Privacy Policy
Last updated: July 12, 2026
This policy explains what VibeAudits ("we") collects, why, and what your choices are. The short version: we collect what is needed to run audits and your account, we do not sell your data, and we do not run advertising or cross-site tracking.
1. Data we collect
- Account data: your name, email address, and a salted hash of your password (never the password itself). If you sign in with Google, we receive your name, email, and avatar from Google.
- Audit data: the URLs you submit, and the artifacts our crawler produces while testing them, including page screenshots, console and network logs, performance measurements, and findings. Screenshots and logs reflect the content of the website you audited at that moment.
- Test credentials: if you enable authenticated audits, the test account username and an encrypted (AES-256-GCM) copy of the test password. These are used only to sign in during audits of your project and are never shown back to you or anyone else.
- Usage and billing data: audit counts against plan limits, plan status, and subscription identifiers. Payment card details go directly to Stripe; we never see or store card numbers.
- Technical basics: standard server logs (IP address, user agent, timestamps) kept by our hosting providers for security and debugging.
2. What we do not do
- We do not sell or rent personal data.
- We do not run third-party advertising or cross-site tracking.
- We use only strictly necessary cookies (your sign-in session). That is why there is no cookie banner: there is nothing to opt out of.
- No AI or machine learning model is trained on your data or your audit results.
3. How we use data
To operate the Service: running audits you request, generating and storing your reports, enforcing plan limits, processing subscriptions, sending transactional email (verification, password reset, audit alerts you enabled), and keeping the Service secure. We send no marketing email without your consent.
4. Where data lives (processors)
We use a small set of infrastructure providers to run the Service:
- Vercel (website and API hosting; screenshot storage via Vercel Blob)
- Neon (database hosting)
- Railway (audit worker compute)
- Stripe (payments and subscription management)
- Brevo (transactional email delivery)
Each processes data only as needed to provide their service to us. Data is primarily stored in the United States.
5. Retention
Account data is kept while your account exists. Audit reports and their artifacts (including screenshots) are kept so you can view your history and trends, and are deleted when the related project or your account is deleted. Encrypted test credentials are kept until you replace them, disable authenticated audits, or delete the project. Provider server logs rotate on their standard schedules.
6. Your rights and choices
You can access and update your account details in Settings, change your password, and replace stored test credentials at any time. You can request a copy of your data or full deletion of your account and its data by emailing us; we will act on verified requests within 30 days. Depending on where you live (for example the EU/EEA, UK, or California), you may have additional statutory rights such as access, correction, deletion, portability, and the right to lodge a complaint with a supervisory authority. We honor these rights regardless of location.
7. Screenshots of audited websites
Reports include screenshots of the pages our crawler visited on websites you submitted. If a website displays personal data, that data may appear in your report artifacts. You are responsible for ensuring you are permitted to audit the websites you submit (see the Terms of Service) and for handling your reports accordingly.
8. Security
Passwords are stored as salted bcrypt hashes. Test credentials are encrypted at rest with AES-256-GCM. Transport is HTTPS everywhere. Access to production systems is limited to the operator. No method of storage or transmission is 100% secure, but we design for least exposure: secrets are never returned by our APIs and screenshots are the only crawl artifacts stored outside the database.
9. Children
The Service is not directed to children and may not be used by anyone under 16. We do not knowingly collect data from children.
10. Changes and contact
We will update this policy as the Service evolves and update the date above when we do. Questions or requests: support@vibeaudits.org. See also our Terms of Service.
