Privacy Policy
Effective Date: March 29, 2026 · Last Updated: March 29, 2026
VibeSec Advisory ("VibeSec," "we," "us," or "our") operates the security assessment platform at vibesecadvisory.com (the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the Service. By creating an Account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, do not use the Service.
01. Information We Collect
1.1 Information You Provide
| Data Type | What We Collect | Why |
|---|---|---|
| Email address | The email you use to create your Account | Account creation, magic-link authentication, service communications, PDF report delivery |
| Domain names | Domains you add for assessment | Performing security scans you request |
| Domain verification records | DNS TXT records you create | Confirming domain ownership before scanning |
| User settings | PDF email toggle, notification preferences | Delivering the Service according to your preferences |
1.2 Information Generated by the Service
| Data Type | What We Collect | Why |
|---|---|---|
| Scan results | Security scores, vulnerability findings (severity, type, description, remediation guidance) | Providing assessment results — this is the core Service |
| Scan history | Record of scans initiated (date, time, domain, scan type, status) | Dashboard history, service troubleshooting |
| Assessment Reports | PDF and dashboard representations of scan results | Delivering reports to you |
1.3 Information Collected Through Third Parties
| Data Type | Source | Why |
|---|---|---|
| Billing information | Stripe, Inc. | Processing your Subscription payments. VibeSec does NOT receive, store, or have access to your full credit card number. We receive only: subscription status, plan type, billing cycle dates, and a truncated card identifier for display. |
| Email delivery metadata | Twilio SendGrid | Delivering transactional emails (magic links, PDF reports). SendGrid processes your email address and email delivery status. |
1.4 Information Collected Automatically
| Data Type | How | Why |
|---|---|---|
| Session data | Session cookie (see Section 7) | Maintaining your authenticated session |
| IP address | Cloudflare (hosting provider) | Security, abuse prevention, and performance optimization |
| Basic request analytics | Cloudflare Analytics | Aggregate traffic analysis (page views, geographic distribution). We do NOT use Google Analytics or third-party tracking scripts. |
1.5 Information We Do NOT Collect
- No passwords. We use magic-link email authentication. We do not store or process passwords.
- No source code. We do not access, scan, or store your application source code. Our scans assess your domain's externally-observable security posture.
- No internal network data. Our scans are external only (similar to what a visitor to your website can observe). We do not install agents inside your infrastructure.
- No browsing history. We do not track your activity across other websites.
02. How We Use Your Information
We use your information for the following purposes:
- Providing the Service. Running security assessments on your Verified Domains, generating Assessment Reports, displaying results in your Dashboard, and delivering PDF reports via email.
- Account Management. Creating and maintaining your Account, authenticating your identity via magic links, managing your Subscription.
- Communications. Sending transactional emails (magic links, scan completion notifications, PDF reports, billing confirmations), and service-related announcements (security notices, Terms updates, planned maintenance).
- Billing. Processing Subscription payments, managing renewals, and handling refund requests through Stripe.
- Security and Abuse Prevention. Detecting and preventing unauthorized access, fraud, abuse of the Service, and violations of our Terms of Service.
- Service Improvement. Analyzing aggregate, anonymized usage patterns to improve the Service. We do NOT use individual scan results or vulnerability findings for this purpose.
- Legal Compliance. Complying with applicable laws, regulations, legal processes, or governmental requests.
04. Data Storage and Security
4.1 Where Your Data Is Stored
| Data Type | Storage Location | Provider |
|---|---|---|
| Account data (email, settings) | Cloudflare edge network (global, with primary processing in US) | Cloudflare KV |
| Session data | Cloudflare edge network | Cloudflare KV |
| Subscription data | Stripe infrastructure (US) | Stripe |
| Scan results and history | Cloudflare KV (US region) | Cloudflare |
| Assessment processing | United States (VPS) | Hostinger |
| Email delivery | Twilio infrastructure (US) | SendGrid |
4.2 Security Measures
- Encryption in transit: All data transmitted between your browser and the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Scan data stored in Cloudflare KV is encrypted at rest per Cloudflare's infrastructure standards.
- Authentication: Magic-link email authentication with time-limited, single-use tokens.
- Access controls: Only authorized VibeSec personnel can access customer data, and only for support, debugging, or legal compliance purposes. Access is logged.
- Domain verification: DNS TXT verification is required before any scanning, so that scans can only be initiated, and assessment data only received, by the Account that has demonstrated control of the domain.
- Minimal data collection: We collect only the data necessary to provide the Service.
- No password storage: Magic-link authentication means we never store or process passwords.
4.3 Breach Notification
In the event of a data breach that affects your personal information, VibeSec will:
- Notify affected users via email within seventy-two (72) hours of becoming aware of the breach
- Provide information about the nature of the breach, the data affected, and the steps we are taking
- Notify relevant regulatory authorities as required by applicable law
05. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Scan results and history | 60 days from each Scan | Service functionality; automatic deletion |
| Account data (email, domains, settings) | Duration of active Account + 30-day read-only export window, then deleted within a further 30 days (see Section 5.1) | Contract performance; post-cancellation export window |
| Subscription/billing records | Per Stripe retention policy and applicable tax law (typically 7 years for financial records) | Legal obligation |
| Email delivery logs | Per SendGrid retention policy (typically 30 days) | Service delivery |
| Cloudflare access logs | Per Cloudflare retention policy (typically 72 hours for raw logs) | Security |
| Scan processing logs on VPS | 30 days | Debugging, abuse prevention |
5.1 Deletion After Cancellation
- Your Account enters a 30-day read-only period for data export
- After the read-only period, Account data is deleted within 30 days
- Scan data continues to expire per its 60-day retention schedule
- Financial records are retained as required by law
5.2 Deletion on Request
You may request immediate deletion of your Account and associated data at any time (see Section 6). Some data may be retained as required by law.
06. Your Rights
6.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your Account and personal data, subject to legal retention requirements.
- Data Export: Export your Assessment Reports in PDF format from the Dashboard.
- Opt-out of marketing: Unsubscribe from marketing emails at any time (transactional emails related to your Account and Service are not marketing).
To exercise these rights, contact [email protected]. We will respond within thirty (30) days.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal obligations).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: VibeSec does NOT sell your personal information. VibeSec does NOT share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected: Identifiers (email address), internet/electronic network activity (IP address, session data), and commercial information (subscription status).
Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA (e.g., Social Security numbers, financial account numbers, precise geolocation, racial/ethnic origin).
To submit a CCPA request, contact [email protected] with the subject line "CCPA Request." We will verify your identity before processing the request. You may also designate an authorized agent to submit requests on your behalf.
6.3 European Economic Area and UK Residents (GDPR)
VibeSec is US-based and primarily targets US customers. If the GDPR or UK GDPR applies to your use of the Service, the following disclosures and additional rights apply:
- Lawful Basis: We process your personal data on the basis of contract performance (providing the Service you subscribed to) and legitimate interests (security, abuse prevention, service improvement).
- Right to Portability: You may request your personal data in a structured, commonly used, machine-readable format.
- Right to Restrict Processing: You may request that we restrict processing of your personal data in certain circumstances.
- Right to Object: You may object to processing based on legitimate interests.
- Right to Lodge a Complaint: You may lodge a complaint with your local data protection authority.
- Data Transfers: Your data is processed in the United States. By using the Service, you consent to the transfer of your data to the US.
08. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child has provided us with personal information, please contact [email protected].
09. Third-Party Links
The Service may contain links to third-party websites or services (e.g., links to remediation resources, security frameworks, or tool documentation). VibeSec is not responsible for the privacy practices of third-party websites. We encourage you to review their privacy policies.
10. Changes to This Policy
VibeSec may update this Privacy Policy from time to time. We will:
- Post the updated Privacy Policy at vibesecadvisory.com/privacy with a new "Last Updated" date
- Notify you via email of material changes at least thirty (30) days before they take effect
- If required by law, obtain your consent before applying material changes to the processing of your data
Your continued use of the Service after changes take effect constitutes your acceptance of the revised Privacy Policy.
11. Data Protection Officer
For privacy-related inquiries, VibeSec's designated privacy contact is available at [email protected]. VibeSec has not appointed a formal Data Protection Officer, as our processing activities do not meet the applicable thresholds under GDPR Article 37.
12. Contact Information
For all privacy-related requests, please email [email protected]. We will acknowledge your request within five (5) business days and provide a substantive response within thirty (30) days.
Copyright © 2026 VibeSec Advisory. All rights reserved.