Inqubomgomo Yobumfihlo

I-FixVibe iqhutshwa yi-EGO HERO LLC (“thina”, “kithi”), isilawuli sedatha sedatha yomuntu siqu echazwe kule nqubomgomo. Ngemibuzo yobumfihlo, kuhlanganisa nezicelo zabantu bedatha ngaphansi kwe-GDPR, UK GDPR, noma CCPA, xhumana no-privacy@fixvibe.app. Kokunye noma yini, bhalela ku-support@fixvibe.app.

• Idatha ye-akhawunti

  Ikheli le-imeyili, isihlonzi se-OAuth (uma ungena nge-Google noma GitHub), nanoma yiliphi igama esilithola kumhlinzeki wakho we-OAuth. Kusetshenziswa ukukuqinisekisa nokuxhumana nawe nge-akhawunti yakho. Kugcinwa ngesikhathi i-akhawunti yakho isasebenza. Uma ususa i-akhawunti yakho, le datha iyasuswa zingakapheli izinsuku ezingama-30, ngaphandle lapho kudingeka siyigcine (isb., amarekhodi okukhokha ngaphansi komthetho wentela).

  isisekelo esisemthethweni · Ukufeza inkontileka — Art. 6(1)(b) GDPR

• Okuqondiswe kuma-skani nemiphumela

  Ama-URLs owaskanayo, izicelo esizenzayo kulawo ma-URLs, nemiphumela esiyikhiqizayo. Kugcinwa ngaphansi kwenhlangano yakho. Sisusa ngokuzenzakalelayo amarekhodi amadala kunewindi lokugcina leplani yakho: izinsuku ezingama-30 (Hobby), izinsuku ezingama-90 (Pro), izinsuku ezingama-365 (Unlimited). Ungakhipha noma ususe umlando wakho wama-skani noma nini kusuka ku-I-akhawunti → Ubumfihlo.

  isisekelo esisemthethweni · Ukufeza inkontileka — Art. 6(1)(b) GDPR

• Izikhathi zama-skani angaziwa

  Uma uqala skani ngaphandle kokungena, sikhipha cookie esayinwe nge-HMAC (fixvibe_anon_session, impilo yamahora angu-24) ephethe i-ID engahleliwe engacacile. Sisusa ngokuzenzakalelayo amarekhodi ama-skani angaziwa angazange athathwe ngemva kwamahora angu-24. Uma ubhalisa ngaphakathi kwewindi lamahora angu-24, skani yakho idlulela ku-akhawunti yakho entsha. Asazi ukuthi abasebenzisi abangaziwa bangobani ngaphandle uma bebhalisa.

  isisekelo esisemthethweni · Kudingeka ngokuqinile — ePrivacy Art. 5(3) exemption

• Idatha yokukhokha

  Stripe ngumcubunguli wethu wezinkokhelo. Bagcina imininingwane yekhadi lakho kwingqalasizinda ye-PCI-DSS; thina sigcina kuphela Stripe customer ID, isimo sokubhalisa, iplani, ukuqala/ukuphela kwesikhathi, nerekhodi elincane le-idempotency lezehlakalo ze-webhook. Bheka isaziso sobumfihlo se-Stripe ku-stripe.com/privacy.

  isisekelo esisemthethweni · Ukufeza inkontileka — Art. 6(1)(b) GDPR

• Amalogi eseva namalogi okuhlola

  Short-lived API request logs may include IP address, user-agent, method, path, status, duration, request ID, user/org context, and error strings so we can debug the service and detect abuse. These request logs are automatically pruned after 72 hours by our retention cron, with up to 24 hours of cron scheduling slop. Audit logs for security-relevant actions (including sign in, scan started, token created/revoked, plan change, account deletion, and admin/support actions) may include IP address, user-agent, and request metadata. Audit logs are automatically pruned after 18 months, except where a longer period is required to comply with legal process or to defend a legal claim.

  isisekelo esisemthethweni · Inzalo esemthethweni — Art. 6(1)(f) GDPR

• Ukuhlanganiswa kwe-GitHub (okuzikhethela, Pro+ kuphela)

  Uma uxhuma i-akhawunti ye-GitHub kusuka ku-I-akhawunti → Ukuhlanganiswa, sigcina OAuth access token ebethelwe yenhlangano yakho, GitHub login yakho + numeric user ID, nama-scopes avunyelwe. Sisebenzisa i-token kuphela ukufunda repositories oqala ama-skani kuzo. Source code ilandwa nge-skani ngayinye, icutshungulwa ku-memory, futhi kugcinwa ubufakazi bomphumela ngamunye kuphela (akukho full source dumps). Isuswa zingakapheli izinsuku ezingama-30 ngemva kokunqamula.

  isisekelo esisemthethweni · Ukufeza inkontileka / imvume — Art. 6(1)(b) + 6(1)(a) GDPR

• API tokens + MCP server (okuzikhethela)

  Tokens ozidala ku-I-akhawunti → API tokens zigcinwa njenge-SHA-256 hash, izinhlamvu zokuqala ezingu-8 ze-plaintext (zokuhlonza), igama olinikezile, kanye nama-timestamps okudalwa/ukusetshenziswa kokugcina/ukuhoxiswa. I-plaintext iboniswa kuwe kanye kuphela ngesikhathi sokudalwa futhi ayigcinwa. Tokens zingama-bearer credentials: noma ubani onenani angafunda ama-skani akho futhi aqale amasha uze uyihoxise. MCP server ku-/api/mcp iqinisekiswa ngama-tokens afanayo, iveza idatha efanayo ne-dashboard, futhi ayidali isigaba sedatha esihlukile.

  isisekelo esisemthethweni · Ukufeza inkontileka — Art. 6(1)(b) GDPR

• Outbound webhooks (optional, paid plans)

  If you create webhook endpoints from Account → Webhooks, we store the endpoint URL, selected event types, delivery status, short response excerpts, and an encrypted signing secret. We send scan, finding, monitor-alert, and scheduled-run metadata to the endpoints you configure. Those endpoints are recipients chosen by your organization, not FixVibe sub-processors.

  isisekelo esisemthethweni · Performance of contract — Art. 6(1)(b) GDPR

• Ukutholwa kwezinsongo bukhoma (okuzikhethela, Unlimited kuphela)

  Uma unokulandelela okuvuliwe ku-domain eqinisekisiwe, sithatha ngezikhathi ezithile certificate-transparency log entries, DNS records, nama-threat-intel listings (Spamhaus DBL, URLhaus) alowo domain. La ma-snapshots aqukethe hostnames osuvele wasigunyaza ukuziskana kanye nemiphumela yomphakathi yama-public lookups. Ayikho idatha yomuntu siqu yabasebenzisi bakho bokugcina ethathwayo. Ama-snapshots amadala kunezinsuku ezingu-7 asuswa ngokuzenzakalelayo; baseline yakamuva kakhulu igcinwa ngohlobo ngalunye lwe-signal.

  isisekelo esisemthethweni · Ukufeza inkontileka — Art. 6(1)(b) GDPR

• Ama-skani aphindwayo ahleliwe (okuzikhethela, Pro+ kuphela)

  Uma uvula scheduled scans ku-domain eqinisekisiwe, sirekhoda cadence, last run time, next run time, nokuthi yimuphi umsebenzisi ovule schedule. I-cron-triggered scan ngayinye ithola i-authorization-to-scan attestation eyenziwa ngesikhathi i-domain iqinisekiswa okokuqala — awudingi ukuphinda ufakaze nge-run ngayinye. Vala noma nini ku-Domains → Schedule.

  isisekelo esisemthethweni · Ukufeza inkontileka — Art. 6(1)(b) GDPR

• Analytics (okuzikhethela, kudinga imvume)

  Uma unikeza imvume ye-analytics futhi sine-analytics esethiwe kule deployment oyisebenzisayo, sisebenzisa umhlinzeki we-product-analytics ohlonipha ubumfihlo (ophroksywe nge-domain yethu) ukurekhoda ukusetshenziswa okungaziwa — yiziphi izinkinobho ezichofozwayo, yiziphi checks abantu abazigijimayo, nokuthi abasebenzisi bawa kuphi ku-funnel. Asifaki ama-URLs owaskanayo, evidence content, noma personal data kuma-analytics events. Hoxisa imvume noma nini nge-Cookie settings.

  isisekelo esisemthethweni · Imvume — Art. 6(1)(a) GDPR / ePrivacy Art. 5(3)

• Ukuthengwa kwesipho sokuthuthukiswa

  Lapho uthenga ikhodi yokuthuthukiswa, isixhumanisi sesimemo, noma i-credit yokuthuma, sigcina ikhodi yomkhankaso, icebo nesikhathi esisinikezile, izitembu zesikhathi sokuqala nokuphela kwehora lokuvivinya, icebo obonayo ngaphambi kwehora lokuvivinya, ne-hash ye-HMAC-SHA256 yekheli lakho le-IP ngesikhathi sokuthengwa (asikaze sigcine i-IP eluhlaza — i-hash ikhona kuphela ukuze sikwazi ukuphoqelela imikhawulo yokuthenga okukodwa ngenethiwekhi, futhi ukushintsha okhiye we-HMAC ongaphansi kwenza onke ama-hash agcinwe angasebenzi ngaphandle kokuveza muntu). Igcinwa impilo yomkhankaso kuhlanganise nezinyanga eziyi-18 ngezinhloso zokubala namaphenya enkohliso, bese isulwa nayo yonke irekhodi lomkhankaso.

  isisekelo esisemthethweni · Inzuzo esemthethweni (ukuvimbela inkohliso, ukubala) — Art. 6(1)(f) GDPR

• Imincintiswano, ama-sweepstakes, nezinselelo

  Uma ungena Enselelweni ye-FixVibe (njengeNselelo Yokulungiselela Ezokuphepha), sigcina i-imeyili yokuxhumana oyithumelayo (idingekile ukuze sikwazi ukukufinyelela uma uwina), amagama omsebenzisi e-Reddit ne-Product Hunt owanikeza ngokuzikhethela, i-scan ID yakho nesizinda esiyimpande, uhlobo lwephrojekthi olubikwe ngokwakho, isitaki, nombhalo we-into-eyodwa-engiyifundile owanikeza ngokuzikhethela, inani lesiteshi sokuthola owalikhetha ngokuzikhethela, namabhokisi okuhlola amathathu adingekayo emvume owavuma (igunya, imithetho, ukuxhumana). Uma uhlola ngokuhlukile imvume yokuzikhethela egqanyiswe-emkhankasweni-wokumaketha, singabonisa amaphuzu akho omphakathi, isilinganiso, isitaki, igama lomsebenzisi, nokucaphuna okuthunyelwe ekhasini lasekhaya le-FixVibe, ikhasi lenselelo, noma ukuphawula okufushane — akukho nesinye isimu, futhi akukaze ngaphandle kwaleyo mvume. Ukungena Enselelweni kugcinwa impilo yeNselelo kuhlanganise nezinyanga eziyi-18 ngezinhloso zokuqinisekisa nokuxabana. Ungayihoxisa imvume egqanyiswe-emkhankasweni-wokumaketha nganoma yisiphi isikhathi ngokuthumela i-imeyili ku-privacy@fixvibe.app; ukuhoxisa akuthinti ukucutshungulwa okusemthethweni ngaphambi kokuhoxisa.

  isisekelo esisemthethweni · Ukwenza isivumelwano (ukuqhuba iNselelo) nemvume (ukugqamisa) — Art. 6(1)(b) ne-6(1)(a) GDPR

• Asiyithengisi idatha yakho nanini.
• Asifaki ad-tech yabantu besithathu, fingerprinting, noma session-replay scripts.
• Asifaki ama-URL oqondiswe kuwo ama-skani noma ubufakazi bemiphumela kuma-analytics properties — leyo datha ihlala kuphela ku-database yethu, ivinjwe yi-row-level security.
• Asabelani ngedatha yakho nabantu besithathu ukuze bayisebenzisele ukumaketha kwabo.

Sincika kulaba bacubunguli-abancane ukusebenzisa i-FixVibe:

• Vercel Inc. (USA) — application hosting ne-edge network. Isaziso sobumfihlo: vercel.com/legal/privacy-policy.
• Supabase Inc. (USA) — Postgres database, authentication, file storage, Realtime. I-FixVibe production database ise-AWS us-east-1 region. Isaziso sobumfihlo: supabase.com/privacy.
• Stripe Inc. (USA) — ukucubungula izinkokhelo zamaplani akhokhelwayo. Isaziso sobumfihlo: stripe.com/privacy.
• Upstash, Inc. (USA, nge-Vercel Marketplace) — Redis-backed rate limiting; igcina kuphela ama-counters amafushane asekelwe ku-IP. Isaziso sobumfihlo: upstash.com/privacy.
• PostHog Inc. (USA) — product analytics, kuphela uma unikeza imvume ye-analytics futhi kuphela lapho i-analytics isethiwe kule deployment oyisebenzisayo. Isaziso sobumfihlo: posthog.com/privacy.
• GitHub, Inc. (USA) — kuphela uma uxhuma ukuhlanganiswa kwe-GitHub okukhethwayo. Sisebenzisa GitHub API ukufunda repositories oqala ama-skani kuzo. Isaziso sobumfihlo: docs.github.com/site-policy/privacy-policies/github-general-privacy-statement.
• Resend, Inc. (USA) — ukulethwa kwama-imeyili e-transactional. Ithola ikheli lakho le-imeyili nomzimba we-imeyili lapho sithumela ama-imeyili e-scan-completed, scheduled-scan, live-threat alert, nama-weekly-digest. Resend igcina delivery metadata (timestamps, status, bounce records) ngezinhloso zokusebenza; asithumeli i-imeyili yokumaketha nge-Resend. Isaziso sobumfihlo: resend.com/legal/privacy-policy.

Ukudluliselwa kwedatha yomuntu siqu ngaphandle kwe-EEA/UK kuncike ku-European Commission Standard Contractual Clauses (noma ku-UK International Data Transfer Addendum), kuhlanganiswe nezinyathelo ze-encryption-in-transit ne-encryption-at-rest ezichazwe ku-“Ukuphepha” ngezansi.

We will update this list and notify customers in-app if we add a new sub-processor that processes personal data on our behalf. Customer-configured outbound webhook endpoints are customer-selected recipients, not FixVibe sub-processors.

Ngaphansi kwe-GDPR, UK GDPR, nemithetho efanayo (CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act njll.), unelungelo loku:

• finyelela ikhophi yedatha yakho (ungakwenza ngokuzihudulela kusuka ku-I-akhawunti → Ubumfihlo);
• lungisa idatha yakho;
• susa idatha yakho (nakhona ngokuzihudulela);
• phikisa ukucubungula okusekelwe ezinzuzweni ezisemthethweni;
• hoxisa imvume ye-analytics noma nini nge-Cookie settings;
• ukuthwaleka kwedatha — i-export yakho iku-JSON;
• faka isikhalazo kumlawuli wakho wasendaweni (EU/UK/EEA) noma ofanayo.

Siphendula izicelo zamalungelo eziqinisekisekayo zingakapheli izinsuku ezingama-30. Ngezicelo esingakwazi ukuzanelisa ngokuzihudulela (ukulungiswa kwenkambu esingayivezi, ukuvinjelwa kokucubungula, ukuphikisa), thumela i-imeyili ku-support@fixvibe.app enesihloko esithi “Privacy request”.

Asiluthengisi ulwazi lwakho lomuntu siqu. Asabelani ngolwazi lomuntu siqu nge-cross-context behavioral advertising. Analytics nge-PostHog isebenza kuphela ngemva kokuba unikeze imvume ebhaneni lethu le-cookie; ungayihoxisa leyo mvume noma nini nge-Cookie settings noma ngokuchofoza Your Privacy Choices ku-footer.

Uma ungumhlali wase-California, unelungelo futhi loku:

• wazi ukuthi yiluphi ulwazi lomuntu siqu esiluqoqayo, imithombo, izinhloso, nanoma yibaphi abantu besithathu esabelana nabo (konke kuchazwe ngenhla);
• cela ukusulwa kolwazi lwakho lomuntu siqu (ngokuzihudulela nge-I-akhawunti → Ubumfihlo noma ngokusithumelela i-imeyili);
• lungisa ulwazi lomuntu siqu olungalungile;
• nciphisa ukusetshenziswa nokudalulwa kolwazi lomuntu siqu olubucayi — asiqoqi lutho ngaphandle kwe-authentication credentials ne-session metadata, kokubili okudingekayo ukunikeza insizakalo;
• phuma ekuthengisweni noma ekwabelaneni — akusebenzi ngoba asenzi nokukodwa kwalokho;
• ungacwaswa ngokusebenzisa noma yiliphi ilungelo elingenhla.

Sihlonipha ngokuzenzakalelayo izimpawu ze-Global Privacy Control (GPC); ukuthumela i-GPC header kuphatha ukuvakasha kwakho sengathi uphumile ngokusobala kunoma iyiphi imvume ye-analytics yesikhathi esizayo.

We force row-level security on every database table; users only see records belonging to organizations they are members of. Authenticated-scan headers, when supplied, are encrypted at rest with AES-256-GCM and purged after the scan completes. Stripe webhook payloads are HMAC-verified before processing, and customer outbound webhook signing secrets are encrypted at rest. The service-role database credential is held only on the server runtime and is never exposed to the browser. All traffic between you and FixVibe, and between FixVibe and our sub-processors, uses TLS 1.2 or higher.

Alukho uhlelo lokuphepha oluphelele. Uma ukholwa ukuthi uthole ubuthakathaka ku-FixVibe, sicela ububike ku-support@fixvibe.app.

Uma senza izinguquko ezibalulekile — abacubunguli-abancane abasha, izigaba ezintsha zedatha, izikhathi ezintsha zokugcina — sizobuyekeza usuku olungenhla futhi sikwazise ngaphakathi kohlelo. Ukulungisa amagama okuncane akudali isaziso.

privacy@fixvibe.app — izimpendulo ngokuvamile zingakapheli izinsuku zokusebenza ezi-5, futhi azidluli izinsuku ezingama-30 njengoba kudingwa yi-GDPR Art. 12(3).