Privacy Policy
Last updated: February 2026
1. What We Collect
When you use CheckYourVibe ("we," "us," or "the Service"), we collect only what is necessary to provide the Service:
- Account information: Email address and a securely hashed password when you create an account. We never store your password in plain text.
- Scan targets: The URLs you submit for scanning and any site configuration you provide (such as technology stack selections).
- Scan results: Findings generated by our security scanner, including vulnerability details, severity ratings, and AI-generated remediation prompts.
- Site metadata: When scanning your URL, we collect publicly available metadata such as page title, favicon, meta description, HTTP status code, server header, and final URL after redirects.
- Usage data: Anonymous, aggregated analytics to understand how the product is used (via PostHog). This includes page views, feature usage, and error events. We do not track individual user behavior for profiling purposes.
- Payment information: Billing details are collected and processed entirely by Stripe, our payment processor. We receive and store only your Stripe customer ID and subscription status. We never see, process, or store your full credit card number.
- Transactional email address: If you request a scan without creating an account, we collect your email address solely to deliver the scan results.
2. How We Use Your Data
We use the data we collect for the following purposes:
- To run security scans on the URLs you provide and deliver results.
- To generate AI-powered remediation prompts tailored to your site's technology stack.
- To run scheduled automatic scans on sites you have configured for monitoring (paid plans only).
- To send transactional emails, including scan completion notifications, security alerts, and password reset links.
- To process payments and manage subscriptions for paid plans.
- To improve the Service based on aggregated, anonymous usage patterns.
- To detect and prevent abuse, fraud, and Terms of Service violations.
- To respond to your support requests and communications.
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We do not use your scan results or site data to train AI models.
3. Scanner Behavior
CheckYourVibe performs read-only scans. Our scanner examines publicly accessible information about your application, including HTTP response headers, TLS/SSL configuration, DNS records (SPF/DMARC), commonly exposed paths, CORS policies, and client-side code. It does not modify, write to, or exploit your application in any way.
Scanner identification: Our scanner identifies itself via the HTTP User-Agent header as CheckYourVibe-Scanner/0.1 in its requests. Site owners can use this identifier to recognize or block our scanner. In certain cases where a site requires browser-like access, the scanner may use a standard browser User-Agent to successfully retrieve the page.
What the scanner collects from your site: HTTP response headers, TLS certificate details (issuer, expiry, protocol version), DNS records, responses from commonly probed paths (such as /admin, /.git, /.env), inline and external JavaScript, and CORS header behavior. All of this information is publicly accessible to any HTTP client.
4. Cookies & Authentication
We use cookies strictly for authentication and session management:
- Authentication cookies: When you log in, we set httpOnly, SameSite=Strict cookies containing your encrypted session token. These cookies cannot be accessed by JavaScript and are only sent to our servers.
- No tracking cookies: We do not use third-party advertising cookies or cross-site tracking cookies.
- Analytics: PostHog analytics may use first-party cookies or local storage to maintain anonymous session continuity. No personally identifiable information is stored in these cookies.
5. Data Storage & Security
We take the security of your data seriously:
- All data is stored in a managed PostgreSQL database hosted on Render (US-based infrastructure).
- Data is encrypted in transit using TLS and at rest on the database server.
- Passwords are stored using secure, one-way hashing. We cannot retrieve your original password.
- Authentication tokens are short-lived (30 minutes for access tokens) and stored in httpOnly cookies that are inaccessible to client-side scripts.
- All API communication between the frontend and backend occurs over HTTPS.
- We do not store your credit card information. All payment data is handled by Stripe, which is PCI DSS Level 1 certified.
6. Data Retention
- Anonymous users (scan without account): Scan results are automatically deleted after 90 days.
- Free Preview accounts: Account and scan data are retained during the evaluation period. Expired free accounts that are not upgraded may be subject to data deletion after a reasonable retention period.
- Registered users (active paid subscription): Scan results are retained as long as your account is active.
- Canceled accounts: Upon subscription cancellation, your data is retained until the end of the billing period. After that, data is retained for a reasonable period to allow for re-subscription, after which it may be deleted.
- Deleted accounts: Upon account deletion request, all account data, scan history, and associated records are permanently removed within 30 days.
- Anonymized and aggregated analytics data (which cannot be linked back to an individual) is not subject to deletion requests.
7. Third-Party Services
We use the following third-party services to operate CheckYourVibe. Each service receives only the minimum data necessary for its function:
- Stripe — Payment processing. Receives your email address and payment details. Stripe handles all billing data under its own privacy policy. We receive only your Stripe customer ID and subscription status.
- Resend — Transactional email delivery. Receives your email address and email content for scan notifications, security alerts, and password resets.
- PostHog — Product analytics and error tracking. Receives anonymized usage events and error reports. Data is used solely to improve the Service, not for advertising or profiling.
- Render — Application hosting and database infrastructure. Hosts our application servers and PostgreSQL database. Data is stored on US-based infrastructure.
We do not share your scan results, site URLs, or vulnerability findings with any third party. Scan data stays within our infrastructure.
8. Your Rights
You have the following rights regarding your data:
- Access: You can view your scan history, site data, and account information at any time through your dashboard.
- Deletion: You can request deletion of your account and all associated data by contacting us at privacy@checkyourvibe.dev. Deletion is completed within 30 days.
- Correction: You can update your email address and account settings through the Service. For other corrections, contact us.
- Data export: You can request a copy of your scan data by contacting us. We will provide your data in a standard, machine-readable format within a reasonable timeframe.
- Opt-out of analytics: You can disable PostHog analytics by using a browser extension that blocks analytics scripts, or by contacting us to opt out.
- Email preferences: You can manage your email notification preferences in your account settings. Transactional emails required for the Service (such as password resets) cannot be disabled.
9. Children's Privacy
CheckYourVibe is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child under 18 has provided us with personal information, please contact us at privacy@checkyourvibe.dev and we will promptly delete the information.
10. International Users
CheckYourVibe is hosted on US-based infrastructure. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We apply the same data protection standards to all users regardless of location.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
If you have any questions about this Privacy Policy, how we handle your data, or wish to exercise any of your rights, contact us at:
CheckYourVibe