Privacy Policy
Last updated: May 10, 2026
1. Overview
This Privacy Policy describes what data VibeShield ("we", "our", "the Service") collects, how we use it, and your rights regarding that data. We collect the minimum necessary to deliver the Service and never sell your data to third parties.
2. What We Collect
From free scans:
- The URL you submit for scanning
- The findings detected (vulnerability patterns identified)
- Timestamp of the scan
- Your IP address — used for rate limiting and abuse prevention; not retained beyond 24 hours
When you provide your email:
- Your email address — to send you the scan report and optional product updates
When you make a purchase:
Payment is processed by Paddle.com Market Limited ("Paddle"), our Merchant of Record. Paddle collects your billing details (name, email, billing address, payment method) for the purposes of processing the transaction, calculating tax, and detecting fraud. Paddle's privacy policy governs their use of this data: paddle.com/legal/privacy. We receive only your email address and transaction confirmation from Paddle. We never see or store your payment card details.
3. What We Don't Collect
- We do not store the JavaScript bundle contents we fetch during a scan beyond the duration of that scan.
- We do not store secret values detected by the scanner (e.g., API keys, JWT tokens). Where these appear in reports, only the first 6 characters are shown, redacted with ....
- We use Google Analytics 4 with anonymized IPs for aggregate traffic measurement. Plausible Analytics (cookieless) is our primary analytics for performance metrics. We do not share any visitor data with advertisers or use it for retargeting.
- We do not sell, rent, or share your data with third parties for marketing purposes.
4. Third-Party Services
We use the following third-party services to deliver VibeShield. Each has its own privacy policy:
- Vercel — hosting infrastructure — privacy policy
- Resend — transactional email delivery — privacy policy
- Paddle — payment processing and Merchant of Record — privacy policy
- Anthropic — AI generation of fix prompts; we send only redacted finding metadata, never your raw bundle content or PII — privacy policy
- Plausible Analytics — cookieless website analytics — privacy policy
- Google Analytics 4 — aggregate website analytics; we use anonymized IP and never send your scanned URLs to Google — privacy policy
5. Data Retention
- Scan results: retained for 90 days, then automatically deleted.
- Email address: retained until you request deletion or until 12 months of inactivity, whichever comes first.
- Transaction records: retained for 7 years as required by applicable accounting and tax laws.
6. Your Rights
You have the right to:
- Request a copy of the data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Withdraw consent for marketing emails (every email includes an unsubscribe link)
To exercise any of these rights, email founder@vibe-shield.com.
EU and UK customers: you have additional rights under GDPR including the right to lodge a complaint with your supervisory authority.
7. Security
We use HTTPS for all data in transit. Data at rest (your email, scan timestamps) is encrypted on Vercel's infrastructure. We do not store secrets, payment data, or your application's source code.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to subscribed users at least 14 days before they take effect.
9. Contact
Questions about your data? Contact us at founder@vibe-shield.com.