposes, and which third parties we have shared it with (all detailed above);
- request deletion of your personal information (self-serve from Account → Privacy or by emailing us);
- correct inaccurate personal information;
- limit the use and disclosure of sensitive personal information — we collect nothing beyond authentication credentials and session metadata, both of which are necessary to provide the service;
- opt out of sale or sharing — not applicable, since we do neither;
- not be discriminated against for exercising any of the rights above.
We automatically honor Global Privacy Control (GPC) signals; sending the GPC header causes your visit to be treated as clearly opted out of analytics consent going forward.
Security
We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.
No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.
Changes to this policy
When we make material changes — new sub-processors, new data categories, new retention periods — we will update the date above and notify you in-app. Small wording fixes do not trigger a notification.
Contact
privacy@fixvibe.app — replies usually arrive within 5 business days, and never later than the 30 days required by GDPR Art. 12(3).
