Privacy Policy

Last updated: March 1, 2026

Version 2.1

1. Introduction

CheckVibe ("we", "us", or "our") is operated by CheckVibe, based in Switzerland. We operate the checkvibe.dev website and scanning platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using CheckVibe, you agree to the collection and use of information in accordance with this policy. This policy should be read alongside our Terms of Service and Cookie Policy.

2. Information We Collect

We collect the following types of information:

2.1 Account Information

Email address and password hash when you create an account.

2.2 Usage Data

Scan history, domains scanned, scan results, project configurations, and feature usage patterns.

2.3 Payment Information

Billing details processed securely through Stripe. We do not store your full credit card number on our servers. Stripe may collect additional information as described in Stripe's Privacy Policy.

2.4 Technical Data

IP address, browser type, device information, and session data collected automatically through server logs and cookies.

2.5 User-Provided Credentials

If you choose to connect integrations, you may provide credentials such as GitHub repository URLs, Supabase project URLs, and Supabase access tokens (PATs). These are stored encrypted in our database and used solely to perform security scans you initiate. They are never shared with third parties beyond the specific scanning services required. You can delete these credentials at any time by removing the associated project.

2.6 Threat Detection Data

Our real-time threat detection feature may deploy a lightweight JavaScript snippet on scanned pages to collect visitor interaction data such as IP addresses, user agents, and behavioral signals. This data is used exclusively for identifying malicious activity and security threats and is not used for advertising or profiling purposes.

2.7 Support Ticket Data

When you submit a support request, we collect your email address, message content, and any attachments you provide. This information is used to respond to your inquiry and improve our support processes. Support correspondence is retained for the duration of your account plus 30 days after closure.

3. Legal Bases for Processing (GDPR)

Under the EU General Data Protection Regulation (GDPR) and Swiss Federal Act on Data Protection (FADP), we process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your account data, scan data, and payment information to provide our services.
  • Legitimate interest (Art. 6(1)(f)): Fraud prevention, service improvement, security monitoring, and analytics to maintain and improve our platform.
  • Consent (Art. 6(1)(a)): Optional marketing communications and non-essential cookies. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain data to comply with applicable laws.

4. How We Use Your Information

  • To provide, maintain, and improve our scanning services.
  • To process transactions and manage your subscription.
  • To send service-related communications such as scan completion notifications.
  • To detect and prevent fraud or abuse of our platform.
  • To comply with legal obligations.
  • To respond to your support requests.

5. Third-Party Services

We use the following third-party services to operate our platform:

  • Stripe — payment processing (privacy policy).
  • Supabase — authentication and database hosting (privacy policy).
  • Vercel — web hosting and deployment (privacy policy).
  • GitHub API — repository security scanning (only when you connect a repository).
  • Google Safe Browsing — threat detection for scanned URLs.
  • Google Gemini API — AI-based analysis for vibe-coding detection.
  • National Vulnerability Database (NVD) — CVE lookup for dependency scanning.
  • Resend — transactional email delivery for support notifications and outreach communications (privacy policy).

These services may collect and process data according to their own privacy policies. We only share the minimum data necessary for each service to function.

6. International Data Transfers

Our servers and third-party service providers may be located outside of your country of residence, including in the United States and the European Economic Area (EEA). When we transfer data outside of Switzerland or the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or reliance on the recipient's participation in recognized frameworks such as the EU-U.S. Data Privacy Framework.

7. Data Retention

  • Account data: Retained for as long as your account is active, plus 30 days after deletion.
  • Scan results: Retained for the duration of your subscription. Deleted within 30 days of account closure.
  • Payment records: Retained for up to 7 years as required by tax and accounting laws.
  • Server logs: Retained for up to 90 days for security and debugging purposes.
  • User-provided credentials: Deleted immediately when you remove the associated project or account.

8. Cookies and Tracking

We use cookies and similar technologies for authentication and session management. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

9. Data Security

We implement industry-standard security measures to protect your data, including encrypted connections (TLS), secure password hashing, role-based access controls, and row-level security on our database. User-provided credentials (such as Supabase PATs) are stored encrypted. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Your Rights Under GDPR

If you are located in the EEA, Switzerland, or the UK, you have the following rights under applicable data protection law:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — delete your account and all associated data instantly from your account deletion page.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we limit processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint — file a complaint with your local data protection authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).

You can delete your account and all data instantly from your account deletion page. For other requests, contact us at support@checkvibe.dev. We will respond within 30 days.

11. Your Rights Under CCPA/CPRA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know — request details about the categories and specific pieces of personal information we have collected.
  • Right to delete — delete your account and all personal data instantly from your account deletion page.
  • Right to opt-out of sale — we do not sell your personal information to third parties. We do not share personal information for cross-context behavioral advertising.
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.

You can delete your account instantly from your account deletion page. For other requests, contact us at support@checkvibe.dev.

12. Children's Privacy

CheckVibe is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page, updating the "Last updated" date, and incrementing the version number. For significant changes, we will also notify you by email.

14. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, contact us: