Privacy Policy

1. Information We Collect

When you use vibeAudit, we collect:

• Account data: Email address and hashed password when you create an account.
• Scan targets: URLs you submit for scanning.
• Scan results: Vulnerability findings, severity ratings, and generated reports.
• Payment data: Processed entirely by Stripe. We store your Stripe customer ID but never your card details.
• Usage data: IP address (for rate limiting only), scan timestamps.

2. Service Tiers and Data Processing

Free Scan: Runs locally on our servers. No data is sent to third-party AI services. Cost: $0.

Deep Scan ($4.99+): Anonymized vulnerability data is sent to Anthropic's Claude API for AI-powered analysis. No personally identifiable information, URLs, or credentials are included in AI requests.

3. Test Credentials

If you provide test account credentials for authenticated scanning, they are stored temporarily and deleted immediately after the scan completes. Credentials are never logged, never sent to third-party services, and never stored long-term.

4. Third-Party Services

We use only two third-party services:

• Stripe: Payment processing. Subject to Stripe's Privacy Policy.
• Anthropic (Claude API): AI analysis for deep scans only. Only anonymized vulnerability patterns are sent — no user data, URLs, or credentials.

We do not use analytics tools, session recording, tracking cookies, or advertising services. We do not sell your data.

5. Cookies

We use a single session cookie (vg_session) for authentication. It is HttpOnly, SameSite=Lax, and Secure in production. We do not use tracking cookies, analytics scripts, or third-party cookies.

6. Data Retention

• Scan reports: Retained while your account is active. Deleted within 30 days of account deletion.
• Test credentials: Deleted immediately after scan completion.
• Session data: Expires after 7 days, automatically cleaned up.
• Rate limit data: Stored in memory only, cleared on server restart.

7. Your Rights

You may:

• Delete your account and all associated data at any time from your Account settings.
• Request a data export by contacting us.
• Opt out of data processing — simply don't use the service.

For California residents (CCPA): We do not sell personal information. For EU residents (GDPR): You have the right to access, rectify, and erase your personal data.

8. Security

We protect your data with bcrypt password hashing, HTTPS encryption, Content Security Policy headers, rate limiting, and session expiration.

Last updated: April 2026. Contact: [email protected]