Privacy Policy
Last updated: 2026-04-20
⚠️ Pre-launch draft
This document is under review by legal counsel. It reflects our current data practices and is binding. Material revisions may be published before 2026-05-20; users will be notified of substantive changes by email.
1. Who we are
VibeMap operates vibemap.ai and the associated API and MCP server. For privacy enquiries, contact privacy@vibemap.ai. For operational or support questions, contact support@vibemap.ai.
2. Data we collect
| Category | Source | Retention |
|---|---|---|
| Account (email, name, OAuth identifiers) | User signup | Until account deletion |
| Authentication tokens, sessions | Supabase Auth | Until account deletion |
| Project content (inputs, generated artefacts) | User submissions + LLM outputs | Until user deletes |
| Billing records (invoices, payment status) | Stripe webhooks | 7 years (tax requirement) |
| Usage analytics (events, pageviews) | PostHog instrumentation | 12 months rolling |
| Error + performance logs | Sentry instrumentation | 90 days |
| Email engagement (opens, clicks) | Brevo | 24 months |
| Support conversations | Email + in-app chat | 5 years |
We never store your payment card details — Stripe handles payment processing on our behalf and stores card data in their PCI-DSS-compliant infrastructure.
3. How we use your data
- Provide the service. Generate artefacts, store your projects, authenticate sessions, process payments
- Communicate with you. Transactional emails (account, billing, security), product updates, and marketing emails (only with consent — opt out anytime)
- Improve the service. Aggregate, anonymised usage data for product analytics and UX research
- Ensure safety. Monitor generations for abuse, harmful content, or automated scraping
- Legal compliance. Retain billing data for tax, fulfil data subject requests, respond to lawful requests from authorities
4. Legal bases (GDPR)
For EU and UK users, our legal bases for processing are:
- Contract (Art. 6(1)(b)): delivering the service you signed up for
- Legitimate interest (Art. 6(1)(f)): product improvement, fraud prevention, anonymised analytics
- Consent (Art. 6(1)(a)): marketing emails, optional cookies
- Legal obligation (Art. 6(1)(c)): tax records, responding to lawful requests
5. Subprocessors
We use the following subprocessors. Each has signed appropriate data-processing agreements. We will notify users of material changes to this list.
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Database + Auth | US / EU |
| Vercel | Hosting + edge network | Global |
| Stripe | Payments | US / Global |
| Anthropic (Claude) | LLM inference | US |
| OpenAI (GPT) | LLM inference | US |
| Google Cloud (Gemini) | LLM inference | US / Global |
| Brevo | Transactional + marketing email | EU |
| PostHog | Product analytics | US / EU |
| Sentry | Error monitoring | US |
| Inngest | Background jobs | US |
| Pusher | Realtime messaging | US / EU |
6. AI-specific practices
- No model training. Your inputs and generated outputs are not used by us or our LLM providers to train foundation models. We have verified API-level opt-outs with Anthropic, OpenAI, and Google.
- Content forwarded to providers. To generate artefacts, we transmit your input to one of the LLM providers listed above. The provider processes the request and returns an output. No persistent training takes place.
- Safety monitoring. We apply automated filters and, where abuse is flagged, may manually review the flagged content. Manual review is limited to safety-relevant inputs.
- AI labelling. All VibeMap-generated artefacts are clearly identified as AI-generated within the product UI.
7. Your rights
If you are in the European Union, United Kingdom, California, or similar privacy-forward jurisdictions, you have the following rights regarding your data:
- Access (GDPR Art. 15): export a copy of your data as JSON
- Rectification (Art. 16): correct inaccurate data via account settings
- Deletion (Art. 17): delete your account and associated data (billing records retained per tax law)
- Portability (Art. 20): export generated content in Markdown / JSON
- Objection (Art. 21): opt out of marketing emails and optional analytics
- Restriction (Art. 18): pause processing during a dispute
To exercise any right, email privacy@vibemap.ai. We respond within 30 days of a verified request (extendable once to 60 days where complexity warrants).
8. International data transfers
If you are located outside the United States, your data may be transferred to and processed in the US. For transfers out of the EU/UK, we rely on Standard Contractual Clauses (SCCs) and, where relevant, the EU-US Data Privacy Framework.
9. Cookies
We use cookies and similar technologies for essential site functionality (authentication, session state) and, with your consent, analytics. You can manage cookie preferences through your browser or through our consent banner (where displayed). Essential cookies cannot be disabled without affecting service functionality.
10. Children
VibeMap is not directed at children. We do not knowingly collect data from anyone under 13 (or under 16 in the European Union). If you believe a child has created an account, contact privacy@vibemap.ai and we will delete the account promptly.
11. Security
We use industry-standard safeguards: TLS 1.3 for data in transit, AES-256 for data at rest, role-based access controls, and regular security reviews. Passwords are hashed (never stored in plaintext) by Supabase. Despite these measures, no system is perfectly secure — contact us immediately if you suspect compromise.
12. Changes to this Policy
We may update this Privacy Policy. We will notify you of material changes by email at least seven (7) days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
Privacy enquiries and data subject requests: privacy@vibemap.ai.
See also: Terms of Service.