Privacy Policy
Last updated: April 28, 2026
This Privacy Policy describes how VibeVaults (“we”, “us”, “our”) collects, uses, and protects personal data in connection with the use of our service, as described in our Terms of Service.
1. Who We Are
Service name: VibeVaults
Operator: József Tar
Contact email: support@vibe-vaults.com
Location: European Union (Hungary)
We operate a hosted feedback widget and administrative dashboard service.
2. Scope of This Policy
This Privacy Policy applies to:
- visitors to our website
- customers using the administrative dashboard
- end users submitting feedback through embedded widgets
Use of the Service is also governed by our Terms of Service.
3. What Data We Collect
3.1 Admin Users (Customers)
We collect:
- Email address
- Authentication data (handled via Supabase, stored securely; includes Google OAuth profile data such as name and avatar if you sign in with Google)
- Subscription and billing status (handled by Stripe)
We do not store full payment card details.
3.2 End Users (Feedback Widget)
When feedback is submitted via a widget, we may collect:
- Feedback content submitted voluntarily
- Email address (provided by the end user to receive replies)
- Technical metadata such as IP address and user agent (for security and abuse prevention)
We do not require end users to create accounts.
IP addresses collected for rate-limiting and abuse prevention are retained for up to 30 days, then purged or anonymized.
4. Data Controller and Data Processor Roles
- Our customers act as data controllers for feedback collected through widgets.
- VibeVaults acts as a data processor, processing feedback data solely on behalf of customers.
Customers are responsible for informing their end users about data collection and usage.
5. How We Use the Data
We use personal data only to:
- Provide and operate the Service
- Authenticate admin users
- Store, display, and manage feedback
- Prevent abuse, spam, and misuse
- Process subscriptions and payments
- Communicate service-related information
We do not use personal data for advertising purposes.
6. Legal Basis for Processing (GDPR)
For users in the European Union, we process personal data based on:
- Contractual necessity (providing the Service)
- Legitimate interest (security, abuse prevention)
- Legal obligation (billing and compliance)
7. Third-Party Services
We rely on the following third-party service providers:
- Supabase – authentication and database services
- Vercel – hosting and deployment infrastructure
- Stripe – payment processing
- Resend – transactional email delivery (notifications, digests)
- Cloudflare Turnstile – anti-bot verification during authentication
- PostHog – product analytics, session replays, and error tracking
These providers process data only as necessary to deliver their services and under their own privacy policies.
8. Cookies and Analytics
We use cookies and similar technologies for:
- Essential cookies – authentication sessions and workspace/project preferences. These are required for the Service to function and do not require consent.
- Analytics (consent-based) – PostHog (EU-hosted) collects usage data, including page views, session replays, and error tracking, to help us improve the Service. These are loaded only after you accept via the cookie banner. Form inputs are masked by default in session replays.
- Anti-bot verification – Cloudflare Turnstile may set cookies to verify human users during authentication. This is essential to prevent abuse.
Visitors from the EU, EEA, UK, and Switzerland see a consent banner on first visit. You can change your choices at any time via the “Cookie preferences” link in the footer.
We do not use cookies for advertising or third-party tracking.
9. Data Storage and Retention
- Data is stored on secure servers provided by our infrastructure partners.
- We retain data only as long as necessary to provide the Service or comply with legal obligations.
- Customers may delete feedback data via the dashboard or request deletion.
10. Data Security
We implement reasonable technical and organizational measures to protect personal data.
However, no system can be guaranteed to be 100% secure.
11. User Rights
Depending on applicable law, users may have the right to:
- Access their personal data
- Request correction or deletion
- Restrict or object to processing
- Request data portability
Requests can be made by contacting us at the email address below.
12. Children
The Service is not intended for children. You must be at least 16 years old to create an account or submit feedback. If we learn that we have collected personal data from a child under 16 without parental consent, we will delete it.
13. Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay.
14. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- Right to know what personal information we collect and how we use it
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to non-discrimination for exercising your rights
We do not sell or share your personal information for cross-context behavioral advertising, and we do not use it for targeted advertising. To exercise your rights, contact us at the email address below.
15. Changes to This Policy
We may update this Privacy Policy from time to time.
Changes will be posted on this page with an updated “Last updated” date.
16. Contact
If you have questions about this Privacy Policy or data protection matters, contact:
Email: support@vibe-vaults.com