Privacy Policy
Effective Date: May 3, 2026 · Last Updated: May 3, 2026
VibeSec Advisory ("VibeSec," "we," "us," or "our") provides FORGE Methodology consulting and advisory services. This Privacy Policy describes how we collect, use, store, share, and protect your information when you engage us for consulting services or visit vibesecadvisory.com (collectively, the "Services"). By engaging VibeSec or using our Services, you acknowledge that you have read and understood this Privacy Policy.
01. Information We Collect
1.1 Information You Provide Directly
| Data Type | What We Collect | Why |
|---|---|---|
| Contact information | Name, email address, company name, job title, phone number (if provided) | Engagement communications, invoicing, deliverable delivery |
| Referral source | How you heard about VibeSec (if provided via contact form) | Understanding how clients find us, improving outreach |
| Organizational information | Team structure, technology stack, AI tool inventory, development workflows, security policies | Delivering consulting engagements (strategy sessions, roadmaps, assessments) |
| Interview and call notes | Notes from kickoff calls, stakeholder interviews, and delivery sessions | Creating accurate, tailored deliverables |
| Contact form submissions | Name, email, and message submitted through our website | Responding to inquiries, async scoping, follow-up communications, and delivery questions |
1.2 Information Generated During Engagements
| Data Type | What We Collect | Why |
|---|---|---|
| Process analysis results | Workflow assessments, FORGE blueprints, guardrails recommendations, process redesign documentation | Providing consulting engagement deliverables |
| Assessment reports | Written deliverables including roadmaps, governance policies, executive summaries, technical reports | Delivering consulting engagement work product |
| Engagement history | Record of engagements (dates, type, scope, status) | Service continuity, follow-up support |
1.3 Information Collected Through Third Parties
| Data Type | Source | Why |
|---|---|---|
| Payment information | Stripe, Inc. | Processing engagement payments. VibeSec does NOT receive, store, or have access to your full credit card number. We receive only: payment status and a truncated card identifier for display. |
| Email delivery metadata | Twilio SendGrid | Delivering transactional emails (invoices, engagement communications, deliverable notifications). SendGrid processes your email address and email delivery status. |
1.4 Information Collected Automatically
| Data Type | How | Why |
|---|---|---|
| IP address | Cloudflare (hosting provider) | Security, abuse prevention, and performance optimization |
| Basic request analytics | Cloudflare Analytics | Aggregate traffic analysis (page views, geographic distribution). We do NOT use Google Analytics or third-party tracking scripts. |
1.5 Information We Do NOT Collect
- No source code. Unless you specifically provide code samples for review during a consulting engagement, we do not access or store your application source code.
- No internal network data. We do not access your internal networks or install agents inside your infrastructure. Consulting engagements are based on information you voluntarily share.
- No employee personal data. During consulting engagements we may learn team member roles and responsibilities, but we do not collect personal data (home addresses, Social Security numbers, etc.) of your employees.
- No browsing history. We do not track your activity across other websites.
02. How We Use Your Information
We use your information for the following purposes:
- Delivering Consulting Services. Conducting strategy sessions, creating AI adoption roadmaps, performing security assessments, drafting governance policies, and delivering other engagement deliverables.
- Process Analysis. Analyzing your workflows, AI tool usage, and organizational processes to create FORGE blueprints, guardrails recommendations, and transformation roadmaps.
- Communications. Sending engagement-related emails (proposals, invoices, deliverables, follow-up calls) and service-related announcements.
- Billing. Processing engagement payments, sending invoices, and handling billing inquiries through Stripe.
- Security and Abuse Prevention. Detecting and preventing unauthorized access, fraud, and abuse of our website.
- Service Improvement. Analyzing aggregate, anonymized engagement patterns to improve our methodology and tools. We do NOT use individual client vulnerability findings or organizational details for this purpose.
- Legal Compliance. Complying with applicable laws, regulations, legal processes, or governmental requests.
04. AI and Automated Processing
4.1 How We Use AI
VibeSec uses AI-powered tools (including Anthropic Claude) to assist with analysis and draft components of consulting deliverables. AI helps us analyze workflow patterns, identify process optimization opportunities, and prepare FORGE blueprints and recommendations. All AI-generated analysis is reviewed and refined by VibeSec's human consultants before delivery.
4.2 What Data AI Processes
During consulting engagements, AI tools may process:
- Workflow descriptions and process documentation you share
- Organizational context (team structure, AI tool inventory) provided during sessions
- Anonymized process data used to generate FORGE blueprints and recommendations
AI tools do NOT process: your source code, internal network data, employee personal information, or any data you have not voluntarily shared with VibeSec.
4.3 AI Data Retention
VibeSec uses commercial AI API services for AI-assisted analysis. Provider retention, logging, and model training treatment are governed by the applicable provider agreement and account settings in effect when processing occurs. VibeSec does not authorize model providers to use client submissions for public model training where commercial terms or account settings prevent that use.
4.4 Human Review
All deliverables that include AI-generated analysis are reviewed by VibeSec's human consultants before delivery to you. AI assists our work but does not replace human judgment.
05. Data Storage and Security
5.1 Where Your Data Is Stored
| Data Type | Storage Location | Provider |
|---|---|---|
| Website data (lead forms) | Cloudflare edge network (global, with primary processing in US) | Cloudflare KV / D1 |
| Payment data | Stripe infrastructure (US) | Stripe |
| Engagement files and deliverables | United States (VPS) | Hostinger |
| Engagement working files | United States (VPS) | Hostinger |
| Email delivery | Twilio infrastructure (US) | SendGrid |
5.2 Security Measures
- Encryption in transit: All data transmitted between your browser and our website is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in Cloudflare KV is encrypted at rest per Cloudflare's infrastructure standards.
- Access controls: Only authorized VibeSec personnel (currently the founder) can access client engagement data. Client data is organized per-engagement with access restricted to the engagement team.
- Confidentiality: All consulting engagements are covered by mutual confidentiality obligations (see our Terms of Service, Section 7).
- Minimal data collection: We collect only the data necessary to deliver the Services you engage us for.
5.3 Breach Notification
In the event of a data breach that affects your information, VibeSec will notify affected clients via email within seventy-two (72) hours of becoming aware of the breach, provide information about the nature of the breach, the data affected, and steps we are taking, and notify relevant regulatory authorities as required by applicable law.
06. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Engagement files (notes, working docs, analysis data) | 90 days after final deliverable | Follow-up support; securely deleted after 90 days |
| Final deliverables (reports, roadmaps, policies) | Delivered to you; VibeSec copy deleted after 90 days | You retain your copies indefinitely |
| Contact and engagement records | Duration of business relationship + 1 year | Follow-up calls, re-engagement, business continuity |
| Financial records (invoices, payments) | Per applicable tax law (typically 7 years) | Legal obligation |
| Email delivery logs | Per SendGrid retention policy (typically 30 days) | Service delivery |
| Cloudflare access logs | Per Cloudflare retention policy (typically 72 hours for raw logs) | Security |
6.1 Deletion on Request
You may request deletion of your data at any time by contacting [email protected]. VibeSec will process deletion requests within thirty (30) days. Some data may be retained as required by law (for example, financial records for tax compliance). Deletion of engagement files does not affect deliverables already delivered to you.
6.2 Early Deletion
If you would like engagement files deleted before the standard 90-day retention period, notify VibeSec in writing and we will accommodate the request within ten (10) business days.
07. Your Rights
7.1 All Clients
Regardless of your location, you have the right to:
- Access: Request a summary of the data we hold about you and your organization.
- Correction: Request correction of inaccurate information.
- Deletion: Request deletion of your data, subject to legal retention requirements.
- Copies of deliverables: Request re-delivery of engagement deliverables during the retention period.
- Opt-out of marketing: Unsubscribe from marketing emails at any time (transactional emails related to active engagements are not marketing).
To exercise these rights, contact [email protected]. We will respond within thirty (30) days.
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale/Sharing: VibeSec does NOT sell your personal information. VibeSec does NOT share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected: Identifiers (name, email address, company), internet/electronic network activity (IP address), professional information (job title, company), and commercial information (engagement history, payment status).
Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA (Social Security numbers, financial account numbers, precise geolocation, racial/ethnic origin).
To submit a CCPA request, contact [email protected] with the subject line "CCPA Request."
7.3 European Economic Area and UK Residents (GDPR)
VibeSec is US-based and primarily serves US clients. If GDPR applies to you, you have the following additional rights:
- Lawful Basis: We process your personal data on the basis of contract performance (delivering consulting services you engaged) and legitimate interests (security, service improvement).
- Right to Portability: You may request your personal data in a structured, commonly used, machine-readable format.
- Right to Restrict Processing: You may request that we restrict processing of your data in certain circumstances.
- Right to Object: You may object to processing based on legitimate interests.
- Data Transfers: Your data is processed in the United States. By engaging VibeSec, you consent to the transfer of your data to the US.
09. Children's Privacy
Our Services are intended for business professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child has provided us with personal information, please contact [email protected].
10. Third-Party Links
Our website and deliverables may contain links to third-party websites or services (security frameworks, tool documentation, remediation resources). VibeSec is not responsible for the privacy practices of third-party websites. We encourage you to review their privacy policies.
11. Changes to This Policy
VibeSec may update this Privacy Policy from time to time. We will:
- Post the updated Privacy Policy at vibesecadvisory.com/privacy with a new "Last Updated" date
- Notify active consulting clients via email of material changes that affect how we handle engagement data
- If required by law, obtain your consent before applying material changes to the processing of your data
Your continued engagement of VibeSec after changes take effect constitutes your acceptance of the revised Privacy Policy.
12. Data Protection Officer
For privacy-related inquiries, VibeSec's designated privacy contact is available at [email protected]. VibeSec has not appointed a formal Data Protection Officer, as our processing activities do not meet the applicable thresholds under GDPR Article 37.
13. Contact Information
For all privacy-related requests, please email [email protected]. We will acknowledge your request within five (5) business days and provide a substantive response within thirty (30) days.
Copyright © 2026 VibeSec Advisory. All rights reserved.