Faiga fa'avae fa'alenu'u

O FixVibe e faʻatautaia e EGO HERO LLC (“matou”, “i matou”), o le data controller mo personal data o loo faamatalaina i lenei policy. Mo fesili faalilolilo, e aofia ai data subject requests i lalo o GDPR, UK GDPR, po o CCPA, faafesootai privacy@fixvibe.app. Mo isi mea uma, tusi i support@fixvibe.app.

• Faamatalaga o le account

  Tuatusi email, OAuth identifier (pe afai e te saini i totonu ma Google po o GitHub), ma soo se igoa matou te maua mai lau OAuth provider. E faaaoga e authenticate oe ma faafesootai oe e uiga i lau account. E teu a o active lau account. Pe a e delete lau account, e aveese lenei data i totonu o le 30 aso, sei vagana ua manaomia ona matou teuina (faataitaiga, billing records i lalo o tax law).

  faavae faaletulafono · Performance of contract — Art. 6(1)(b) GDPR

• Scan targets ma findings

  URL e te scan, requests matou te faia i na URL, ma findings matou te faia. E teu i lalo o lau organization. Matou te delete otometi records e sili atu ona leva nai lo lau plan retention window: 30 aso (Hobby), 90 aso (Pro), 365 aso (Unlimited). E mafai ona e export pe delete lau scan history i soo se taimi mai Account → Privacy.

  faavae faaletulafono · Performance of contract — Art. 6(1)(b) GDPR

• Anonymous scan sessions

  Afai e te run se scan e aunoa ma le saini i totonu, matou te issue se HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) e iai se opaque random ID. Matou te delete otometi unclaimed anonymous scan records pe a mavae le 24 itula. Afai e te sign up i totonu o le 24-hour window, e migrate lau scan i lau new account. Matou te le iloa po o ai anonymous users sei vagana ua latou sign up.

  faavae faaletulafono · Strictly necessary — ePrivacy Art. 5(3) exemption

• Billing data

  Stripe o la matou payment processor. Latou te teuina au card details i PCI-DSS infrastructure; matou te teuina na o se Stripe customer ID, subscription status, plan, period start/end, ma se tamai idempotency record o webhook events. Vaai i le privacy notice a Stripe i stripe.com/privacy.

  faavae faaletulafono · Performance of contract — Art. 6(1)(b) GDPR

• Server logs ma audit logs

  Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

  faavae faaletulafono · Legitimate interest — Art. 6(1)(f) GDPR

• GitHub integration (filifiliga, na o Pro+)

  Afai e te connect se GitHub account mai Account → Integrations, matou te teuina se encrypted OAuth access token mo lau organization, lau GitHub login + numeric user ID, ma granted scopes. Matou te faaaoga le token na o le faitau repositories e te initiate scans against. Source code e fetched per-scan, processed in memory, ma na o individual finding evidence e persisted (no full source dumps). E deleted i totonu o le 30 aso pe a disconnect.

  faavae faaletulafono · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

• API tokens + MCP server (filifiliga)

  Tokens e te create i Account → API tokens e stored as a SHA-256 hash, the first 8 plaintext characters (for identification), le name na e tuuina atu, faatasi ma created/last-used/revoked timestamps. The plaintext e shown to you exactly once on creation and never persisted. Tokens are bearer credentials: soo se tasi e iai le value e mafai ona read your scans ma start new ones seia e revoke. O le MCP server i /api/mcp e authenticated e tokens lava ia, exposes the same data the dashboard would, ma e le faia se separate data category.

  faavae faaletulafono · Performance of contract — Art. 6(1)(b) GDPR

• Outbound webhooks (optional, paid plans)

  If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

  faavae faaletulafono · Performance of contract — Art. 6(1)(b) GDPR

• Live threat detection (filifiliga, na o Unlimited)

  Afai ua enabled monitoring i se verified domain, matou te capture periodically certificate-transparency log entries, DNS records, ma threat-intel listings (Spamhaus DBL, URLhaus) mo lena domain. O nei snapshots e iai hostnames ua uma ona e authorised matou e scan ma public results o public lookups. E leai se personal data o au end-users e captured. Snapshots older than 7 days e deleted otometi; o le most recent baseline e retained per signal type.

  faavae faaletulafono · Performance of contract — Art. 6(1)(b) GDPR

• Scheduled re-scans (filifiliga, na o Pro+)

  Afai e te enable scheduled scans i se verified domain, matou te record le cadence, last run time, next run time, ma le user na enable le schedule. Each cron-triggered scan inherits the authorization-to-scan attestation na faia ina ua verified muamua le domain — e te le re-attest per run. Disable i soo se taimi i Domains → Schedule.

  faavae faaletulafono · Performance of contract — Art. 6(1)(b) GDPR

• Analytics (filifiliga, consent-gated)

  Afai e te grant analytics consent ma ua configured analytics mo le deployment o loo e faaaogaina, matou te faaaoga se privacy-respecting product-analytics provider (proxied through our own domain) e record anonymous usage — o buttons e kiliki, checks e run e tagata, ma le mea i le funnel e drop off ai users. Matou te le tuu URLs e te scan, evidence content, po o personal data i analytics events. Revoke consent i soo se taimi via Cookie settings.

  faavae faaletulafono · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

• Togiola o le ofo fa'asalalauga

  Pe a e togi se fa'ailoga fa'asalalauga, feso'ota'iga vala'aulia, po o aitalafu fa'asaga, matou te teu le fa'ailoga taamilosaga, le fuafuaga ma le umi na matou tu'uina atu ai, le fa'ailoga taimi amata ma le fa'ai'u o le fa'ata'ita'iga, le fuafuaga na e umia a o le'i o'o le fa'ata'ita'iga, ma se hash HMAC-SHA256 o lau IP i le taimi o le togi (matou te le teuina lava le IP matua — o le hash e iai na o le mea matou te fa'amalosia ai le tapula'a togi-tasi-i-le-feso'ota'iga, ma o le fesuiaiga o le ki HMAC i lalo e fa'aleaogaina ai uma hash ua teuina e aunoa ma le fa'aalia o se tasi). Tausia mo le ola o le taamilosaga fa'aopoopo le 18 masina mo fa'amoemoega o le tausi tupe ma su'esu'ega o le pepelo, ona tape lea ma le isi vaega o le fa'amaumauga o le taamilosaga.

  faavae faaletulafono · Manaoga aloa'ia (puipuiga pepelo, tausi tupe) — Mata. 6(1)(f) GDPR

• Tauvaga, taliga'aitu, ma lu'i

  Afai e te ulufale i se Lu'i FixVibe (e pei o le Lu'i Su'esu'ega Mua'i Puipuiga), matou te teu le imeli fa'afeso'ota'i e te tu'uina atu (e mana'omia ina ia mafai ona matou o'o atu ia te oe pe afai e te manumalo), igoa fa'aoga Reddit ma Product Hunt e te tu'uina atu filifili, lau ID o le su'esu'ega ma le domain a'a, le ituaiga polokalama na e ta'utino, ta'avale, ma le tasi-mea-na-ou-a'oa'oina tusitusiga e te tu'uina atu filifili, le tau o le feso'ota'iga-fa'aaliga e te filifilia filifili, ma pusa siaki tolu mana'omia e te talia (fa'atagaga, tulafono, fa'afeso'ota'i). Afai e te siakia fa'aeseese le filifili sulu-i-fa'asalalauga fa'atagaga, e mafai ona matou fa'aalia lou togi lautele, fa'ailoga, ta'avale, igoa fa'aoga, ma le upu na tu'uina atu i luga o le itulau o le aiga FixVibe, itulau lu'i, po o le lipoti toe tepa — e leai lava se isi vaega, ma e leai lava se filifiliga. Tausia ulufale Lu'i mo le ola o le Lu'i fa'aopoopo le 18 masina mo fa'amaoniga ma fa'amoemoega o feeseesea'iga. E mafai ona e toe ave le fa'atagaga sulu-i-fa'asalalauga i so'o se taimi e ala i le imeli atu i le privacy@fixvibe.app; o le toe aveina e le aafia ai le fa'agaioiina aloa'ia a o le'i toe ave.

  faavae faaletulafono · Fa'aaogaina o fefa'atauaiga (tamo'e o le Lu'i) ma fa'atagaga (sulu) — Mata. 6(1)(b) ma 6(1)(a) GDPR

• Matou te le faatauina lava au data.
• Matou te le embed third-party ad-tech, fingerprinting, po o session-replay scripts.
• Matou te le tuu lau scan target URLs po o finding evidence i analytics properties — o lena data e ola na o la matou database, gated by row-level security.
• Matou te le share au data ma third parties mo a latou lava marketing.

Matou te faalagolago i sub-processors nei e run FixVibe:

• Vercel Inc. (USA) — application hosting ma edge network. Privacy notice: vercel.com/legal/privacy-policy.
• Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. O le FixVibe production database o loo i le AWS us-east-1 region. Privacy notice: supabase.com/privacy.
• Stripe Inc. (USA) — payment processing mo paid plans. Privacy notice: stripe.com/privacy.
• Upstash, Inc. (USA, via the Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
• PostHog Inc. (USA) — product analytics, only if you grant analytics consent and only when analytics is configured for the deployment you are using. Privacy notice: posthog.com/privacy.
• GitHub, Inc. (USA) — only if you connect the optional GitHub integration. Matou te faaaoga GitHub API e read repositories e te initiate scans against. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
• Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; matou te le send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission Standard Contractual Clauses (or the UK International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described in “Security” below.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

I lalo o GDPR, UK GDPR, ma equivalent laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act etc.), e iai lau right to:

• access se copy o au data (e mafai ona e faia self-serve mai Account → Privacy);
• faasaʻo lau data;
• tape lau data (e mafai foi self-serve);
• tetee i processing based on legitimate interests;
• withdraw consent for analytics at any time via Cookie settings;
• data portability — your export is in JSON;
• lodge a complaint with your local supervisory authority (EU/UK/EEA) or equivalent.

Matou te respond to verifiable rights requests within 30 days. For requests we cannot satisfy via self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with subject line “Privacy request”.

Matou te le sell your personal information. Matou te le share personal information for cross-context behavioral advertising. Analytics through PostHog only runs after you grant consent in our cookie banner; you can withdraw that consent at any time via Cookie settings or by clicking Your Privacy Choices in the footer.

Afai o oe o se California resident, e iai foi lau right to:

• know what personal information we collect, the sources, the purposes, and any third parties with which we share it (all detailed above);
• request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
• correct inaccurate personal information;
• limit the use and disclosure of sensitive personal information — we collect none beyond authentication credentials and session metadata, both of which are required to provide the service;
• opt out of sale or sharing — not applicable since we do neither;
• not be discriminated against for exercising any of the above.

Matou te honor Global Privacy Control (GPC) signals automatically; sending a GPC header treats your visit as if you had explicitly opted out of any future analytics consent.

We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

E leai se security program e perfect. Afai e te believe ua e found a vulnerability in FixVibe, please report it to support@fixvibe.app.

Afai matou te faia material changes — new sub-processors, new categories of data, new retention periods — matou te update le date i luga ma notify oe in-app. Minor wording fixes do not trigger a notification.

privacy@fixvibe.app — replies usually within 5 business days, never longer than 30 days as required by GDPR Art. 12(3).