privacy policy.
v1-2026-04-19. Public summary. Canonical master in /legal/privacy-policy-v1-2026-04-19.md (bilingual EN / ES).
1. controller
Javier (individual, Spain, trading as Vibe Coding Eye). Contact for data subject requests: dsr@vibecodingeye.com.
2. what we process
- Of the Customer: email, name, GitHub username/org, optional company name, optional MRR range, industry, Polar customer data.
- Of the Customer's repository: full repository content accessed via read-only GitHub App. The Customer warrants that its repositories do not contain special categories of data (Art. 9 GDPR) or data of minors.
- Metadata: scan logs, findings, health-score history, AI Concierge messages.
3. legal basis (Art. 6 GDPR)
- Delivery of contracted service: Art. 6(1)(b).
- Compliance with tax/legal obligations: Art. 6(1)(c).
- Legitimate interest in product security and fraud prevention: Art. 6(1)(f).
- Marketing and optional AI routing: consent, Art. 6(1)(a).
4. sub-processors & third-country transfers
Full list, purposes and transfer mechanisms in /legal/subprocessors. US transfers (Anthropic, OpenRouter, HeyGen) happen under EU Standard Contractual Clauses. The Customer expressly consents to this routing at signup.
5. retention
- Scan snapshots: 12 months (enables Sentinel diff over time).
- Audit PDFs: 12 months from delivery.
- AI Concierge messages: 14 days active access + 90 days in logs for support.
- Webhook event logs: 90 days.
- Backups: 30 days.
- Post-account-deletion purge: 30 days.
- Legal / tax records (invoices): 6 years (Spanish accounting law).
A weekly cron records every purge in the data_lifecycle_log table as evidence under Art. 5(1)(e).
6. data subject rights (Art. 15-22 GDPR)
Access, rectification, erasure, portability, restriction, objection and the right not to be subject to solely automated decisions with significant effects. Request via dsr@vibecodingeye.com; response within 30 days. You may also lodge a complaint with the AEPD (Spain).
7. automated decision-making
The scanner suggests findings; the Customer decides whether to act. The AI Concierge assists but does not make decisions with significant effects on the Customer. No Art. 22(1) profiling is performed.
8. security
- Encryption at rest (Supabase) and in transit (TLS 1.3).
- Row-Level Security policies scoped to profile_id.
- MFA required for administrative access.
- Signed webhooks; ephemeral scan sandbox in Vercel Functions.
- Incident notification ≤72h per Art. 33 GDPR.
9. cookies
Only essential cookies (auth) are set by default. Optional Sentry error-reporting cookie is set only after explicit consent via banner. Details in /legal/cookies.
10. changes
Material changes will be emailed to active Customers 30 days in advance. Current version: v1-2026-04-19.