Last updated: May 17, 2026 (v3.0)
Summary at a glance.
We collect the minimum data we need to run CheckVibe, secure your account, deliver scan results you request, and meet our legal duties. We do not sell or rent personal data, we do not share data for cross-context behavioral advertising, we do not run advertising cookies, and we do not use your Customer Content to train third-party AI models. You can delete your account and associated personal data at any time from your account deletion page. The full policy below explains the legal details.
CheckVibe (“we,” “us,” or “our”), based in Switzerland, operates the checkvibe.dev website and the related security-scanning platform (the “Service”). This Privacy Policy explains what information we collect, why we collect it, how we use, share, retain, and protect it, and the rights you have under applicable data-protection laws.
This Policy applies to all visitors of our website, customers of our Service, individual users acting on behalf of an organization, and individuals whose information is processed through the Service (including, in limited circumstances, end-visitors of websites operated by our customers). It does not apply to third-party websites, products, or services we link to or that you connect to the Service.
This Policy should be read together with our Terms of Service, Cookie Policy, Data Processing Addendum, and Subprocessor List.
For purposes of the EU and UK General Data Protection Regulations (GDPR/UK GDPR), the Swiss Federal Act on Data Protection (revFADP/nFADP), and analogous laws, the data controller in respect of personal data we collect about our website visitors and account holders is:
CheckVibe is not currently required under Art. 37 GDPR to appoint a formal Data Protection Officer (DPO), but you can address all privacy enquiries to the contact above and we will respond promptly. For data we process on behalf of our business customers (for example, scan-related data collected through their account), we act as a processor and the customer is the controller. See our Data Processing Addendum.
EU/UK representatives. As a Switzerland-based processor not established in the EU/UK, CheckVibe's processing of EU/UK personal data is limited and does not currently meet the thresholds requiring the appointment of an Art. 27 GDPR or UK GDPR Article 27 representative. We will appoint a representative if and when our activities meet that threshold. EU and UK data subjects may continue to send all requests and complaints to support@checkvibe.dev.
We collect the following categories of information:
Email address, password hash (we never store passwords in plain text), display name (if provided), authentication-provider identifier (if you sign in via a third-party provider), and account-creation and last-sign-in timestamps.
Scan history; URLs, domains, repositories, and projects you submit; scan results, severity ratings, and remediation suggestions; project configuration; saved settings; threshold alerts; and feature-usage patterns. Scan results may incorporate publicly available data about your scanned property (HTTP headers, TLS configuration, DNS records, public source code, certificate-transparency log entries, public CVE records, public WHOIS data).
When you subscribe to a paid plan, billing details are processed by Stripe, Inc. We receive a Stripe customer ID, plan/subscription status, transaction history, billing email, country, postal code, and tax identifier (where applicable). We do not store your full credit-card number, CVC/CVV, or full bank-account number on our servers. See Stripe's Privacy Policy.
IP address, user-agent string, device identifiers, browser type and version, operating system, language preferences, referring URL, pages requested, response codes, request timestamps, session identifiers, and similar diagnostic telemetry generated automatically by your interactions with the Service. This data is used for security, fraud prevention, service operation, abuse mitigation, debugging, and performance monitoring.
When you connect an integration (such as GitHub or Supabase), you may provide repository URLs, project URLs, OAuth tokens, personal access tokens, or other credentials. We store these credentials encrypted at rest and use them only to perform the scans you initiate. We never transmit them outside the subprocessors strictly required to execute the requested scan. You can revoke and delete these credentials at any time by removing the associated project or disconnecting the integration.
Our optional real-time threat-detection feature, which you (the customer) may deploy on your own scanned site by adding a JavaScript snippet, collects limited end-visitor telemetry on that site: IP address, user-agent, page URL, referrer, timestamps, request fingerprints, and behavioral signals (such as automated-client heuristics). This data is processed solely to detect malicious activity, bots, attempted abuse, and security threats for the benefit of the deploying customer. It is not used for advertising, retargeting, sale, profiling for cross-context behavioral advertising, or profile-building of identified individuals.
Customer responsibility. If you (the customer) deploy the threat-detection script on your site, you are the controller of the resulting visitor data and you are responsible for providing the appropriate notice to, and (where required) collecting consent from, your visitors under the ePrivacy Directive, GDPR, the FADP, the CCPA/CPRA, and any other applicable law. CheckVibe acts as a processor of that data on your behalf in accordance with our Data Processing Addendum.
When you contact us (via email, in-product chat, or otherwise), we collect your email address, message content, attachments, and metadata necessary to respond. Support correspondence is retained for the duration of your account plus thirty (30) days after account closure, and then deleted, unless retention is required by law, dispute, or ongoing security investigation.
If you (or your organization) are publicly identified as the operator of a website with demonstrable security issues we discovered during a publicly observable scan, we may, on a limited, individualized basis and in our legitimate interest, send a one-off notification email to a public contact address. You can opt out of any further outreach by replying to the message or contacting support@checkvibe.dev.
CheckVibe does not knowingly request or process “sensitive personal information” (as defined under CPRA, GDPR Art. 9, or similar laws) for inferring characteristics about you. We do not collect genetic, biometric, health, racial, ethnic, religious, philosophical, union-membership, sex-life, sexual-orientation, or precise-geolocation data, nor government identifiers, financial account login credentials, mail/email contents, or messages. If such data inadvertently appears in scanned content or support correspondence, we will treat it with the elevated standards required by applicable law and you may request deletion.
Under the EU GDPR, UK GDPR, and the Swiss revFADP, we rely on the following legal bases:
For Swiss FADP purposes, processing is carried out on equivalent bases (consent, contract, law, or overriding legitimate interest). For UK GDPR purposes, equivalent bases apply.
We share personal data only with the categories of recipients listed below and only to the extent strictly necessary for the relevant purpose. A current list of our principal subprocessors is maintained at checkvibe.dev/subprocessors.
Each subprocessor is bound by contractual obligations consistent with applicable data-protection law, including, where required, Standard Contractual Clauses (SCCs) and UK Addenda. We share only the minimum data necessary for each recipient's purpose.
CheckVibe is based in Switzerland. Some of our service providers process personal data in countries outside of Switzerland and the European Economic Area (EEA), including in the United States. When we transfer personal data internationally, we rely on one or more transfer mechanisms recognized under applicable law, including:
A copy of the relevant transfer mechanism for a specific recipient is available on request by writing to support@checkvibe.dev.
We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by law. Indicative retention periods:
When retention is no longer required, personal data is deleted or anonymized so it can no longer be linked to you. Anonymized and aggregated data may be retained indefinitely.
We use a minimal set of strictly necessary cookies and similar local-storage technologies for authentication, security, and session management. We do not use advertising or third-party tracking cookies. For details, see our Cookie Policy.
Do Not Track / Global Privacy Control. Because we do not engage in cross-context behavioral advertising and do not sell personal data, browser-based “Do Not Track” signals and Global Privacy Control (GPC) signals do not change our processing. We honor GPC as an opt-out request to the extent required by applicable law.
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, including without limitation: TLS encryption in transit; encryption of sensitive credentials at rest; secure password hashing; role-based access controls; row-level security on our database; principle of least privilege; multi-factor authentication for administrative accounts; logging and monitoring; periodic vulnerability assessment of our own platform; vendor-risk review of subprocessors; and security training for personnel with access to personal data.
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and notifying us of any suspected compromise.
In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of it, as required by Art. 33 GDPR (or analogous obligations under the FADP, UK GDPR, or other applicable law). Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay as required by Art. 34 GDPR.
We do not make decisions that produce legal effects or similarly significant effects on you based solely on automated processing (within the meaning of Art. 22 GDPR). Our scanning, threat-detection, and AI-assisted analysis features apply automated rules to data you submit, but the outputs are informational and require human review and action; they are not used to make decisions that legally or significantly affect any individual.
Subject to conditions and exceptions in applicable law, you may have the following rights with respect to personal data we hold about you:
You can exercise the right to erasure instantly from your account deletion page. For all other requests, contact support@checkvibe.dev. We will respond within thirty (30) days (extendable by sixty (60) days for complex requests, with notice to you). We may need to verify your identity before responding.
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”):
Categories of personal information collected in the preceding 12 months: identifiers (email, IP); commercial information (subscription, payment metadata); internet or other electronic-network activity (log, telemetry); inferences for security and abuse detection only. We have not sold or shared (for cross-context behavioral advertising) any personal information in the preceding 12 months. We do not knowingly sell or share information of consumers under sixteen (16).
To exercise a right, use your account deletion page or email support@checkvibe.dev with the subject “CCPA Request.”
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), New Hampshire, Delaware, New Jersey, Maryland, Minnesota, Rhode Island, and Florida (FDBR), and any other U.S. state that grants equivalent rights, have, subject to the conditions and exceptions of their respective laws, the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of (i) the sale of personal data, (ii) targeted advertising, and (iii) profiling for decisions that produce legal or similarly significant effects. CheckVibe does not engage in (i), (ii), or (iii). To exercise other rights, follow the instructions in Section 14 or contact support@checkvibe.dev. Appeals of our decisions on such requests can be sent to the same address with the subject “Privacy Appeal.”
Brazil (LGPD). Brazilian data subjects have rights of access, correction, anonymization, blocking, deletion, portability, information about sharing, and withdrawal of consent. Direct requests to support@checkvibe.dev.
Canada (PIPEDA, Quebec Law 25). Canadian residents may request access to and correction of personal information and withdraw consent subject to legal and contractual restrictions. Quebec residents may additionally request the cessation of dissemination, de-indexing, and portability where applicable.
Australia. Australian residents may access and correct their personal information under the Australian Privacy Principles.
Japan, South Korea, Singapore, India, others. We honor analogous rights under applicable local data-protection laws to the extent they apply to our processing.
The Service is not directed to, and we do not knowingly collect personal data from, anyone under the age of sixteen (16) (or the higher minimum age in your jurisdiction, including eighteen (18) where required). We do not knowingly collect “personal information from children” within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe that we have collected personal data from your child, please contact us at support@checkvibe.dev and we will promptly delete it.
CheckVibe does not sell personal data for money or any other valuable consideration. We do not share personal data for cross-context behavioral advertising. We do not use Customer Content (such as your scan data, source code, repository contents, or integration credentials) to train, fine-tune, or evaluate any third-party large-language model or machine-learning model except as strictly necessary to run the specific scan or feature you requested.
We may update this Privacy Policy from time to time. For material changes, we will provide advance notice (generally at least thirty (30) days) by email and/or by posting a prominent notice in the Service. The current version is always available at checkvibe.dev/privacy with a “Last updated” date and version number. Non-material changes (such as clarifications or typographical corrections) take effect on posting. Continued use of the Service after changes take effect constitutes acceptance.
If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, contact us: