Privacy Policy
Last updated · 2026-05-17
Who we are
FixVibe is operated by EGO HERO LLC (“we”, “us”), the controller of the personal data described in this policy. For privacy questions, including data subject requests under the GDPR, UK GDPR, or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.
What we collect, why, and how long we keep it
Account data
Email address, OAuth identifier (if you sign in with Google or GitHub), and any display name we receive from your OAuth provider. Used to authenticate you and to communicate with you about your account. Retained while your account is active. When you delete your account, this data is removed within 30 days, except where we are required to retain it (such as billing records under tax law).
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scan targets and findings
The URLs you scan, the requests we make to those URLs, and the findings we produce. Stored against your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time from Account → Privacy.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Anonymous scan sessions
If you run a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) that holds an opaque random ID. We automatically delete anonymous scan records that are not claimed within 24 hours. If you register within the 24-hour window, your scan is moved to your new account. We do not know who anonymous users are unless they register.
legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption
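The anonymous-session cookie described above is an HMAC-signed value that carries nothing but a random ID and an expiry. The following is an added illustration of that pattern, not FixVibe's own code: the cookie name and 24-hour lifetime come from the policy, while the key, the value layout (id.expiry.mac) and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side signing key. In production this comes from a secrets manager,
# never from source; the value here is a constructed placeholder.
COOKIE_KEY = b"example-key-not-for-production"
COOKIE_NAME = "fixvibe_anon_session"          # name stated in the policy
COOKIE_TTL_SECONDS = 24 * 60 * 60             # 24-hour lifetime stated in the policy


def _sign(payload: bytes) -> str:
    mac = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_cookie(now: Optional[int] = None) -> str:
    """Return a cookie value of the form <random id>.<expiry>.<hmac>.

    The id is opaque: nothing about the visitor is encoded in it, so the
    server cannot learn who the anonymous user is from the cookie alone.
    """
    now = int(time.time()) if now is None else now
    anon_id = secrets.token_urlsafe(16)       # urlsafe alphabet never contains "."
    expires = now + COOKIE_TTL_SECONDS
    payload = f"{anon_id}.{expires}".encode()
    return f"{anon_id}.{expires}.{_sign(payload)}"


def verify_cookie(value: str, now: Optional[int] = None) -> Optional[str]:
    """Return the anonymous id if the MAC is valid and the cookie is unexpired.

    Any change to the id or the expiry field breaks the MAC, so a client
    cannot extend its own session or impersonate another anonymous session.
    """
    now = int(time.time()) if now is None else now
    try:
        anon_id, expires_s, sig = value.rsplit(".", 2)
        expires = int(expires_s)
    except ValueError:
        return None                            # malformed cookie
    expected = _sign(f"{anon_id}.{expires}".encode())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if now >= expires:
        return None                            # past the 24-hour window
    return anon_id


if __name__ == "__main__":
    c = issue_cookie()
    print(f"Set-Cookie: {COOKIE_NAME}={c}; HttpOnly; Secure; SameSite=Lax")
    print("verified id:", verify_cookie(c))
```

The expiry is checked only after the MAC verifies, so an attacker cannot probe the expiry parser with unsigned input; the `HttpOnly`, `Secure` and `SameSite` attributes in the usage line are the normal hardening for a cookie of this kind.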
Billing data
Stripe is our payment processor. They hold your card details on PCI-DSS infrastructure; we store only a Stripe customer ID, subscription status, plan, period start/end, and a minimal idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Server logs and audit logs
Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.
legal basis · Legitimate interests — Art. 6(1)(f) GDPR
GitHub integration (optional, Pro+ only)
If you connect a GitHub account from Account → Integrations, we store an encrypted OAuth access token for your organization, your GitHub login + numeric user ID, and the granted scopes. We use the token only to read the repositories you start scans against. Source code is fetched for each scan, processed in memory, and only the evidence for each finding is persisted (no full source dumps). Deleted within 30 days after disconnect.
legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR
API tokens + MCP server (optional)
Tokens you create in Account → API tokens are stored as a SHA-256 hash, the first 8 plaintext characters (for identification), the name you gave them, plus created/last-used/revoked timestamps. The plaintext is shown to you once at creation and is not persisted. Tokens are bearer credentials: anyone who holds the value can read your scans and start new scans until you revoke it. The MCP server at /api/mcp authenticates with the same tokens, exposes the same data as the dashboard, and creates no separate data set.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
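The API-token section above describes the usual hash-at-rest design: the server keeps a SHA-256 digest and an 8-character prefix, shows the plaintext once, and authenticates later requests by hashing what the client presents. This added example (not FixVibe's code) shows that life cycle end to end; the `fv_` prefix, the in-memory store and the function names are assumptions for illustration, while the SHA-256 storage, the 8-character identifier and the created/last-used/revoked timestamps follow the policy text.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_PREFIX_LEN = 8   # the policy keeps the first 8 plaintext characters


@dataclass
class StoredToken:
    token_hash: str               # SHA-256 hex of the plaintext; the plaintext is never stored
    prefix: str                   # first 8 characters, shown in the UI so users can tell tokens apart
    name: str                     # user-supplied label
    created_at: int
    last_used_at: Optional[int] = None
    revoked_at: Optional[int] = None


def _hash(token: str) -> str:
    # A plain (unsalted, fast) hash is appropriate here because the token is a
    # high-entropy random secret, not a human-chosen password: there is nothing
    # for an offline attacker to guess even with the hash in hand.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """In-memory stand-in for the tokens table (constructed for the example)."""

    def __init__(self) -> None:
        self._rows: Dict[str, StoredToken] = {}   # keyed by token_hash

    def create(self, name: str, now: int) -> str:
        """Mint a token, persist only its hash and prefix, and return the plaintext once."""
        plaintext = "fv_" + secrets.token_urlsafe(32)        # assumed format
        row = StoredToken(_hash(plaintext), plaintext[:TOKEN_PREFIX_LEN], name, now)
        self._rows[row.token_hash] = row
        return plaintext                                     # caller must not log or store this

    def authenticate(self, presented: str, now: int) -> Optional[StoredToken]:
        """Resolve a bearer token to its row; None if unknown or revoked."""
        row = self._rows.get(_hash(presented))               # exact match on the digest
        if row is None or row.revoked_at is not None:
            return None
        row.last_used_at = now                               # audit trail of use
        return row

    def revoke(self, token_hash: str, now: int) -> bool:
        """Mark a token revoked by its stored hash (the row id); returns False if not found."""
        row = self._rows.get(token_hash)
        if row is None or row.revoked_at is not None:
            return False
        row.revoked_at = now
        return True


if __name__ == "__main__":
    store = TokenStore()
    shown_once = store.create("ci-pipeline", now=1_700_000_000)
    print("show to user once:", shown_once)
    who = store.authenticate(shown_once, now=1_700_000_100)
    print("authenticated as:", who.name if who else None, "prefix", who.prefix if who else None)
```

Because lookups go by the digest, a leaked database dump yields no usable bearer tokens, and the prefix gives the dashboard and the audit log something stable to name a token by without revealing the secret.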
Outbound webhooks (optional, paid plans)
If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.
'uhinga fakalao · Performance of contract — Art. 6(1)(b) GDPR
Live threat detection (optional, Unlimited only)
If you enable monitoring on a verified domain, we temporarily hold certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the public results of public lookups. No personal data of your end-users is collected. Snapshots older than 7 days are automatically deleted; the latest baseline for each signal type is retained.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Scheduled re-scans (optional, Pro+ only)
If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and who enabled the schedule. Every cron-triggered scan carries the authorization-to-scan attestation made when the domain was first verified; you do not re-attest on each run. Stop at any time from Domains → Schedule.
legal basis · Performance of contract — Art. 6(1)(b) GDPR
Analytics (optional, consent-gated)
If you grant analytics consent and analytics is configured for the deployment you use, we use a privacy-focused product-analytics provider (proxied through our own domain) to record anonymized usage: which buttons are clicked, which checks people run, where users drop off in the funnel. We do not send the URLs you scan, evidence content, or personal data to analytics events. Withdraw your consent at any time from .
legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)
Promotional offer redemptions
When you redeem a promo code, invite link, or campaign credit, we store the campaign code, the plan and duration we granted, the start and end timestamps of the trial, the plan you were on before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we do not keep the raw IP; only the hash, so that we can enforce one-redemption-per-kind limits, and rotating the HMAC key invalidates every stored hash without revealing anyone). Retained for the life of the campaign plus 18 months for bookkeeping and fraud-investigation purposes, then deleted along with the rest of the campaign record.
legal basis · Legitimate interests (fraud prevention, bookkeeping) — Art. 6(1)(f) GDPR
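The promo-redemption section relies on a keyed hash of the IP address rather than a plain hash, and on key rotation as the deletion mechanism. That distinction matters: the IPv4 space is only 2^32 addresses, so an unkeyed SHA-256 of an IP can be reversed by enumeration in minutes, whereas an HMAC with a secret key cannot be reversed without the key, and discarding the key leaves every stored value unmatchable. The following added example (not FixVibe's code) demonstrates both properties with a one-redemption-per-kind ledger; the keys, the ledger class and the offer kinds are constructed for illustration, and the example generalizes the policy's mechanism slightly by normalizing IPv4-mapped IPv6 addresses so the same client cannot redeem twice by switching address notation.

```python
import hashlib
import hmac
import ipaddress
from typing import Set, Tuple


def ip_pseudonym(ip: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised IP address.

    The key is what makes this a pseudonym rather than a thin disguise:
    without it, nobody (including the operator) can map the hash back to an
    address, and the small IPv4 space cannot be brute-forced.
    """
    addr = ipaddress.ip_address(ip)
    # "::ffff:1.2.3.4" and "1.2.3.4" are the same client; hash the same bytes.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()


class RedemptionLedger:
    """Enforces one redemption per IP per offer kind while storing only
    (kind, pseudonym) pairs; the raw IP is never written anywhere."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen: Set[Tuple[str, str]] = set()

    def try_redeem(self, kind: str, ip: str) -> bool:
        entry = (kind, ip_pseudonym(ip, self._key))
        if entry in self._seen:
            return False          # this address already used this kind of offer
        self._seen.add(entry)
        return True

    def rotate_key(self, new_key: bytes) -> None:
        """Rotate the HMAC key. Every previously stored pseudonym is now
        unmatchable against any address, which is the policy's way of
        rendering old records meaningless without touching the rows."""
        self._key = new_key


if __name__ == "__main__":
    # Constructed keys; real ones live in a secrets manager.
    ledger = RedemptionLedger(b"constructed-key-v1")
    print(ledger.try_redeem("promo", "203.0.113.7"))          # True
    print(ledger.try_redeem("promo", "::ffff:203.0.113.7"))   # False, same client
    print(ledger.try_redeem("referral", "203.0.113.7"))       # True, different kind
    ledger.rotate_key(b"constructed-key-v2")
    print(ledger.try_redeem("promo", "203.0.113.7"))          # True again after rotation
```

The trade-off is visible in the last line: rotation is also a reset of the abuse limit, which is why the policy ties the lifetime of these hashes to the campaign rather than rotating on a short schedule.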
Contests, sweepstakes, and challenges
If you enter a FixVibe Challenge (such as the Scan First for Security Challenge), we store the contact email you provide (needed so we can reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and root domain, the project type, stack, and one-thing-I-learned write-up you optionally provide, the how-you-heard-about-us option you optionally select, and the three required confirmation checkboxes you accept (consent, legal, contact). If you separately opt in to public-showcase consent, we may publish your public score, ranking, stack, username, and submitted write-up on the FixVibe leaderboard page, the challenge page, or an announcement post, nowhere else, and never without that opt-in. Challenge entries are retained for the life of the Challenge plus 18 months for verification and dispute purposes. You can withdraw showcase consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect processing carried out lawfully before the withdrawal.
legal basis · Performance of contract (running the Challenge) and consent (showcase) — Art. 6(1)(b) and 6(1)(a) GDPR
What we do NOT collect
- We never sell your data.
- We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
- We do not send your scan target URLs or finding evidence to analytics properties; that data stays in our database, protected by row-level security.
- We do not share your data with third parties for their own marketing.
Sub-processors
We rely on these sub-processors to run FixVibe:
- Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
- Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
- Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
- Upstash, Inc. (USA, via the Vercel Marketplace) — Redis-backed rate limiting; holds only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
- PostHog Inc. (USA) — product analytics, only if you grant analytics consent and only if analytics is configured for the deployment you use. Privacy notice: posthog.com/privacy.
- GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We use the GitHub API to read the repositories you start scans against. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
- Resend, Inc. (USA) — transactional email delivery. Receives your email address and the body of the email when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend retains delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.
Transfers of personal data outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described under “Security” below.
We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.
Your rights
Under the GDPR, UK GDPR, and equivalent laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, etc.), you have the right to:
- access a copy of your data (you can do this self-serve from Account → Privacy);
- rectify your data;
- delete your data (also self-serve);
- object to processing based on legitimate interests;
- withdraw analytics consent at any time from ;
- data portability: your export is in JSON;
- lodge a complaint with your local supervisory authority (EU/UK/EEA) or an equivalent body.
We respond to verifiable rights requests within 30 days. For requests we cannot fulfil self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.
California residents (CCPA / CPRA)
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics in PostHog runs only after you grant consent in our cookie banner; you can withdraw that consent at any time from or by clicking Your Privacy Choices in the footer.
If you are a California resident, you also have the right to:
- know what personal information we collect, its sources, purposes, and any third parties we share it with (all described above);
- request deletion of your personal information (self-serve from Account → Privacy or by emailing us);
- correct inaccurate personal information;
- limit the use and disclosure of sensitive personal information: we collect none except authentication credentials and session metadata, both of which are required to provide the service;
- opt out of sale or sharing: not applicable, because we do neither;
- not be discriminated against for exercising any of the rights above.
We automatically honor Global Privacy Control (GPC) signals; sending a GPC header treats your visit as an explicit opt-out from any future analytics consent.
Security
We enforce row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.
No security program is perfect. If you believe you have found a vulnerability in FixVibe, please report it to support@fixvibe.app.
Changes to this policy
If we make material changes (new sub-processors, new categories of data, new retention periods), we will update the date above and notify you in-app. Minor wording corrections do not trigger a notice.
Contact
privacy@fixvibe.app — we typically respond within 5 business days, and never later than the 30 days required by GDPR Art. 12(3).
