Privacy Policy

1. Data Controller

The data controller responsible for your personal information is:

2. Information We Collect

Purchase Information:

• Email address (collected via Stripe during checkout)
• Payment information (processed by Stripe, not stored by us)
• GitHub username (provided for repository access)
• Transaction details (amount, currency, timestamp)

Technical Information:

• IP addresses (for security and fraud prevention)
• Browser and device information
• Access logs and usage patterns
• Cookies and session data

Encrypted Data:

• All sensitive user data is encrypted using AES-256-GCM
• Zero-knowledge encryption ensures we cannot access your encrypted data
• Encryption keys are derived using PBKDF2 from user-provided passwords

3. How We Use Information

We use collected information for:

• Transaction Processing: Validating purchases and granting GitHub repository access
• Security: Preventing fraud, unauthorized access, and security breaches
• Service Delivery: Providing access to VibeSafely boilerplate and documentation
• Support: Responding to customer inquiries and technical issues
• Legal Compliance: Meeting GDPR, data protection, and tax requirements
• Service Improvement: Analyzing usage patterns to enhance our product

4. Legal Bases for Processing (GDPR)

Our legal bases for processing personal data:

• Contract Performance (Art. 6(1)(b)): Processing payment and delivering GitHub access
• Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement
• Legal Obligation (Art. 6(1)(c)): Tax records, data breach notifications, law enforcement requests
• Consent (Art. 6(1)(a)): Optional analytics, marketing communications

5. Third-Party Processors and Data Sharing

We share data with trusted partners:

• Stripe: Payment processing (PCI DSS compliant)
• GitHub: Repository access management
• Vercel: Hosting infrastructure (SOC 2 compliant)
• PostgreSQL/Redis providers: Database services with encryption
• Email service providers: Customer support communications

All third-party processors are bound by data processing agreements and maintain appropriate security standards. We do not sell or rent personal information to third parties.

6. Data Transfers

Data may be transferred outside the European Economic Area (EEA) to:

• United States (Stripe, GitHub, Vercel) - covered by adequacy decisions or standard contractual clauses
• Other jurisdictions only with appropriate safeguards (Art. 46 GDPR)

All transfers comply with GDPR requirements and include appropriate technical and organizational measures.

7. Data Retention

We retain data as follows:

• Transaction records: 7 years (tax and accounting requirements)
• Access logs: 90 days (security and debugging)
• Support communications: 3 years (customer service history)
• Encrypted user data: Until user requests deletion or account closure
• Cookies and session data: As specified in cookie settings

Data is automatically deleted after retention periods expire unless legal obligations require longer retention.

8. Your Privacy Rights (GDPR & Beyond)

You have the right to:

• Access: Request copies of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interest
• Withdraw consent: For processing based on consent
• Lodge complaints: With supervisory authorities

To exercise these rights, contact us at support@your-domain.com. We will respond within 30 days.

9. Cookies and Tracking Technologies

We use cookies for:

• Essential cookies: Authentication, security, site functionality
• Analytics cookies: Understanding site usage (with consent)
• Performance cookies: Optimizing site performance

You can control cookies through your browser settings. Disabling essential cookies may affect site functionality.

10. Data Security and Breach Notification

Our security measures include:

• Encryption: AES-256-GCM for data at rest and in transit
• Access controls: Multi-factor authentication and principle of least privilege
• Monitoring: Continuous security monitoring and incident response
• Auditing: Regular security audits and vulnerability assessments
• Zero-knowledge architecture: We cannot access your encrypted data

In case of a data breach, we will notify affected users and supervisory authorities within 72 hours as required by GDPR.

11. Children's Privacy

VibeSafely is not intended for users under 16 years old. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will delete it immediately. Parents who believe their child has provided personal information should contact us at support@your-domain.com.

12. Policy Changes and Updates

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated via email or prominent notice on our website at least 30 days before taking effect. Continued use of VibeSafely after changes indicates acceptance of the updated policy.

13. Contact Information

For privacy-related questions or to exercise your rights:

Supervisory Authority: You may also contact your local data protection authority if you believe your rights have been violated.