FixVibe

// privacy

Privacy Policy

Last updated · 2026-05-17

Who we are

FixVibe is operated by EGO HERO LLC (“we”, “us”), the data controller for the personal data described in this policy. For privacy questions, including data subject requests under the GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For everything else, write to support@fixvibe.app.

What we collect, why, and how long we keep it

  • Account data

    Your email address, your OAuth identifier (if you sign in with Google or GitHub), and any name we receive from the OAuth provider. Used to authenticate you and to contact you about your account. Kept while your account is active. When you delete your account, this data is removed within 30 days unless we are legally required to keep it (for example, billing records under tax law).

    Legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scan targets and results

    The URLs you scan, the requests we make to those URLs, and the findings we generate. Stored scoped to your organization. Records older than your plan's retention window are deleted automatically: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.

    Legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Anonymous scan sessions

    If you run a scan without signing in, we set an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) that carries an opaque random ID. Unclaimed anonymous scan records are deleted automatically after 24 hours. If you sign up within that 24-hour window, your scans move to your new account. We do not know who anonymous users are unless they sign up.

    Legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption
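The cookie described above is a signed, not encrypted, token: the payload is readable by the browser, but the server-held HMAC key means the visitor cannot alter the session ID or extend the 24-hour expiry. The following is an added example written for this page, not FixVibe's own code. The cookie name and lifetime come from the policy text; the payload layout (JSON with an opaque `sid` and an `exp` timestamp), the `base64url(payload).base64url(tag)` encoding, and the key material are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Name and lifetime follow the policy text; the key is an assumption for this
# example (a real deployment loads a persistent key from a secret manager).
COOKIE_NAME = "fixvibe_anon_session"
LIFETIME_SECONDS = 24 * 60 * 60
COOKIE_KEY = secrets.token_bytes(32)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes, key: bytes = COOKIE_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_anon_cookie(now: Optional[float] = None, key: bytes = COOKIE_KEY) -> str:
    """Build the cookie value: b64url(payload) '.' b64url(HMAC-SHA256(payload)).

    The payload holds only a random session ID and an expiry, so the cookie
    identifies a browser session, never a person.
    """
    now = time.time() if now is None else now
    claims = {"sid": secrets.token_urlsafe(16), "exp": int(now) + LIFETIME_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{b64url_encode(payload)}.{b64url_encode(sign(payload, key))}"


def verify_anon_cookie(value: str, now: Optional[float] = None,
                       key: bytes = COOKIE_KEY) -> Optional[str]:
    """Return the session ID if the tag verifies and the cookie is unexpired, else None.

    The MAC is checked before the payload is parsed, and with compare_digest so a
    forger learns nothing from response timing.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = value.split(".", 1)
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(tag, sign(payload, key)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sid"), str):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims["sid"]


def forge_expiry(value: str, extra_seconds: int) -> str:
    """What a client without the key can attempt: edit the readable payload and
    reuse the old tag. verify_anon_cookie must reject the result."""
    payload_b64, tag_b64 = value.split(".", 1)
    claims = json.loads(b64url_decode(payload_b64))
    claims["exp"] += extra_seconds
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{b64url_encode(payload)}.{tag_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    cookie = issue_anon_cookie(now=t0)
    print(f"Set-Cookie: {COOKIE_NAME}={cookie}; Max-Age={LIFETIME_SECONDS}; "
          "Secure; HttpOnly; SameSite=Lax")
    print("valid now:    ", verify_anon_cookie(cookie, now=t0 + 60) is not None)
    print("after 24h:    ", verify_anon_cookie(cookie, now=t0 + LIFETIME_SECONDS) is not None)
    print("forged expiry:", verify_anon_cookie(forge_expiry(cookie, 3600), now=t0) is not None)
```

The server-side expiry in the payload is what actually bounds the session; the `Max-Age` attribute only tells a well-behaved browser when to drop the cookie, and an attacker replaying an old value ignores it.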

  • Billing data

    Stripe is our payment processor. Stripe stores your card details on its PCI-DSS infrastructure; we keep only your Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record for webhook events. See Stripe's privacy notice at stripe.com/privacy.

    Legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Server logs and audit logs

    Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

    Legal basis · Legitimate interest — Art. 6(1)(f) GDPR

  • GitHub integration (optional, Pro+ only)

    If you connect a GitHub account from Account → Integrations, we store for your organization an encrypted OAuth access token, your GitHub login and numeric user ID, and the granted scopes. We use the token only to read the repositories you start scans for. Source code is fetched per scan and processed in memory; only the evidence attached to individual findings is retained (no full source dumps). These records are deleted within 30 days of disconnecting.

    Legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

  • API tokens + MCP server (optional)

    Tokens you create from Account → API tokens are stored as a SHA-256 hash together with the first 8 plaintext characters (for identification), the name you gave the token, and created/last-used/revoked timestamps. The plaintext is shown to you once, at creation, and is never persisted. Tokens are bearer credentials: anyone holding the value can read your scans and start new scans until you revoke it. The MCP server at /api/mcp authenticates with the same tokens, exposes the same data the dashboard shows, and creates no separate data category.

    Legal basis · Performance of contract — Art. 6(1)(b) GDPR
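The token scheme above (hash at rest, short plaintext prefix as the lookup key, plaintext shown once) is what makes a leaked database less valuable than a leaked token. Below is an added example of that lifecycle, written for this page and not taken from FixVibe. The `fv_` token marker, the in-memory table, and the field names are assumptions; only the SHA-256 hash, 8-character prefix, name, and timestamps come from the policy text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PREFIX_LEN = 8  # plaintext characters kept for identification, per the policy text


@dataclass
class TokenRecord:
    """What the database holds. There is deliberately no plaintext field."""
    token_id: str
    name: str
    prefix: str          # first PREFIX_LEN chars of the plaintext, shown in the dashboard
    sha256_hex: str      # SHA-256 of the full plaintext
    created_at: int
    last_used_at: Optional[int] = None
    revoked_at: Optional[int] = None


class TokenStore:
    """In-memory stand-in for an API-token table (assumed shape, not FixVibe's schema)."""

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(plaintext: str) -> str:
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def create(self, name: str, now: int) -> Tuple[str, str]:
        """Mint a token. Returns (token_id, plaintext). The plaintext is the only
        copy that will ever exist: the caller shows it once and discards it."""
        plaintext = "fv_" + secrets.token_urlsafe(32)  # the "fv_" marker is an assumption
        token_id = secrets.token_hex(8)
        self._rows[token_id] = TokenRecord(
            token_id=token_id, name=name, prefix=plaintext[:PREFIX_LEN],
            sha256_hex=self._digest(plaintext), created_at=now,
        )
        return token_id, plaintext

    def authenticate(self, presented: str, now: int) -> Optional[TokenRecord]:
        """Resolve a bearer token: narrow by the (non-secret) prefix, then compare
        hashes in constant time. A revoked token fails exactly like an unknown one."""
        digest = self._digest(presented)
        for rec in self._rows.values():
            if rec.prefix != presented[:PREFIX_LEN]:
                continue
            if hmac.compare_digest(rec.sha256_hex, digest) and rec.revoked_at is None:
                rec.last_used_at = now
                return rec
        return None

    def revoke(self, token_id: str, now: int) -> bool:
        rec = self._rows.get(token_id)
        if rec is None or rec.revoked_at is not None:
            return False
        rec.revoked_at = now
        return True

    def rows(self) -> List[TokenRecord]:
        """Everything that is persisted; handy for checking that no plaintext leaked."""
        return list(self._rows.values())


if __name__ == "__main__":
    store = TokenStore()
    token_id, plaintext = store.create("ci-scanner", now=1_700_000_000)
    print("show once to the user:", plaintext)
    print("dashboard shows:      ", plaintext[:PREFIX_LEN] + "...")
    print("auth ok:              ", store.authenticate(plaintext, now=1_700_000_100) is not None)
    store.revoke(token_id, now=1_700_000_200)
    print("auth after revoke:    ", store.authenticate(plaintext, now=1_700_000_300))
```

SHA-256 without a salt or work factor is appropriate here because the token is 32 bytes of CSPRNG output, not a human-chosen password; a dictionary attack on the stored hash has nothing to enumerate.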

  • Outbound webhooks (optional, paid plans)

    If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

    Legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Live threat detection (optional, Unlimited only)

    If enabled on a verified domain, we periodically fetch certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the public results of public lookups. No personal data about your end users is collected. Snapshots older than 7 days are deleted automatically; the most recent baseline for each signal type is retained.

    Legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scheduled re-scans (optional, Pro+ only)

    If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and which user enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation made when the domain was first verified; you are not asked to re-attest for each run. Disable it at any time from Domains → Schedule.

    Legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Analytics (optional, consent-gated)

    If you have given analytics consent and analytics is configured for the deployment you use, we use a privacy-respecting product-analytics provider (proxied through our domain) to record anonymous usage: which buttons are clicked, which checks people run, where users drop off in the funnel. We never put the URLs you scan, evidence content, or personal data into analytics events. You can withdraw consent at any time.

    Legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

  • Promo code redemptions

    When you redeem a promo code, invite link, or trial offer, we store the promo code, the plan and duration we granted you, the trial start and end timestamps, the plan you held before the trial, and an HMAC-SHA256 hash of your IP address at redemption time. We never store the raw IP: the hash exists only to enforce one-redemption-per-network limits, and rotating the underlying HMAC key makes every stored hash unlinkable without exposing anyone. These records are retained for the lifetime of the promotion plus 18 months for accounting and fraud-investigation purposes, then deleted together with the other promotion records.

    Legal basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR
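Keyed hashing is what lets the redemption check work without the table ever containing an address: a plain SHA-256 of an IPv4 address is trivially reversible by hashing all four billion candidates, whereas an HMAC with a server-held key is not, and discarding the key detaches every stored value from its origin. The example below is added for this page and is not FixVibe's code. The policy says "per network" without giving a prefix length, so the /24 (IPv4) and /64 (IPv6) widths, the class layout, and the sample addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Set


class RedemptionGuard:
    """Enforce one promo redemption per network without storing any IP address.

    Only HMAC-SHA256(key, network) is kept. The key never leaves the server, so
    whoever holds just the table cannot map a value back to an address, and
    rotating the key detaches every stored value from the network it came from.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen: Dict[str, Set[str]] = {}  # promo code -> pseudonyms that redeemed it

    @staticmethod
    def network_of(ip: str) -> str:
        """Collapse an address to its network. The /24 and /64 widths are an assumption
        about what "per network" means; the policy does not state a prefix length."""
        addr = ipaddress.ip_address(ip)
        width = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{width}", strict=False))

    def pseudonym(self, ip: str) -> str:
        """Keyed, non-reversible stand-in for the network. Same network, same value,
        as long as the key is unchanged."""
        return hmac.new(self._key, self.network_of(ip).encode(), hashlib.sha256).hexdigest()

    def redeem(self, code: str, ip: str) -> bool:
        """Record the redemption and return True, or return False if this network has
        already redeemed `code`. The address itself is dropped on return."""
        seen = self._seen.setdefault(code, set())
        p = self.pseudonym(ip)
        if p in seen:
            return False
        seen.add(p)
        return True

    def rotate_key(self, new_key: bytes) -> None:
        """Swap the HMAC key. Stored pseudonyms remain for accounting but no longer
        match anything, so the per-network limit effectively restarts."""
        self._key = new_key

    def stored(self) -> List[str]:
        """Everything persisted about redeemers: hex digests only."""
        return sorted(p for s in self._seen.values() for p in s)


if __name__ == "__main__":
    guard = RedemptionGuard(key=b"k" * 32)  # constructed key for the demo
    # Constructed sample redemptions from documentation address ranges.
    print(guard.redeem("LAUNCH50", "203.0.113.10"))    # True
    print(guard.redeem("LAUNCH50", "203.0.113.77"))    # False: same /24
    print(guard.redeem("LAUNCH50", "198.51.100.5"))    # True
    print(guard.stored()[0])                           # a 64-char hex digest, no address
    guard.rotate_key(b"n" * 32)
    print(guard.redeem("LAUNCH50", "203.0.113.10"))    # True: old hashes are now unlinkable
```

The rotation behaviour is the trade-off the policy is pointing at: it is a privacy control (old records become unlinkable), but it also means anyone who redeemed before the rotation can redeem again, so rotation is scheduled rather than routine.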

  • Contests, sweepstakes, and challenges

    If you enter a FixVibe challenge (such as the Security Preflight Challenge), we store the contact email you enter (needed so we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and root domain, the optional self-reported project type, stack, and one-thing-I-learned text, the optional build-path choice you select, and the three required consent checkboxes you accept (consent, rules, contact). If you separately opt in to public sharing, we may publish your public score and grade, stack, username, and the quote you submitted on the FixVibe homepage, the challenge page, or later posts; never any other field, and never without that opt-in. Challenge entries are retained for the lifetime of the challenge plus 18 months for verification and dispute purposes. You can withdraw the public-sharing consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect processing that was lawful before it.

    Legal basis · Performance of contract (running the challenge) and consent (publication) — Art. 6(1)(b) and 6(1)(a) GDPR

What we do not collect

  • We never sell your data.
  • We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
  • We do not put your scan target URLs or finding evidence into analytics properties; that data lives only in our database, gated by row-level security.
  • We do not share your data with third parties for their own marketing purposes.

Sub-processors

To operate FixVibe we rely on the following sub-processors:

  • Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
  • Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
  • Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
  • Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
  • PostHog Inc. (USA) — product analytics, only if you have given analytics consent and analytics is configured for the deployment you use. Privacy notice: posthog.com/privacy.
  • GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use the GitHub API to read the repositories you start scans for. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
  • Resend, Inc. (USA) — transactional email delivery. Receives your email address and the message body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described under “Security” below.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Your rights

Under the GDPR, UK GDPR, and comparable laws (CCPA/CPRA, LGPD, PIPEDA, the Australian Privacy Act, and others), you have the right to:

  • obtain a copy of your data (self-serve from Account → Privacy);
  • have your data corrected;
  • have your data deleted (also self-serve);
  • object to processing based on legitimate interests;
  • withdraw analytics consent at any time;
  • data portability; your export is JSON;
  • lodge a complaint with your local supervisory authority (EU/UK/EEA) or an equivalent body.

We respond to verifiable rights requests within 30 days. For requests we cannot fulfil self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.

California residents (CCPA / CPRA)

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics via PostHog runs only after you give consent in our cookie banner; you can withdraw that consent at any time, including by clicking your privacy choices in the footer.

If you are a California resident, you additionally have the right to:

  • know what personal information we collect, its sources, the purposes, and the third parties we share it with (all listed above);
  • request deletion of your personal information (self-serve via Account → Privacy, or by emailing us);
  • correct inaccurate personal information;
  • limit the use and disclosure of sensitive personal information; we collect none beyond authentication credentials and session metadata, both of which are necessary to provide the service;
  • opt out of sale or sharing; not applicable, because we do neither;
  • not be discriminated against for exercising the rights above.

We honor Global Privacy Control (GPC) signals automatically; a browser sending the GPC header is treated as having explicitly opted out of analytics consent for that visit.

Security

We enforce row-level security on every database table, so users see only records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only in the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.

Changes to this policy

If we make material changes (new sub-processors, new categories of data, new retention periods), we will update the date above and notify you in-app. Minor wording fixes do not trigger a notification.

Contact

privacy@fixvibe.app — replies usually within 5 business days, and never later than the 30 days required by GDPR Art. 12(3).
