Privacy Policy

This Privacy Policy applies to information we collect through the VibeShield website, product interfaces, APIs, scan workflows, and related support and security operations.

If you use VibeShield on behalf of an organization, that organization is responsible for its own internal privacy notices, lawful basis, and authorization for the targets and data it submits through the service.

Depending on how you use the service, we may collect:

• contact and account-related information you provide to us, if any;
• scan submission data, including target URLs, scope-related inputs, scan preferences, and your attestation that you are authorized to test the asset;
• scan-generated data, such as HTTP responses, headers, cookies, endpoint paths, metadata, stack traces, findings, score summaries, remediation prompts, and supporting evidence snippets;
• technical and usage data, including IP address, device and browser metadata, timestamps, logs, request identifiers, and abuse or rate limiting signals; and
• communications with us, such as support requests, feedback, or security reports.

We may use information we collect to:

• provide, operate, maintain, and secure the service;
• run scans and generate reports, summaries, and fix prompts;
• detect abuse, verify policy compliance, investigate misuse, and enforce our agreements;
• debug, monitor, improve, and train internal product features;
• comply with legal obligations, respond to lawful requests, and protect users, targets, the service, and the public; and
• communicate with you about product, support, or legal matters.

We may disclose information to:

• service providers and subprocessors that help us host, secure, analyze, store, or support the service;
• AI providers used to generate remediation content or summaries, when those features are enabled;
• affiliates, advisers, auditors, insurers, or acquirers in connection with legitimate business operations;
• authorities, courts, regulators, counterparties, or affected parties where required by law or reasonably necessary to investigate misuse, respond to legal process, or protect rights, systems, and people; and
• other parties at your direction or with your consent.

We do not sell personal information or share it for cross-context behavioral advertising.

Because scans may surface credentials, confidential files, personal data, or regulated content, you should submit targets only where you have authority to do so and only where the processing is lawful.

We may store scan data, evidence snippets, and findings for service operation, abuse prevention, troubleshooting, customer support, quality review, and legal compliance. We may redact or remove content at our discretion where it appears overly sensitive, unnecessary, or unlawfully obtained.

We and our providers may use cookies, local storage, server logs, and similar technologies to keep the service working, secure sessions, remember preferences, measure performance, and detect abuse.

If we add analytics or marketing tooling, we may update this policy to describe those tools and any controls available to you.

We retain information for as long as reasonably necessary for the purposes described in this policy, including providing the service, maintaining security logs, enforcing our agreements, resolving disputes, and complying with legal obligations.

Retention periods may vary based on the type of data, the sensitivity of the content, the nature of the scan, account status, abuse investigations, and legal requirements.

We use reasonable administrative, technical, and organizational safeguards designed to protect information. No system is perfectly secure, and we cannot guarantee absolute security.

You are responsible for protecting your own environments, internal access controls, exported scan data, and any secrets or regulated data present in your systems.

Depending on where you live, you may have rights under applicable U.S. state privacy laws, which can include rights to know, access, correct, delete, or appeal decisions about personal information.

We will process rights requests to the extent required by applicable law and may need to verify your identity and authority before acting on a request.

The service is not directed to children and must not be used to submit child-directed services or data relating to minors without an appropriate legal basis and authorization.

You must not use the service to process highly sensitive data in ways that are unlawful, excessive, or outside the scope of your authorization.

VibeShield may operate and store information in the United States and other locations where we or our providers maintain operations. By using the service, you understand that information may be transferred to and processed in jurisdictions that may not provide the same level of legal protection as your home jurisdiction.

We may update this Privacy Policy from time to time. Updated versions become effective when posted on the site or otherwise communicated. Continued use of the service after the effective date of the updated policy constitutes acceptance of the revised policy.

This Privacy Policy should be read together with the Terms of Service and Acceptable Use Policy.