Privacy Policy

1. Who we are

The data controller for this Service is VIBSL, a registered fictitious name of a Texas limited liability company ("VIBSL", "we", "us"), with its registered office at [REPLACE: business address]. The parent entity name is provided on request — write to privacy@vibsl.com and we'll send it to you, including for any regulator or subject-access request. For EU/EEA users, we have not yet designated a GDPR Article 27 representative — we are currently below the Article 3(2) processing threshold for EU residents and will appoint one if and when that changes.

2. What we collect

• Account information — name, email, GitHub username, and your organisation name when you sign in.
• Deployment metadata — repository name and branch, commit SHA, build logs, image digest, scan results, SBOM. We do not retain your source code after the build container is destroyed.
• Configuration — environment-variable keys (values are encrypted at rest using Azure Key Vault and not returned in API responses), custom-domain settings, scaling rules.
• Usage telemetry — API request logs (HTTP status, latency, path), platform-side audit events (sign-in, deploy initiated, member added).
• Support correspondence — emails you send to our support, sales, or legal addresses.
• Cookies / analytics — see Section 7.

We do not currently collect or process payment information. When billing goes live we will update this section before processing a single card.

3. How we use it

We use the information above to:

• Run the Service — build, scan, deploy, and monitor your apps.
• Send transactional emails (sign-in confirmations, deploy notifications, billing — once it's live).
• Investigate security incidents and prevent abuse.
• Comply with legal obligations.
• Communicate with you about beta access, changes to the Service, and (with separate opt-in) product news.

We do not sell your personal information, and we do not use your source code, build artifacts, or deployment data to train shared machine-learning models.

4. Sub-processors

We use the following sub-processors to run the Service today. We will give 30 days' advance notice on this page before adding a new one that processes customer personal data.

• Microsoft Azure — primary infrastructure (compute, databases, blob storage, Key Vault). Region: Central US.
• GitHub, Inc. — repository OAuth + read-only source cloning.
• Cloudflare, Inc. — DNS, TLS termination, static-site CDN.
• Landing-page analytics — a cookieless, EU-hosted privacy-respecting provider, named here once enabled. Not currently active.
• [REPLACE: email-sending provider, e.g. Resend / Postmark] — transactional email.

Each of these providers processes data under their own terms and privacy commitments. When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and additional safeguards as required.

5. How long we keep it

• Source code — never persisted. Deleted with the build container at the end of the build (minutes).
• Build logs and scan artifacts — 90 days, then automatically deleted.
• Deployment metadata + audit events — for the life of the project, plus 30 days after deletion.
• Account record — for the life of the account, plus 90 days after deletion (longer where required by law).
• Support correspondence — 2 years from the date of the last message in the thread.
• Billing records — 7 years (US tax retention) once billing is live.

6. Security

We protect personal data using TLS 1.3 in transit, encrypted secrets at rest in Azure Key Vault, multi-tenant namespace isolation in the underlying cluster, and least-privilege IAM. Specific per-build controls (CVE scan, SBOM, secrets scan, EOL check) are described on our security page. We have not yet completed a SOC 2 or ISO 27001 audit — that is on our roadmap, not part of this policy.

7. Cookies & analytics

We avoid third-party tracking cookies on the marketing site. When analytics are enabled, we use a cookieless, privacy-respecting provider that records anonymous aggregate stats (page, country, referrer, screen size) and no personal identifiers. The specific provider will be named in this section once activated.

The dashboard application uses first-party cookies only — authentication session, theme preference, last-visited page. Strictly necessary cookies under the EU ePrivacy Directive.

8. Your rights

Depending on where you are, you have the following rights:

• Access — request a copy of the personal data we hold.
• Correct — fix inaccurate or incomplete data.
• Delete — request erasure (subject to legal-retention exceptions).
• Restrict / object — limit or object to processing in some cases.
• Portability — receive a machine-readable export.
• Withdraw consent — where processing relies on consent (e.g. marketing email).
• Lodge a complaint — with your local data-protection authority.

Send any request to privacy@vibsl.com . We'll respond within 30 days.

California residents: the CCPA gives you the same access / deletion rights, plus a right to know what personal information we've sold or shared (we do neither). To opt out of sharing for cross-context behavioural advertising, email privacy@vibsl.com . We will treat the request as honoured even if you weren't subject to such sharing in the first place.

9. International transfers

Our primary infrastructure is currently in Central US. If you access the Service from the EEA, the UK, or Switzerland, your personal data will be transferred to and processed in the United States under Standard Contractual Clauses (and, where applicable, the UK's International Data Transfer Addendum), supplemented by additional measures including encryption in transit and at rest.

10. Changes

We may update this policy. Material changes will be notified by email to the address on your account at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent version.

11. Contact

Privacy questions: privacy@vibsl.com .
Mailing address: [REPLACE: business address].