
Privacy Policy

Last updated: April 20, 2026

This Privacy Policy has not been reviewed by outside counsel. If you are an enterprise customer, email support@protectyourvibes.ai for a reviewed copy.

1. Introduction

Protect Your Vibes Inc. ("PYV", "we", "us") operates protectyourvibes.ai, a web application that scans URLs for security misconfigurations and surfaces remediation guidance. This Privacy Policy explains what we collect, how we use it, and the choices you have. Questions? Write to support@protectyourvibes.ai.

2. Information we collect

  • Account information — email address, a bcrypt-hashed password handled by Supabase Auth, session cookies, account creation and last-sign-in timestamps.
  • Scan inputs and responses — the URLs you submit, DNS records, and HTTP headers and bodies returned by the scanned sites. Scan evidence may contain personal data if the scanned app is publicly leaking it (for example, an exposed Supabase table). This is your own exposed data, surfaced to you so you can fix it.
  • Billing information — processed by Stripe. We store a Stripe customer ID, subscription status, and the last four digits of your card. We never receive or store full card numbers or CVCs.
  • Technical information — a one-way hash of your IP address for rate limiting, user-agent string for abuse detection, and request IDs for debugging.
  • Cookies — essential cookies (auth, session, CSRF) are used by default. Analytics and marketing cookies are only set with your consent via the cookie banner.

3. How we use information

  • Provide the scanning service and deliver results
  • Authenticate and authorize requests
  • Prevent abuse through rate limiting and bot detection
  • Send transactional email (scan results, security alerts, billing receipts)
  • Send marketing email only if you have opted in; you can unsubscribe in any email
  • Improve the product via aggregate, de-identified analytics

4. Legal bases for processing

  • Contract — providing the service you signed up for.
  • Legitimate interest — abuse detection, fraud prevention, product security.
  • Consent — marketing email, analytics cookies, optional third-party integrations.
  • Legal obligation — tax, accounting, and lawful requests from authorities.

5. Data sharing

We share data with the following sub-processors, each under a written data-protection agreement:

  • Supabase (US) — managed database and authentication
  • Vercel (US, global edge) — web and API hosting
  • Stripe (US + EU) — payment processing and subscription management
  • Resend (US) — transactional email delivery
  • Cloudflare (global) — DNS, DDoS protection, Turnstile CAPTCHA, stealth egress proxy for scans
  • Sentry (US) — error tracking; optional and disableable on customer request

We do not sell your data to advertisers or data brokers. We do not use your data, scan inputs, or scan results to train AI models.

See our Data Processing Agreement for processor terms.

6. Data retention

  • Scan evidence — auto-purged after 30 days on the free tier, or per-user-configured between 1 and 365 days on paid tiers.
  • Scan metadata (finding IDs, counts, grades) — retained for trend analysis until you delete your account.
  • Account data — retained until you delete your account.
  • Billing records — retained for seven (7) years to comply with US tax and accounting requirements.

7. Your rights (GDPR + CCPA)

  • Access — GET /api/me/export downloads everything we hold about you as JSON.
  • Correction — edit your profile in /settings.
  • Deletion — DELETE /api/settings/account, or email support@protectyourvibes.ai.
  • Portability — the export endpoint returns machine-readable JSON.
  • Object to processing — disable analytics in cookie settings; opt out of marketing email.
  • Lodge a complaint — with your EU supervisory authority, or the California Attorney General if you reside in California.
  • Non-discrimination — we will not deny service, change pricing, or degrade quality because you exercised a right.

8. International transfers

All data is currently stored in the United States (Supabase US-East-1 and Vercel US edges). EU, UK, and Swiss residents acknowledge that their data is transferred to the US under the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum. EU-region hosting is on our roadmap for regulated enterprise customers.

9. Children's privacy

The service is not directed at children under 13 (US) or 16 (EU). We do not knowingly collect data from children. If you believe a child has created an account, email support@protectyourvibes.ai and we will delete the account immediately.

10. Security

  • All traffic is encrypted in transit via TLS 1.2 or higher
  • Passwords are hashed with bcrypt by Supabase Auth
  • Database storage is encrypted at rest with AES-256
  • Principle of least privilege on service-role keys
  • Row-Level Security on all customer-facing tables
  • Evidence containing PII is auto-purged per retention policy
  • We do not offer HIPAA-compliant services. Do not scan HIPAA-regulated applications without a Business Associate Agreement (BAA), which is not available.

11. Breach notification

If we detect a breach affecting your personal data, we will notify you within 72 hours per GDPR Article 33 and any applicable US state breach-notification laws.

12. Updates to this policy

We will email you at least 30 days before any material change to this Privacy Policy. Non-material edits (typos, link fixes) will be reflected in the "Last updated" date above.

13. Contact

support@protectyourvibes.ai, or write to: Protect Your Vibes Inc., address to be published once incorporation is complete. See also our Terms of Service, Acceptable Use Policy, DPA, and Terms of Engagement.