Last updated: April 30 2025
Vibe Security ("Service", "Vibe Security", "we", "us" or "our") is a software-as-a-service platform available at vibesecurity.io, app.vibesecurity.io, and any related sub-domains operated by 6GL Software Inc., 1505 Laperriere Ave, Suite 509, Ottawa, ON K1Z 7T1, Canada.
Contact: [email protected]
This Policy applies to:
It does not apply to third-party services you use independently (e.g., GitHub).
| Term | Meaning |
|---|---|
| Personal Information (PI) | Information that identifies or relates to an identifiable individual. |
| Controller | 6GL Software Inc. (for EU/UK users) determines the purposes and means of processing PI. |
| Processor / Sub-processor | A party that processes PI on our behalf (e.g., hosting, analytics, payment, or e-mail vendors). |
| GitHub Data | Any data—code, metadata, issues, pull requests, commit history—retrieved from GitHub via OAuth sign-in or the Vibe Security GitHub App. |
| Scan Results | Machine-generated findings and metadata produced when we analyse GitHub Data (includes code snippets from the cloned repos). |
| Category | What | Source | Purpose / Legal Basis* |
|---|---|---|---|
| Account Data | GitHub username, public profile info, primary e-mail, OAuth access token | GitHub OAuth | Contract performance; legitimate interest in secure authentication |
| Repository Selections | List of repos you authorise (read-only) | You / GitHub App install | Contract performance |
| GitHub Data | Code and files cloned from authorised repos | GitHub API | Contract performance; legitimate interest in providing security analysis |
| Scan Results | Vulnerability reports, metrics, AI prompts & model outputs (may include code snippets) | Generated by Service | Same as above |
| Payment Data | Customer name, e-mail, card last 4 digits, billing address, subscription status | Stripe | Contract performance |
| Communications | Support requests, feedback, e-mails | You | Legitimate interest in customer service |
| Usage Data | Request logs, error logs, aggregated analytics | Server logs; Umami (cookieless) | Legitimate interest in improving Service |
| Cookies & Similar | Essential session cookie (_django_session_). We may introduce additional cookies or trackers in the future to enhance functionality or analytics. | Browser | Contract performance; legitimate interest in service optimisation |
*Legal bases refer to Art. 6(1) GDPR where applicable. We obtain consent where required.
We upload limited code context to a large-language-model (LLM) served via OpenRouter or an equivalent provider. The LLM may use prompts and responses for model training. We have no contractual data-protection guarantees from the provider. You remain responsible for excluding sensitive materials you do not wish to share.
Consent to manual review & improvement – By using the Service you agree that Vibe Security personnel, bound by confidentiality, may manually review vulnerability findings to verify accuracy and reduce false positives. We may store and use anonymized vulnerability descriptions (with all repository-specific identifiers removed) to train and improve our models and rule-sets. No identifiable Personal Information is included in this training data.
| Data type | Retention policy |
|---|---|
| Access tokens | Until you revoke GitHub access or delete your account. |
| Cloned code | Ephemeral – wiped within 24 h after each scan completes. |
| Scan Results | Retained until you delete the project or close your account, or up to 24 months for aggregate research unless earlier deletion is requested. |
| Payment records | 7 years (tax / accounting). |
| Server logs | 30 days (raw) / 12 months (aggregated). |
| Support communications | 3 years unless legal requirements necessitate longer. |
We do not sell your PI. We share it only with:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (us-east-2) | Hosting & data storage | USA | SCCs for EU/UK data |
| OpenRouter | LLM inference | USA (sub-processors may vary) | No contractual guarantees |
| Stripe | Payment processing | USA | SCCs & PCI-DSS compliance |
| Transactional e-mail provider | Service e-mails | USA | SCCs |
| Umami (self-hosted at umami.vibesecurity.io) | Cookieless analytics | USA | Data remains on our AWS servers |
| Professional advisors | Legal/accounting | Canada/USA | Confidentiality obligations |
| Government authorities | Only if required by law | Varies | As legally mandated |
Depending on your location, you may have the right to access, correct, erase, port, or object to processing of your PI, or withdraw consent. Contact [email protected]; we respond within 30 days.
The Service currently sets a single essential session cookie (_django_session_) and relies on cookieless analytics served from umami.vibesecurity.io. We may introduce additional cookies or similar technologies (e.g., to remember preferences, perform A/B tests, or measure traffic with other analytics tools) in the future. If we do, this Policy and our cookie banner will be updated accordingly.
You may block cookies in your browser, but the Service may not function properly without essential cookies.
The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect their data. If you believe a child has provided PI, contact us for deletion.
We may update this Policy from time to time. Material changes will be announced by e-mail or prominent notice at least 14 days before taking effect. Your continued use after the effective date constitutes acceptance.
6GL Software Inc. | 1505 Laperriere Ave, Suite 509 | Ottawa ON K1Z 7T1 | Canada
📧 [email protected]
By using Vibe Security you acknowledge that you have read and understood this Privacy Policy and agree to the collection and processing of your information as described above.