Privacy Policy

Effective date: March 17, 2026

Overview

AuditMyVibes ("we", "our", or "us") is a security and quality audit service for vibe-coded applications. This Privacy Policy explains what information we collect, why we collect it, and how we handle it when you use https://www.auditmyvibes.com and any related services.

We built AuditMyVibes for founders who ship fast. That philosophy extends to how we handle your data: collect only what we need, protect it seriously, and never surprise you.

The short version

We analyze your app to produce a security and quality report. We store your account details, audit results, and findings - but we never store your source code. Your GitHub access token is encrypted at rest and used only to read files during an active audit.

What We Collect

Account & profile data

  • Email address and display name (via Supabase Auth - email/password or OAuth)
  • Profile metadata: plan tier, billing cycle, usage counters
  • Timestamps for account creation and last sign-in

Project & audit data

  • Project name and the URL(s) you submit for scanning
  • Connected GitHub repository name (the owner/repo slug only, not a full clone)
  • Audit results: overall score, per-module scores, severity breakdown
  • Findings: issue title, description, severity, file path, and line reference
  • Shareable report slugs and view counts
  • Audit status and timestamps (created, started, completed)

Technical & usage data

  • Monthly scan usage counters (URL scans used, repo audits used)
  • File-level analysis cache entries: file path, content hash, and cached finding output (30-day TTL)
  • Audit file manifests: per-file hashes used to detect changes for incremental re-scans (purged 30 days after audit completion)
  • Browser type, IP address, and referrer (standard server logs - retained for 30 days)

Billing data

  • Subscription plan and status (free, launch_pack, pro, team)
  • Payment processing is handled entirely by DodoPayments - we never see or store card numbers, CVVs, or full payment details
  • Webhook events from DodoPayments to update your plan status

What We Never Store

Your source code is never stored on our servers.

When you connect a GitHub repository, we read your files directly from the GitHub API during the audit run. No files are cloned to disk, written to a database, or retained after the audit finishes. The only file-related data we keep is a hash of each file (for incremental re-scan detection) and cached AI analysis output keyed to that hash - never the raw file content itself.

Specifically, we never store:

  • Source code file contents of any kind
  • Full repository clones or archives
  • Raw secrets or credentials found during scanning (findings describe the location and pattern, not the secret value itself)
  • Screenshots of your live app beyond what is transiently processed by Lighthouse during a URL scan
  • Any data from your users - we only analyze your code and your deployed URL

How We Use Your Data

  • To run security, performance, SEO, legal, payment, and code-quality audits on your project
  • To display your audit results, findings, and score history in your dashboard
  • To generate shareable report links you can send to clients or teammates
  • To enforce plan limits (scan counts, project limits) and reset usage on billing cycles
  • To detect changed files on re-scans using file hashes, avoiding redundant AI calls
  • To send transactional emails (audit completion, billing receipts) - we do not send marketing email without opt-in
  • To improve audit accuracy and detection patterns over time (using aggregated, anonymised findings - never your identifiable code)

We do not sell your data, use it for ad targeting, or share it with third parties for their own marketing purposes.

Data Retention

Data                          Retention
----------------------------  ------------------------------------------------------------
Account & profile             Until you delete your account
Projects & audit metadata     Until you delete the project or account
Findings & scores             Until you delete the project or account
Shareable reports             Until you delete the project or account
File analysis cache           30 days from last cache write (auto-purged nightly)
Audit file manifests          30 days after audit completion (auto-purged nightly)
GitHub access token           Until you disconnect GitHub or delete your account
Server / access logs          30 days (rolling)
Source code file contents     Never stored

When you delete your account, all associated data (projects, audits, findings, reports, GitHub token, and usage records) is permanently deleted within 30 days.

GitHub Integration

Connecting a GitHub repository requires granting AuditMyVibes read access to your code. Here is exactly what we do with that access:

  • We request only read-only repository access - we never write to your repo
  • Your GitHub access token is stored encrypted using pgsodium vault encryption (AES-256). Even our own database queries use a decrypted view accessible only to the service role - the raw token is never exposed in logs or responses
  • The token is used exclusively to call the GitHub REST API during active audit runs (reading file trees and file contents)
  • File contents are streamed to our AI analysis pipeline and immediately discarded - they are never written to disk or database
  • You can disconnect GitHub at any time from your account settings, which immediately deletes the stored token

We do not access your GitHub data for any purpose other than running the audit you explicitly trigger.

Cookies & Analytics

AuditMyVibes uses a minimal set of cookies necessary to operate the service.

Essential cookies

  • Authentication session cookies (set by Supabase Auth) - required to keep you signed in
  • CSRF protection tokens - required for form security

Analytics

We currently do not run any analytics on this site. We plan to add privacy-friendly analytics (such as Google Analytics 4 or a self-hosted alternative like Plausible) in the future to understand general usage patterns - page views, feature adoption, and funnel drop-offs. When we do:

  • We will update this policy before enabling analytics
  • We will configure Google Analytics with IP anonymisation enabled
  • We will not use analytics data to build individual user profiles or for ad retargeting
  • Data shared with analytics providers will be subject to their respective privacy policies

No tracking pixels or third-party ad cookies

We do not use advertising cookies, social media tracking pixels, or any cross-site tracking technology.

Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access - request a copy of the personal data we hold about you
  • Correction - ask us to correct inaccurate or incomplete data
  • Deletion - request that we delete your account and all associated data
  • Portability - request your audit results and findings in a machine-readable format
  • Objection - object to certain processing activities (e.g., use of data for service improvement)
  • Withdrawal of consent - disconnect GitHub at any time, which immediately revokes our access to your repositories

To exercise any of these rights, email us at support@auditmyvibes.com. We will respond within 30 days. If you are located in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.

Deleting your account

You can delete your account at any time from Settings → Account. This permanently removes your profile, all projects, audits, findings, reports, and your encrypted GitHub token. Deletion is irreversible and completes within 30 days.

Security

We take reasonable technical and organisational measures to protect your data:

  • All data in transit is encrypted via TLS 1.2+
  • Data at rest is encrypted by Supabase (AES-256)
  • GitHub tokens are double-encrypted - stored via pgsodium vault on top of Supabase's at-rest encryption
  • Database access is restricted to service role credentials not exposed in client-side code
  • Audit job payloads contain only audit IDs, not raw credentials or code
  • We follow the principle of least privilege - each service component accesses only the data it needs

No method of transmission or storage is 100% secure. If you discover a security vulnerability in AuditMyVibes, please disclose it responsibly by emailing support@auditmyvibes.com.

Policy Changes

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the effective date at the top of this page
  • Post a notice in the app dashboard for signed-in users
  • For significant changes affecting how we process your data, send an email to the address on your account

Continued use of AuditMyVibes after a policy update constitutes acceptance of the revised policy. If you do not agree with the changes, you may delete your account at any time.

Contact

For any questions about this Privacy Policy or how we handle your data:

AuditMyVibes

Privacy enquiries

support@auditmyvibes.com

Also see our Terms of Service.

© 2026 AuditMyVibes. All rights reserved.