Privacy Policy

Effective: March 23, 2026 · Last updated: March 2026

CheckYourVibe ("we," "us," "our," or "the Service") is a web application security scanning platform. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have. It applies to all users of our website, dashboard, scanner, API, and related services.

By using CheckYourVibe, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

We collect only the information necessary to provide and improve the Service. Here is a complete list of what we collect and why.

1.1 Account Information

  • Email address — used for authentication, transactional emails, and account recovery.
  • Password — stored as a secure, one-way hash. We never store or have access to your plain-text password.
  • Account status — whether your email is verified, your plan type, and subscription status.

1.2 Site and Scan Data

  • URLs you submit — the web addresses you ask us to scan.
  • Site configuration — site name, technology stack selections, scan schedule preferences, and active/inactive status.
  • Scan results — vulnerability findings, severity ratings, categories, evidence, remediation guidance, and AI-generated fix prompts.
  • Site metadata — publicly available information collected during scans, including page title, favicon URL, meta description, HTTP headers, and final URL after redirects.

1.3 Payment Information

  • Stripe customer ID and subscription status — this is all we store. We never see, process, or store your full credit card number, CVV, or billing address.
  • All payment data is collected and processed entirely by Stripe, which is PCI DSS Level 1 certified.

1.4 Usage and Analytics Data

  • Page views and feature usage — collected via PostHog and Google Analytics to understand how the product is used and to identify issues.
  • Session recordings — PostHog may record anonymized sessions to help us understand user experience. All form inputs and sensitive text are automatically masked. No passwords, credit card numbers, or other PII appear in recordings.
  • Web performance metrics — Largest Contentful Paint (LCP), First Input Delay (FID), and Cumulative Layout Shift (CLS) to monitor site performance.
  • Error events — unexpected application errors with stack traces (server-side) and error context (client-side) to identify and fix bugs.

1.5 Attribution Data

  • UTM parameters — utm_source, utm_medium, and utm_campaign from the URL you used to arrive at our site, stored to understand which channels bring users to the Service.
  • Ad platform identifiers — such as Reddit click IDs, used solely for conversion tracking with the originating ad platform.

1.6 Transactional Email Data

  • If you request a scan without creating an account, we collect your email address solely to deliver your scan results.
  • We log which email templates were sent and their delivery status to ensure reliable email delivery and to detect bounces.

2. How We Use Your Data

We use the information we collect for the following purposes:

  • Provide the Service — run security scans on your URLs, generate findings, and deliver scan results and AI-powered remediation prompts.
  • Manage your account — authenticate you, manage your subscription, and enforce plan limits.
  • Scheduled scans — run automatic scans on sites you have configured for monitoring (paid plans only).
  • Send transactional emails — scan completion notifications, security alerts, magic link login emails, and account-related communications.
  • Process payments — manage billing, subscriptions, trials, and refunds through Stripe.
  • Improve the Service — analyze aggregated, anonymous usage patterns to identify bugs, improve performance, and develop new features.
  • Prevent abuse — detect and prevent fraud, Terms of Service violations, unauthorized scanning, and other malicious activity.
  • Respond to support requests — address your questions, feedback, and bug reports.

What we do NOT do with your data:

  • We do not sell, rent, or share your personal data with third parties for marketing or advertising.
  • We do not use your scan results, site URLs, or vulnerability findings to train AI models.
  • We do not use your data for profiling or automated decision-making.
  • We do not share your scan results with any third party. They stay within our infrastructure.

3. Scanner Behavior & Data Collection

CheckYourVibe performs read-only, non-invasive scans of publicly accessible URLs. Understanding what the scanner does — and does not do — is important for transparency.

What the scanner does

  • Examines HTTP response headers (security headers, server identification, cookie flags).
  • Inspects TLS/SSL configuration (certificate issuer, expiry, protocol version, cipher suites).
  • Checks DNS records (SPF, DMARC, DKIM for email authentication).
  • Probes commonly exposed paths (such as /admin, /.git, /.env, /robots.txt).
  • Analyzes client-side JavaScript for outdated libraries, dangerous patterns, and missing subresource integrity.
  • Tests CORS configuration for overly permissive policies.
  • Collects page metadata (title, favicon, meta description, redirects).

What the scanner does NOT do

  • It does not modify, write to, or alter your application in any way.
  • It does not attempt to exploit, penetrate, or gain unauthorized access.
  • It does not submit forms, create accounts, or interact with authenticated areas.
  • It does not brute-force passwords or attempt credential stuffing.
  • It examines only publicly accessible information — the same information available to any web browser or HTTP client.

Scanner identification

Our scanner identifies itself via the HTTP User-Agent header as CheckYourVibe-Scanner/0.1. Site owners can use this identifier to recognize, allow, or block our scanner. In certain cases where a site requires browser-like access for a successful page load, the scanner may use a standard browser User-Agent string.
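As an added illustration (not code from CheckYourVibe), the following script shows how a site owner could review their own web server access log for requests carrying the CheckYourVibe-Scanner/0.1 User-Agent, list the paths it probed, and confirm that every such request used a read-only HTTP method. It assumes logs in the common Combined Log Format; the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Combined Log Format (not taken from any real server).
# Three requests carry the scanner User-Agent named in the policy; one is a browser.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Mar/2026:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "CheckYourVibe-Scanner/0.1"
203.0.113.10 - - [23/Mar/2026:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "CheckYourVibe-Scanner/0.1"
198.51.100.7 - - [23/Mar/2026:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Mar/2026:10:00:04 +0000] "HEAD /admin HTTP/1.1" 401 0 "-" "CheckYourVibe-Scanner/0.1"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA_PREFIX = "CheckYourVibe-Scanner/"   # identifier stated in the policy
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}      # methods consistent with a read-only scan


def parse_log(text):
    """Parse Combined Log Format lines into dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def scanner_activity(entries):
    """Summarise requests that identify as the CheckYourVibe scanner.

    Returns (paths_probed, status_counts, non_readonly). non_readonly lists any
    scanner request whose method is not GET/HEAD/OPTIONS, which would contradict
    the read-only behaviour the policy describes and is worth investigating.
    """
    scanner = [e for e in entries if e["ua"].startswith(SCANNER_UA_PREFIX)]
    paths = [e["path"] for e in scanner]
    statuses = Counter(e["status"] for e in scanner)
    non_readonly = [e for e in scanner if e["method"] not in SAFE_METHODS]
    return paths, statuses, non_readonly


if __name__ == "__main__":
    paths, statuses, bad = scanner_activity(parse_log(SAMPLE_LOG))
    print("scanner probed:", paths)
    print("status counts:", dict(statuses))
    print("non read-only scanner requests:", len(bad))
```

Feeding a real access log into parse_log in place of SAMPLE_LOG gives the same summary for a site's actual traffic.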

4. Cookies & Local Storage

We use cookies and local storage strictly for functionality and analytics — never for advertising or cross-site tracking.

Cookie / Storage      | Type                              | Purpose                                    | Duration
access_token          | httpOnly, Secure, SameSite=Strict | Session authentication                     | 30 minutes
refresh_token         | httpOnly, Secure, SameSite=Strict | Token refresh without re-login             | 30 days
PostHog (first-party) | Cookie + localStorage             | Anonymous session continuity for analytics | Session
Google Analytics      | First-party cookie                | Anonymous page view tracking               | Up to 2 years

We set no third-party advertising cookies and do not use cookies for ad targeting, retargeting, or cross-site tracking. Authentication cookies are httpOnly and cannot be accessed by JavaScript, protecting against XSS attacks.

5. Third-Party Services

We rely on the following third-party services to operate CheckYourVibe. Each receives only the minimum data necessary for its function.

Stripe — Payment Processing

Receives your email address and payment details to process subscriptions. We only receive back your Stripe customer ID and subscription status. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy

Resend — Transactional Email

Receives your email address and email content to deliver scan notifications, magic link logins, security alerts, and account communications. Resend Privacy Policy

PostHog — Product Analytics & Error Tracking

Receives anonymized usage events, error reports, web performance metrics, and session recordings (with PII masking). Used solely to improve the Service. Not used for advertising or user profiling. PostHog Privacy Policy

Google Analytics — Website Traffic

Receives anonymous page view data and session information to help us understand website traffic patterns. We do not enable advertising features or user-level tracking. Google Privacy Policy

Render — Hosting & Infrastructure

Hosts our application servers and PostgreSQL database on US-based infrastructure. Data is encrypted in transit and at rest. Render Privacy Policy

Your scan results, site URLs, and vulnerability findings are never shared with any third party. This data stays within our own infrastructure.

6. Data Storage & Security

We take the security of your data seriously and implement the following measures:

  • Encryption in transit — all communication between your browser and our servers uses TLS (HTTPS). API-to-database connections are also encrypted.
  • Encryption at rest — your data is stored in a managed PostgreSQL database with server-level encryption on US-based infrastructure.
  • Password hashing — passwords are stored using secure, one-way hashing algorithms. We cannot retrieve your original password, and passwords are never logged or exposed in error reports.
  • Short-lived tokens — authentication access tokens expire after 30 minutes. Refresh tokens extend sessions up to 30 days without re-entering credentials.
  • httpOnly cookies — authentication tokens are stored in httpOnly, SameSite=Strict cookies that cannot be accessed by client-side JavaScript, protecting against cross-site scripting (XSS) attacks.
  • Same-origin proxy — the frontend proxies API requests through a same-origin server route, eliminating cross-origin token exposure.
  • No credit card storage — all payment data is handled by Stripe. We never see, process, or store your full card number.
  • Rate limiting — login attempts and API requests are rate-limited to prevent brute-force attacks and abuse.

While we implement industry-standard security practices, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability and promptly addressing any security incidents.

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy.

Data Type                           | Retention Period
Anonymous scan results (no account) | Automatically deleted after 90 days
Free Preview account data           | Retained during evaluation period; may be deleted after a reasonable period following expiry
Active paid subscriber data         | Retained while your subscription is active
Canceled subscription data          | Retained until end of billing period, then for a reasonable period to allow re-subscription
Deleted account data                | Permanently removed within 30 days of deletion request
Anonymized analytics                | Not subject to deletion (cannot be linked to individuals)
Email delivery logs                 | Retained for up to 90 days for deliverability monitoring

8. Your Rights

Regardless of where you are located, we provide the following rights to all users:

  • Access — view your scan history, site data, and account information at any time through your dashboard.
  • Deletion — request deletion of your account and all associated data by contacting us at privacy@checkyourvibe.dev. Deletion is completed within 30 days.
  • Correction — update your email address and account settings through the Service. For other corrections, contact us.
  • Data export — request a copy of your data in a standard, machine-readable format by contacting us.
  • Opt-out of analytics — disable PostHog and Google Analytics using a browser extension that blocks analytics scripts, or contact us to opt out server-side.
  • Email preferences — manage notification preferences in your account settings. Transactional emails essential to the Service (such as magic link logins) cannot be disabled.
  • Withdraw consent — you can stop using the Service and request account deletion at any time.

To exercise any of these rights, email us at privacy@checkyourvibe.dev. We will respond within 30 days.

9. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to know — you can request that we disclose what personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to delete — you can request that we delete the personal information we have collected from you, subject to certain exceptions.
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
  • No sale of personal information — we do not sell your personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.

To submit a CCPA request, email privacy@checkyourvibe.dev with the subject line "CCPA Request."

10. European & International Users

CheckYourVibe is hosted on US-based infrastructure. If you access the Service from outside the United States, including from the European Economic Area (EEA), your data will be transferred to and processed in the United States.

Legal basis for processing (GDPR)

If you are in the EEA, we process your personal data on the following legal bases:

  • Contract performance — processing necessary to provide the Service you requested (account management, scans, results delivery).
  • Legitimate interests — improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
  • Consent — where applicable, such as for optional analytics and marketing communications. You can withdraw consent at any time.
  • Legal obligation — processing required to comply with applicable laws.

Your additional rights under GDPR

  • Data portability — receive your personal data in a structured, commonly used, machine-readable format.
  • Restriction of processing — request that we limit how we use your data in certain circumstances.
  • Object to processing — object to processing based on legitimate interests.
  • Lodge a complaint — you have the right to lodge a complaint with your local data protection authority.

We apply the same data protection standards to all users regardless of location. By using the Service, you acknowledge that your data will be transferred to and processed in the United States.

11. Children's Privacy

CheckYourVibe is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child under 18 has provided us with personal information, please contact us at privacy@checkyourvibe.dev and we will promptly delete the information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on file with your account) or by posting a prominent notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision.

Non-material changes (such as formatting or clarifications) may take effect immediately. Continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you do not agree to a revised policy, you should stop using the Service and may request account deletion.

13. Contact

If you have any questions about this Privacy Policy, how we handle your data, or wish to exercise any of your rights, contact us at:

privacy@checkyourvibe.dev

We aim to respond to all privacy-related inquiries within 30 days.

© 2026 CheckYourVibe. All rights reserved.