Privacy Policy

Last updated: May 7, 2026

Data controller: [ENTITY NAME, REGISTERED ADDRESS — TODO before launch]

1. Information We Collect

1.1 Information You Provide Directly

Account information: When you create a Vibeless account we collect your name, email address, and any profile details you choose to provide. Authentication is handled through Clerk, our identity provider.
Payment information: When you subscribe to a paid plan, payment card details and billing address are collected and processed by Stripe. Vibeless does not store full payment card numbers on its own servers.
Support & communications: When you contact us via email or in-app support, we collect the content of your messages and any attachments you send.
User-generated content: Specifications, context documents, architecture documents, dependency information, and any other content you create or upload within the Service.

1.2 Information Collected Automatically

Usage data: Pages visited, features used, timestamps, click events, search queries, and other interactions with the Service.
Device & browser data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
Log data: Server logs that record requests made to our systems, including the URL, HTTP method, referrer, response code, and timestamps.
Cookies & similar technologies:We use cookies, local storage, and similar tracking technologies as described in Section 9 (Cookie Policy) below.

1.3 Information from Third Parties

We may receive information about you from our authentication provider (Clerk), payment processor (Stripe), or other integrated services when you connect third-party accounts to Vibeless. This information is limited to what is necessary to operate the Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

Provide and operate the Service: Create and manage your account, process subscriptions, deliver features, and maintain uptime.
Improve and develop: Analyze usage patterns to fix bugs, improve existing features, and build new functionality.
Communicate with you:Send transactional emails (receipts, password resets, account notifications), respond to support requests, and — where you have opted in — send product updates or marketing communications via SendGrid.
Billing and payments: Process subscription charges, issue invoices, handle refunds, and prevent payment fraud through Stripe.
Security and fraud prevention: Detect and prevent unauthorized access, abuse, and other malicious activity.
Legal compliance: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
Aggregated analytics: Generate anonymized, aggregated statistics that cannot be used to identify you, for internal reporting and product planning.

3. Legal Basis for Processing (GDPR Article 6)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR) to process your personal data:

Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account management, feature delivery, and payment processing.
Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests — such as improving the Service, ensuring security, and conducting analytics — provided those interests are not overridden by your data-protection rights.
Consent (Art. 6(1)(a)): Where you have given explicit consent, for example by opting in to marketing emails or accepting non-essential cookies. You may withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): Processing necessary to comply with a legal obligation to which we are subject, such as tax reporting or responding to lawful data-access requests.

4. Data Sharing & Third Parties

We do not sell your personal data. We share information only with the categories of recipients described below, and only to the extent necessary for the stated purposes:

4.1 Sub-processors

Processor	Purpose	Data Processed
Clerk	Authentication & identity management	Name, email, profile data, session tokens
Stripe	Payment processing & subscription billing	Payment card details, billing address, transaction history
SendGrid	Transactional & marketing email delivery	Email address, name, email content
Vercel	Application hosting & edge delivery	IP address, request logs, usage data
Neon	PostgreSQL database hosting	All Service data stored in our database (encrypted at rest)
Cloudflare	DNS resolution & email routing	IP address, DNS query metadata
Anthropic	LLM inference for agent workflows (desktop app / worker — not the marketing site)	Content submitted by users to agent workflows

4.2 Other Disclosures

Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
Business transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your data may be transferred to the acquiring entity. We will notify you of any such change.
With your consent: We may share information with third parties when you have given us explicit permission to do so.

5. International Data Transfers

Vibeless and its sub-processors operate infrastructure in the United States and other countries. If you are located outside the United States, your personal data will be transferred to and processed in the United States or other jurisdictions where our sub-processors maintain facilities.

Where we transfer personal data from the EEA, United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Data Processing Agreements with each sub-processor that include equivalent protections.
Any additional supplementary measures necessary to ensure an essentially equivalent level of protection as required by applicable law.

You may request a copy of the relevant transfer mechanisms by contacting us at privacy@vibeless.pro.

6. Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The specific retention periods are as follows:

Account data:Retained for the duration of your active account and for up to 30 days after account deletion to allow for recovery, after which it is permanently deleted.
User-generated content:Retained for the duration of your active account. Upon account deletion, content is purged within 30 days.
Payment and billing records:Retained for a minimum of 7 years to comply with tax and accounting obligations.
Server and access logs:Retained for up to 90 days, after which they are automatically deleted or anonymized.
Support correspondence:Retained for up to 3 years after the last interaction for quality assurance and to resolve potential disputes.
Marketing preferences: Retained until you withdraw consent or delete your account.

When data is no longer required, it is securely deleted or anonymized so that it can no longer be associated with you.

7. Your Rights Under GDPR

If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the GDPR (and equivalent local legislation):

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.
Right to restriction of processing (Art. 18): Request that we limit the processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with your local Data Protection Authority.

To exercise any of these rights, please contact us at privacy@vibeless.pro. We will respond to your request within 30 days, as required by law.

8. Your Rights Under CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:

Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
Right to delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
Right to correct: You may request that we correct inaccurate personal information we maintain about you.
Right to opt out of sale or sharing:Vibeless does not sell or share personal information as defined in CCPA § 1798.140(ad)/(ag). We do not have a “sell” or “share” relationship with any third party for purposes of cross-context behavioral advertising.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To submit a verifiable consumer request, email privacy@vibeless.pro with the subject line “CCPA Request.” We will verify your identity before processing the request and respond within 45 days.

Categories of personal information collected(per CCPA § 1798.110): Identifiers (name, email, IP address); commercial information (subscription plan, payment history); internet or electronic network activity (usage data, log data); and professional information (job title, if provided).

9. US State Privacy Rights

Several US states have enacted comprehensive consumer privacy laws that grant residents rights similar to those described above. The following sections summarize your rights under each applicable law. To exercise any of these rights, email privacy@vibeless.pro.

9.1 Colorado Privacy Act (CPA)

Colorado residents have the right to access, correct, delete, and obtain a portable copy of their personal data. You may also opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell personal data or use it for targeted advertising. To submit a request, email privacy@vibeless.pro; we will respond within 45 days.

9.2 Virginia Consumer Data Protection Act (VCDPA)

Virginia residents have the right to access, correct, delete, and obtain a copy of personal data, and to opt out of the sale of personal data, targeted advertising, and profiling for decisions with significant effects. If we decline your request, you may appeal by sending a written appeal to privacy@vibeless.pro with the subject “VCDPA Appeal”; we will respond to the appeal within 60 days. If your appeal is denied, you may contact the Virginia Attorney General at oag.state.va.us.

9.3 Connecticut Data Privacy Act (CTDPA)

Connecticut residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of the sale of personal data, targeted advertising, and certain profiling activities. You may appeal a denial of your request by emailing privacy@vibeless.pro with the subject “CTDPA Appeal.” We will respond to your initial request within 45 days.

9.4 Utah Consumer Privacy Act (UCPA)

Utah residents have the right to access and delete their personal data, and to opt out of the sale of personal data and the use of personal data for targeted advertising. Vibeless does not sell personal data or use it for targeted advertising. To exercise these rights, email privacy@vibeless.pro.

10. International Privacy Rights

10.1 Brazil — Lei Geral de Proteção de Dados (LGPD)

If you are located in Brazil, the LGPD grants you rights to access, correct, anonymize, port, delete, and obtain information about the use of your personal data, as well as the right to revoke consent. Our data protection officer (DPO) can be reached at privacy@vibeless.pro. We will respond to your request within 15 days as required by the LGPD. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

10.2 Canada — PIPEDA

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws govern our handling of your personal information. We are accountable for the personal information under our control and have designated privacy@vibeless.pro as the point of contact for privacy inquiries. We collect personal information for identified purposes with your knowledge and consent, retain it only as long as necessary, and maintain safeguards appropriate to the sensitivity of the information. You have the right to access your personal information and to challenge its accuracy. You may direct complaints to the Office of the Privacy Commissioner of Canada if our response is unsatisfactory.

11. Cookie Policy

Cookies are small text files placed on your device when you visit our website. We use the following categories of cookies. A full enumeration of the specific cookies we set is available at /legal/cookie.

11.1 Strictly Necessary Cookies

These cookies are essential for the Service to function. They include session cookies used for authentication (managed by Clerk) and cookies required to process payments. Because they are necessary, they cannot be disabled.

11.2 Analytics Cookies

We use analytics cookies to understand how visitors interact with the Service. These cookies collect information in an aggregated form, including the number of visitors, the pages visited, and the source of traffic. You may opt out of analytics cookies through our cookie consent banner.

11.3 Functional Cookies

Functional cookies remember your preferences (such as your cookie consent choice) and provide enhanced, personalized features.

11.4 Cookie Table

Name	Category	Purpose
`__session`	Necessary	Clerk authenticated session token; keeps you signed in.
`__client_uat`	Necessary	Tracks last Clerk authentication timestamp; required for session lifecycle management.
`cookie-consent`	Functional	Stores your cookie banner choice so we do not prompt you on every visit. Set by Vibeless; expires after 1 year.
Vercel Analytics cookies	Analytics	Aggregate, privacy-respecting traffic measurement (page views, referrers). Set by Vercel; session-scoped.

11.5 Managing Your Cookie Preferences

You can control and delete cookies through your browser settings. You may also manage your preferences through our cookie consent banner (displayed on your first visit, bottom of the page). For further detail see /legal/cookie.

12. Children's Privacy

Vibeless is not directed to individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under the applicable age, we will take steps to delete that information as promptly as possible. If you believe a child has provided us with personal data, please contact us at privacy@vibeless.pro.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption of data in transit using TLS 1.2 or higher.
Encryption of data at rest within our database (Neon PostgreSQL).
Role-based access controls limiting employee and contractor access to personal data on a need-to-know basis.
Regular security assessments and vulnerability scanning of our infrastructure.
Use of industry-standard authentication mechanisms (managed by Clerk), including support for multi-factor authentication.
Incident response procedures to address potential data breaches promptly.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining and improving our security posture.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the “Last updated” date at the top of this page.
Provide prominent notice within the Service (for example, a banner notification) or send you an email notification, where required by applicable law.

Material changes take effect 30 days after notice is provided. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy inquiries: privacy@vibeless.pro
General legal inquiries: legal@vibeless.pro
Registered entity: [ENTITY NAME, REGISTERED ADDRESS — TODO before launch]

We will make every effort to respond to your inquiry within 30 days.