Privacy Policy

How VibeMole processes personal data across the website, app, reports, CLI flows, and worker-backed scans.

Last updated: 15 June 2026

This Privacy Policy explains how VibeMole processes personal data when you use the public website, the authenticated SaaS app, scan reports, CLI upload flows, and worker-backed website or project scans.

1. Controller and contact

The controller responsible for VibeMole is Sergej Weber, P.O. Box 1123, 64355 Mühltal, Germany.

For privacy requests, contact info@vibemole.com. No data protection officer has been appointed because VibeMole is not currently required to appoint one.

2. Scope of this policy

This policy covers VibeMole's public website, localized legal pages, authenticated product areas, web scan creation, worker-backed crawling and analysis, generated reports, billing flows, support communications, and the CLI/local evidence upload flow.

If you submit a website, application, repository, or local evidence for scanning, VibeMole processes the submitted material to provide the requested scan and report. You are responsible for ensuring that you are allowed to submit that material to VibeMole.

3. Categories of personal data

  • Account and authentication data: email address, Supabase user ID, session tokens and authentication cookies, login metadata, OAuth provider metadata where used, profile or display details, and account settings.
  • Scan target and crawl data: target URLs and origins, selected pages, privacy policy and terms page URLs, excerpts from public policies, consent banner observations, cookie and storage names, request and tracker domains, security headers, screenshots or evidence snippets where collected, and scan configuration.
  • CLI and local evidence data: scan IDs, project metadata, dependency and configuration signals, local runtime/security evidence, and uploaded evidence packages. Sensitive values should be redacted before upload, and VibeMole processes the package to produce the requested report.
  • Reports and workflow data: generated scan reports, scores, compliance checks, manual review decisions, privacy-scope answers, remediation notes, quotas, usage state, and product preferences.
  • Billing and subscription data: plan, credits, checkout and subscription status, Stripe customer/subscription/price identifiers, billing periods, invoice or tax-relevant records, and webhook event identifiers. Payment card details are processed by Stripe and are not stored by VibeMole.
  • Analytics and product events: PostHog distinct IDs, page and app events, route names, feature usage, checkout events, scan/check decisions, and account identifiers used after login. VibeMole does not intentionally send raw scanned page content to analytics.
  • Cookies, storage, and device data: Supabase authentication cookies, the cc_locale language cookie, theme/settings storage, PostHog analytics storage through /relay, IP-derived request metadata, user agent, device/browser data, logs, diagnostics, rate-limit records, and security events.
  • Support and privacy request data: messages, email addresses, request metadata, and any information you choose to include when contacting VibeMole.

4. Controller and processor roles

VibeMole acts as controller for account management, billing, product analytics, support, security, legal compliance, and operation of the service.

For website, app, repository, or local evidence content submitted by a customer for a requested scan, the customer may be the controller and VibeMole may act as processor or service provider for that submitted content, depending on the context and applicable agreement.

5. Purposes and legal bases

  • Providing accounts, authentication, scans, reports, CLI upload flows, billing, and customer-requested product functionality: Article 6(1)(b) GDPR, performance of a contract or pre-contractual measures.
  • Maintaining security, preventing abuse, debugging, improving reliability, measuring non-sensitive product usage, preserving evidence quality, and establishing or defending legal claims: Article 6(1)(f) GDPR, legitimate interests.
  • Optional analytics, non-essential cookies, marketing communications, or waitlist/newsletter consent where offered: Article 6(1)(a) GDPR, consent. You may withdraw consent at any time with effect for the future.
  • Tax, accounting, payment, consumer protection, and other legal retention duties: Article 6(1)(c) GDPR, legal obligation.

6. Recipients and processors

VibeMole uses processors and infrastructure providers only as needed to operate the service, provide scans, secure the platform, process payments, answer requests, and comply with legal obligations.

  • Supabase for authentication, database, storage, and related backend services.
  • Vercel and hosting/infrastructure providers for the website, application hosting, networking, deployment, and logs.
  • VibeMole worker infrastructure for crawling target sites, processing evidence, and generating reports.
  • OpenAI API for AI-assisted classification, report generation, or analysis of submitted scan evidence and policy excerpts where used.
  • PostHog EU for product analytics and event measurement, routed through VibeMole's /relay proxy path where configured.
  • Stripe for checkout, payment processing, invoices, subscriptions, taxes, and payment-related webhooks.
  • Support mailbox, email, logging, monitoring, security, and professional service providers, engaged by category where needed.
  • Authorities, courts, advisers, or counterparties if disclosure is required by law or needed to establish, exercise, or defend legal claims.

7. AI-assisted analysis and Article 22 GDPR

VibeMole may send relevant scan evidence, policy excerpts, cookie observations, security signals, prompts, and report context to the OpenAI API or similar model infrastructure to classify findings and draft reports.

Scan scores, compliance labels, and generated reports are advisory product outputs. VibeMole does not use them to make decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.

8. International transfers

Some recipients may process personal data outside the European Economic Area. Where this happens, VibeMole relies on adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, Standard Contractual Clauses, supplementary safeguards, or another lawful transfer mechanism under Chapter V GDPR.

9. Retention

Account data, scan records, generated reports, uploaded evidence, manual decisions, and product settings are generally retained for the lifetime of your account so the service can preserve your history and provide continuing access.

After account deletion or a verified deletion request, VibeMole deletes or anonymizes personal data unless continued retention is required for legal obligations, billing/tax documentation, security, fraud prevention, dispute resolution, backups, or legal claims.

Billing and tax-relevant records are retained for the periods required by applicable commercial and tax law. Logs, analytics events, backups, and provider-side operational records expire according to security, reliability, and provider retention schedules.

10. Cookies and local storage

VibeMole uses strictly necessary cookies and storage for authentication, session security, localization, and product preferences. This includes Supabase authentication cookies, the cc_locale language cookie, and theme/settings storage.

VibeMole may use PostHog analytics cookies or local storage and route analytics traffic through /relay. Where consent is legally required for non-essential analytics, VibeMole will rely on consent and you can withdraw it with effect for the future.

11. Your GDPR rights

Subject to the applicable legal requirements, you may request access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. You may also withdraw consent at any time where processing is based on consent. Send requests to info@vibemole.com.

You have the right to lodge a complaint with the competent German data protection supervisory authority. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) also provides information about data protection rights and supervisory authorities in Germany.

12. Required data and consequences of not providing it

Account, authentication, billing, scan target, and evidence data may be necessary to provide the requested service. If you do not provide required data, VibeMole may be unable to create an account, run a scan, generate a report, process a subscription, answer a request, or comply with legal duties.

13. Google Sign-In and Google user data

VibeMole offers Google Sign-In as an optional way to create and access your VibeMole account. Using Google Sign-In is not required; you can also register with an email address and password.

When you choose Google Sign-In, Google shares basic profile information with VibeMole, which may include your name, email address, profile image, and a Google account identifier. VibeMole uses this information only to authenticate you, create and secure your account, and display your account identity inside the product.

VibeMole requests only basic sign-in scopes. VibeMole does not access Gmail, Google Drive, Google Calendar, Google Contacts, or other Google services, and does not read the contents of your Google account. VibeMole does not use Google account data to scan websites.

VibeMole's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. VibeMole does not sell Google user data and does not use it for advertising. Google account data is processed by our authentication provider (Supabase) as described in this policy. You can revoke VibeMole's access at any time from your Google Account security settings or by deleting your VibeMole account at info@vibemole.com.

14. Changes to this policy

VibeMole may update this Privacy Policy to reflect product, legal, or operational changes. The current version is published on this page.