Privacy Policy
Last updated: April 2026
1. Overview
VibeScan ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how we use it when you use VibeScan at vibescan.app.
2. Data We Collect
Account data
When you sign in, we store your email address, name (if provided), and a profile image URL from your OAuth provider (GitHub). This is used to identify your account and personalise your experience.
Code you submit
When you scan code, we process and store the scan results (findings, severity, file paths, line numbers, code snippets) associated with your account. We store this so you can view historical scan results. We do not store the full contents of your submitted code beyond what is necessary to display scan results.
GitHub integration
If you connect GitHub, we store an OAuth access token scoped to read your repositories. This token is used only to download code for scanning on your request and to post PR review comments. We do not access, store, or index your repository contents beyond what is needed for an active scan.
Billing data
Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status, but never your card number or full payment details — those remain with Stripe under their own privacy policy.
Usage data
We collect basic server logs (request timestamps, response codes) for operational purposes. We do not use third-party analytics trackers.
3. How We Use Your Data
- To provide, operate, and improve the Service
- To authenticate you and keep your account secure
- To send transactional emails (magic link sign-in, subscription confirmation)
- To enforce usage limits and billing
- To respond to support requests
We do not sell your data. We do not use your code to train AI models. We do not share your data with third parties except as described in section 4.
4. Third-Party Services
We use the following sub-processors:
| Service | Purpose | Data shared |
|---|---|---|
| Railway | Database and app hosting | All stored data (hosted infrastructure) |
| Stripe | Payment processing | Email, billing details |
| Resend | Transactional email | Email address |
| OpenAI | AI-powered explanations | Code snippets from findings (not full files) |
| GitHub | OAuth sign-in and repo access | OAuth token, repo contents during scan |
5. Data Retention
Scan results are retained until you delete them or delete your account. When you delete a scan, all associated findings are permanently removed.
When you delete your account, we remove your personal data within 30 days, except where we are required to retain it for legal or compliance reasons (e.g., billing records for tax purposes, retained for up to 7 years).
6. Cookies
We use a single session cookie to keep you signed in. We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required for essential session cookies under PECR.
7. Your Rights (GDPR)
If you are located in the EEA or UK, you have the following rights under GDPR:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your account and associated data
- Portability — request your data in a machine-readable format
- Objection — object to processing where we rely on legitimate interests
To exercise any of these rights, email hello@vibescan.app. We will respond within 30 days.
8. Security
We implement industry-standard security measures including encrypted connections (HTTPS), hashed session tokens, and access controls. However, no system is completely secure. If you discover a security vulnerability in VibeScan, please disclose it responsibly to hello@vibescan.app.
9. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email. The "last updated" date at the top reflects the most recent revision.
10. Contact
Questions or concerns about your privacy? Contact us at hello@vibescan.app.