FixVibe


Privacy policy

last updated · 2026-05-17

Who we are

FixVibe is operated by EGO HERO LLC (“we”, “us”), which is the data controller for the personal data described in this policy. For privacy questions, including data subject requests under the GDPR, UK GDPR or CCPA, contact privacy@fixvibe.app. For anything else, write to support@fixvibe.app.

What we collect, why, and how long we keep it

  • Account data

    Email address, OAuth identifier (if you sign in via Google or GitHub), and any name we receive from your OAuth provider. Used to authenticate you and to contact you about your account. Retained for as long as your account is active. When you delete your account, this data is removed within 30 days, except where we are required to keep it (for example, billing records under tax law).

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scan targets and findings

    The URLs you scan, the requests we send to those URLs, and the findings we generate. Stored linked to your organization. We automatically delete records older than your plan's retention window: 30 days (Hobby), 90 days (Pro), 365 days (Unlimited). You can export or delete your scan history at any time via Account → Privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Anonymous scan sessions

    If you start a scan without signing in, we issue an HMAC-signed cookie (fixvibe_anon_session, 24-hour lifetime) holding an opaque random ID. Unclaimed anonymous scan records are automatically deleted after 24 hours. If you sign up within the 24-hour window, your scan is migrated to your new account. We do not know who anonymous users are until they sign up.

    legal basis · Strictly necessary — ePrivacy Art. 5(3) exemption

  • Billing data

    Stripe is our payment processor. They store your card details on their PCI-DSS infrastructure; we keep only your Stripe customer ID, subscription status, plan, period start/end, and a small idempotency record of webhook events. See Stripe's privacy notice at stripe.com/privacy.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Server logs and audit logs

    Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

    legal basis · Legitimate interest — Art. 6(1)(f) GDPR

  • GitHub integration (optional, Pro+ only)

    If you connect a GitHub account via Account → Integrations, we store for your organization an encrypted OAuth access token, your GitHub login and numeric user ID, and the granted scopes. We use the token only to read the repositories you start scans on. Source code is fetched for each scan, processed in memory, and only individual finding evidence is stored (no full source dumps). Deleted within 30 days after you disconnect.

    legal basis · Performance of contract / consent — Art. 6(1)(b) + 6(1)(a) GDPR

  • API tokens + MCP server (optional)

    Tokens you create under Account → API tokens are stored as a SHA-256 hash, together with the first 8 plaintext characters for identification, the name you give them, and created/last-used/revoked timestamps. The plaintext is shown to you exactly once at creation time and is never persisted. Tokens are bearer credentials: anyone holding the value can read your scans and start new ones until you revoke it. The MCP server at /api/mcp is authenticated with the same tokens, exposes the same data the dashboard shows, and creates no separate data category.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Outbound webhooks (optional, paid plans)

    If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Live threat detection (optional, Unlimited only)

    If monitoring is enabled on a verified domain, we periodically capture certificate-transparency log entries, DNS records, and threat-intel listings (Spamhaus DBL, URLhaus) for that domain. These snapshots contain hostnames you have already authorized us to scan and the public results of public lookups. No personal data of your end users is collected. Snapshots older than 7 days are automatically deleted; the most recent baseline is retained per signal type.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Scheduled re-scans (optional, Pro+ only)

    If you enable scheduled scans on a verified domain, we record the cadence, last run time, next run time, and the user who enabled the schedule. Each cron-triggered scan inherits the authorization-to-scan attestation given when the domain was first verified; you do not need to re-attest for every run. Disable at any time via Domains → Schedule.

    legal basis · Performance of contract — Art. 6(1)(b) GDPR

  • Analytics (optional, consent-gated)

    If you give analytics consent and analytics is configured for the deployment you use, we use a privacy-respecting product-analytics provider (proxied through our own domain) to record anonymous usage: which buttons are clicked, which checks people run, where in the funnel users drop off. We never include the URLs you scan, evidence content, or personal data in analytics events. You can revoke consent at any time via .

    legal basis · Consent — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

  • Redeeming a promotional offer

    When you redeem a promo code, an invitation link or an invitation credit, we store the campaign code, the plan and duration granted, the trial start and end timestamps, the plan you held before the trial, and an HMAC-SHA256 hash of your IP address at the time of redemption (we never store the raw IP; the hash exists only to enforce one-redemption-per-network limits, and rotating the underlying HMAC key invalidates all stored hashes without exposing anyone). Retained for the campaign duration plus 18 months for accounting and fraud-review purposes, then deleted together with the rest of the campaign record.

    legal basis · Legitimate interest (fraud prevention, accounting) — Art. 6(1)(f) GDPR

  • Contests, sweepstakes and challenges

    If you enter a FixVibe Challenge (for example, the Security Pre-check Contest), we store the contact email you submit (needed to reach you if you win), the Reddit and Product Hunt usernames you optionally provide, your scan ID and primary domain, the self-reported project type, stack and the optional one-thing-I-learned text, the optional discovery-channel value you select, and the three required consent checkboxes you accept (permission, rules, contact). If you tick the separate optional marketing-showcase consent, we may show your public score, ranking, stack, username and submitted quote on the FixVibe home page, the challenge page or a review post, never any other field and never without that consent. Challenge entries are retained for the Challenge duration plus 18 months for verification and dispute purposes. You can withdraw the marketing-showcase consent at any time by emailing privacy@fixvibe.app; withdrawal does not affect lawful processing carried out before it.

    legal basis · Performance of contract (running the Challenge) and consent (showcase) — Art. 6(1)(b) and 6(1)(a) GDPR

What we do not collect

  • We never sell your data.
  • We do not embed third-party ad-tech, fingerprinting, or session-replay scripts.
  • We do not send scan target URLs or finding evidence to analytics properties; that data lives only in our database, gated by row-level security.
  • We do not share your data with third parties for their own marketing.

Sub-processors

We rely on the following sub-processors to run FixVibe:

  • Vercel Inc. (USA) — application hosting and edge network. Privacy notice: vercel.com/legal/privacy-policy.
  • Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. The FixVibe production database is located in the AWS us-east-1 region. Privacy notice: supabase.com/privacy.
  • Stripe Inc. (USA) — payment processing for paid plans. Privacy notice: stripe.com/privacy.
  • Upstash, Inc. (USA, via Vercel Marketplace) — Redis-backed rate limiting; stores only short-lived IP-based counters. Privacy notice: upstash.com/privacy.
  • PostHog Inc. (USA) — product analytics, only when you have given analytics consent and only when analytics is configured for the deployment you use. Privacy notice: posthog.com/privacy.
  • GitHub, Inc. (USA) — only if you connect the optional GitHub integration. We read the repositories you start scans on via the GitHub API. Privacy notice: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
  • Resend, Inc. (USA) — transactional email delivery. Receives your email address and the email body when we send scan-completed, scheduled-scan, live-threat alert, and weekly-digest emails. Resend keeps delivery metadata (timestamps, status, bounce records) for operational purposes; we never send marketing email through Resend. Privacy notice: resend.com/legal/privacy-policy.

Transfers of personal data outside the EEA/UK rely on the European Commission Standard Contractual Clauses (or the UK International Data Transfer Addendum), supplemented by the encryption-in-transit and encryption-at-rest measures described under “Security” below.
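The "API tokens + MCP server" entry above describes how tokens are kept at rest: only a SHA-256 hash plus the first 8 plaintext characters, with the plaintext shown once. The following Python is an added example written for this page to show that scheme end to end; it is not FixVibe's code. The TokenStore class, its method names, the "fv_" token prefix and the in-memory list standing in for a database table are all assumptions.

```python
"""Added example: an API-token store that persists only a SHA-256 hash and an
8-character plaintext prefix, as the policy describes. Illustrative code,
not FixVibe's own; class, method names and the "fv_" prefix are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PREFIX_LEN = 8  # plaintext characters kept for identification (from the policy)


@dataclass
class TokenRecord:
    token_hash: str                      # hex SHA-256 of the full plaintext token
    prefix: str                          # first 8 plaintext chars, safe to display
    name: str                            # user-supplied label
    created_at: datetime
    last_used_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


class TokenStore:
    """In-memory stand-in for the tokens table (assumption)."""

    def __init__(self) -> None:
        self._records: list[TokenRecord] = []

    @staticmethod
    def _hash(plaintext: str) -> str:
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def create(self, name: str) -> tuple[str, TokenRecord]:
        """Mint a token. Returns the plaintext (to show exactly once) and the
        stored record; the plaintext itself is never written to the store."""
        plaintext = "fv_" + secrets.token_urlsafe(32)   # "fv_" prefix is an assumption
        record = TokenRecord(
            token_hash=self._hash(plaintext),
            prefix=plaintext[:PREFIX_LEN],
            name=name,
            created_at=datetime.now(timezone.utc),
        )
        self._records.append(record)
        return plaintext, record

    def authenticate(self, presented: str) -> Optional[TokenRecord]:
        """Bearer check: narrow candidates by the public prefix, then compare
        the hash in constant time. Revoked tokens never match."""
        candidate_hash = self._hash(presented)
        for rec in self._records:
            if rec.revoked_at is not None or rec.prefix != presented[:PREFIX_LEN]:
                continue
            if hmac.compare_digest(rec.token_hash, candidate_hash):
                rec.last_used_at = datetime.now(timezone.utc)
                return rec
        return None

    def revoke(self, prefix: str) -> bool:
        """Revoke by prefix (the only identifier a user ever sees again)."""
        for rec in self._records:
            if rec.prefix == prefix and rec.revoked_at is None:
                rec.revoked_at = datetime.now(timezone.utc)
                return True
        return False
```

Two points the code makes concrete: a database dump yields only hashes and 8-character prefixes, so a leaked table does not hand out working bearer tokens; and because the prefix is the lookup key, a user can revoke a token from the dashboard without ever re-entering the secret.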
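The "Redeeming a promotional offer" entry states that only an HMAC-SHA256 of the redeeming IP is stored, that it exists solely to enforce one-redemption-per-network limits, and that rotating the key invalidates every stored hash. This added Python example, written for this page and not FixVibe's code, shows that mechanism. The network granularity (/24 for IPv4, /64 for IPv6), the RedemptionLimiter class and the function names are assumptions.

```python
"""Added example: keyed hashing of a client's network so that only an
HMAC-SHA256 digest is ever persisted, plus the key-rotation property the
policy relies on. Illustrative code, not FixVibe's own; the /24 and /64
granularity and all names are assumptions."""
import hashlib
import hmac
import ipaddress

IPV4_PREFIX = 24   # assumption: "one per network" granularity for IPv4
IPV6_PREFIX = 64   # assumption: granularity for IPv6


def network_of(ip: str) -> str:
    """Normalize an address to the network the limit applies to."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def network_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA256 over the network string; this digest is the only value stored."""
    return hmac.new(key, network_of(ip).encode("utf-8"), hashlib.sha256).hexdigest()


class RedemptionLimiter:
    """Enforces one redemption per network per campaign using hashes only."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen: dict[str, set[str]] = {}   # campaign code -> stored network hashes

    def try_redeem(self, campaign: str, ip: str) -> bool:
        """True if this network has not yet redeemed the campaign; records it."""
        digest = network_hash(ip, self._key)
        bucket = self._seen.setdefault(campaign, set())
        if digest in bucket:
            return False
        bucket.add(digest)
        return True

    def rotate_key(self, new_key: bytes) -> None:
        """After rotation no stored digest can be matched or recomputed, so the
        retained records stop being linkable to any network."""
        self._key = new_key
```

The keyed construction is what distinguishes this from a plain hash: a bare SHA-256 of an IPv4 address can be reversed by enumerating the 2^32 address space, whereas an HMAC with a secret key cannot be reversed without that key, and retiring the key is a clean way to neutralise retained hashes at the end of a campaign.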

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Your rights

Under the GDPR, UK GDPR, and equivalent laws (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, etc.) you have the following rights:

  • to access a copy of your data (you can self-serve this via Account → Privacy);
  • to have your data corrected;
  • to have your data deleted (also available self-serve);
  • to object to processing based on legitimate interests;
  • to withdraw consent for analytics at any time via ;
  • data portability — your export is in JSON format;
  • to lodge a complaint with your local supervisory authority (EU/UK/EEA) or an equivalent body.

We respond to verifiable rights requests within 30 days. For requests you cannot fulfil via self-serve (rectification of a field we do not expose, restriction of processing, objection), email support@fixvibe.app with the subject line “Privacy request”.

California residents (CCPA / CPRA)

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Analytics via PostHog runs only after you give consent in our cookie banner; you can withdraw that consent at any time via or by clicking Your Privacy Choices in the footer.

If you are a California resident, you also have the following rights:

  • to know what personal information we collect, the sources, the purposes, and the third parties we share it with (all detailed above);
  • to request deletion of your personal information (self-serve via Account → Privacy or by emailing us);
  • to correct inaccurate personal information;
  • to limit the use and disclosure of sensitive personal information; we collect none beyond authentication credentials and session metadata, both of which are required to provide the service;
  • to opt out of sale or sharing; not applicable, because we do neither;
  • not to be discriminated against for exercising any of the above.

We honor Global Privacy Control (GPC) signals automatically; sending a GPC header is treated as an explicit opt-out of future analytics consent for your visit.

Security

We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

No security program is perfect. If you believe you have found a vulnerability in FixVibe, report it to support@fixvibe.app.

Changes to this policy

If we make material changes (new sub-processors, new data categories, new retention periods), we will update the date above and notify you in-app. Minor wording fixes do not trigger a notification.

Contact

privacy@fixvibe.app; replies usually within 5 business days, and never longer than the 30 days required by GDPR Art. 12(3).
