VibeQA is built by a security professional. We collect only what we need to run the service, we don't sell your data, and we give you control over what we store. This policy tells you exactly what we collect, why, and how long we keep it.
1. Who We Are
VibeQA ("we," "us," "our") is an automated quality assurance service for web applications, operated at vibeqa.io. To contact us about privacy matters: privacy@vibeqa.io.
2. What We Collect and Why
2.1 Account Data
When you create an account, we collect:
- Email address — required to create and identify your account, send transactional emails (scan results, trial expiry, billing receipts)
- Name — optional, used for personalization
- Password — stored as a bcrypt hash; we never store or transmit plaintext passwords
If you sign in via Google or GitHub SSO, we receive only your email address and public profile name from those providers. We do not receive your passwords or access your accounts beyond authentication.
2.2 Scan Data
When you submit a URL for scanning, we:
- Crawl and render the URL you provide using an automated browser
- Capture screenshots of the page at desktop and mobile viewports
- Collect and store the issues found (broken links, console errors, performance metrics, etc.)
- Store the URL and scan results in your scan history per your plan's retention period
Important: By submitting a URL for scanning, you confirm you own the site or have authorization from the owner to scan it. We access third-party websites only at your direction. We are not responsible for content found on scanned sites.
2.3 Technical and Usage Data
- IP addresses — logged for rate limiting, abuse prevention, and security. Free-tier rate limiting uses IP to enforce scan limits. Logs are retained for 30 days.
- Authentication tokens — JWT tokens are issued on login and stored in your browser's localStorage. Tokens use a sliding-window expiry with automatic refresh.
- Browser and device information — basic user-agent data collected to detect and prevent automated abuse of free-tier scans.
- Usage analytics — we use PostHog to understand how the product is used (feature usage, scan frequency, conversion events). PostHog is configured in privacy-preserving mode; data is not shared with third parties or used for ad targeting.
2.4 Payment Data
Payments are processed by Stripe. We do not store, transmit, or have access to your credit card numbers, CVV, or banking information. Stripe provides us with a non-sensitive billing token, your subscription status, and last-4 card digits for display purposes. Stripe's privacy policy governs how they handle your payment data.
3. Data Retention
| Data Type | Free Plan | Pro Plan | Team Plan |
|---|---|---|---|
| Scan results & screenshots | 7 days | 90 days | 1 year |
| Account data | Until account deletion or 2 years of inactivity | Same as Free | Same as Free |
| IP address logs | 30 days (rolling) | Same as Free | Same as Free |
| Email verification records | 90 days | Same as Free | Same as Free |
| Payment/billing records | 7 years (tax compliance) | Same as Free | Same as Free |
4. How We Use Your Data
- To provide the service — scanning URLs, generating reports, storing your history
- To run your account — authentication, billing, plan enforcement
- To communicate with you — transactional emails only (scan results, billing, trial expiry). We do not send marketing emails without your explicit opt-in.
- To prevent abuse — IP rate limiting, disposable email blocking, and behavioral signals are used to protect service integrity
- To improve the product — aggregated, anonymized usage analytics
We do not sell your data. We do not use your scan results to train AI models. We do not profile you for advertising.
5. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, billing amount, plan selection |
| Railway | Cloud infrastructure (hosting) | All service data (encrypted at rest) |
| Google (OAuth) | Optional SSO login | Email, name (only if you use Google login) |
| GitHub (OAuth) | Optional SSO login | Email, name (only if you use GitHub login) |
| PostHog | Product analytics | Anonymized usage events, no PII in events |
We do not share your data with any other third parties except as required by law.
6. Cookies and Local Storage
VibeQA uses browser localStorage (not cookies) to store your authentication token. We use minimal session-level cookies only where technically required. We do not use tracking cookies, advertising cookies, or third-party cookies for analytics.
PostHog may set a first-party analytics cookie to track session continuity. This can be blocked via browser settings without affecting core service functionality.
7. Your Rights
Depending on your location, you may have the following rights:
- Access — request a copy of your personal data
- Correction — update inaccurate data via your account settings
- Deletion — delete your account and all associated data. Scan history is purged within 72 hours. Billing records are retained for legal compliance per Section 3.
- Portability — export your scan history in JSON format from your dashboard
- Opt-out of analytics — disable PostHog tracking via your account settings
- Withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights: privacy@vibeqa.io. We respond to all requests within 30 days.
8. California Residents (CCPA)
California residents have the right to know what personal information we collect, to delete it, and to opt out of its sale. We do not sell personal information. To submit a CCPA request: privacy@vibeqa.io.
9. European Users (GDPR)
If you are located in the European Economic Area, our legal basis for processing your data is:
- Contract performance — to provide the service you signed up for
- Legitimate interests — fraud prevention, abuse control, service improvement
- Legal obligation — billing record retention
- Consent — marketing communications (where applicable)
Data is hosted on Railway infrastructure in the United States. By using VibeQA, you consent to this transfer. We apply appropriate safeguards consistent with GDPR Chapter V.
10. Security
VibeQA is built by a 20-year information security professional. Security measures include: HTTPS-only data transmission, bcrypt password hashing, JWT token rotation with sliding-window expiry, IP-based rate limiting, disposable email blocking on registration, and encrypted data at rest via Railway's infrastructure.
No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to security@vibeqa.io.
11. Children
VibeQA is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@vibeqa.io and we will delete it promptly.
12. Changes to This Policy
We may update this policy. When we do, we will update the "Last updated" date at the top and, for material changes, notify you by email. Continued use of VibeQA after changes constitutes acceptance of the updated policy.
13. Contact
Questions about this policy: privacy@vibeqa.io
General support: hello@vibeqa.io