1. Introduction

This Privacy Policy describes how AB Tech Drummondville ("we", "us", "our"), operator of VibeGuardian ("the Service"), collects, uses, and protects your personal information. We are committed to complying with applicable privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), applicable US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA), Canada's PIPEDA, and Quebec's Law 25.

2. Information We Collect

2.1 Account Information

When you sign in, we collect:

Email address — from your GitHub, Google, or email magic link provider
Display name — from your OAuth provider profile
Profile image URL — from your OAuth provider (not stored locally, fetched on demand)
OAuth tokens — stored encrypted in our database for repository access

2.2 Source Code (Temporary)

When you scan a repository or upload a .zip file:

Your code is cloned/extracted into a temporary, isolated directory
It is scanned by automated security tools and an AI model
The source code is deleted within minutes of scan completion
We never store, retain, or share your source code after the scan

Important: While the Service processes source code, it is not designed to process personal data. You should ensure that the code you submit does not contain real personal information (names, addresses, social security numbers, etc.) or live credentials (API keys, passwords, database connection strings). If your codebase contains such data, it may be temporarily transmitted to our AI provider (Anthropic) during the scan. You are responsible for removing or redacting sensitive data before submitting code to the Service.

2.3 Scan Results

We retain the following scan metadata:

Security score, grade, and finding summaries
Individual findings (severity, category, file name, line number, descriptions, suggested fixes)
Languages detected, file count, line count
AI audit cost and performance metrics

2.4 Payment Information

Payment processing is handled entirely by Stripe, Inc. (PCI DSS Level 1 certified). We never see, store, or process your credit card number, CVV, or full billing details. We only receive from Stripe: payment status, amount, currency, and a reference ID.

2.5 PDF Reports

Generated PDF reports are stored on our servers for 14 days from the date of purchase, then permanently deleted by an automated cleanup process. You are encouraged to download and save a local copy within this period.

2.6 Usage Data

We collect basic usage data including: pages visited, scan initiation events, error logs, and browser type. This data is used solely to improve the Service and diagnose technical issues. We do not use third-party analytics or advertising trackers.

3. How We Use Your Information

Provide the Service — scan your code, generate reports, deliver findings
Process payments — via Stripe for purchased reports
Send transactional emails — payment confirmations, PDF delivery, magic login links
Improve the Service — aggregate, anonymized usage metrics (scan counts, error rates)
Security — prevent abuse, rate limiting, fraud detection
Legal compliance — respond to lawful requests from authorities

We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. We have not sold personal information in the preceding 12 months and do not intend to do so.

4. AI Processing

Your code is processed by an AI model (Claude, by Anthropic) during the security audit. The AI analysis is performed via API — your code is sent to Anthropic's servers for processing and is subject to Anthropic's Privacy Policy. Anthropic does not use API inputs to train their models.

5. Third-Party Services

We use the following third-party services that may process your data:

Supabase (database hosting) — PostgreSQL, hosted in US-East
Vercel (web hosting) — serverless deployment, US
Railway (engine hosting) — scanning infrastructure, US
Cloudflare R2 (file storage) — temporary upload storage
Stripe, Inc. (payment processing) — PCI DSS Level 1 certified, US
Resend (email delivery) — transactional emails only, US
Anthropic (AI processing) — Claude API for security audit, US
GitHub / Google (authentication) — OAuth sign-in

Each third-party service processes data in accordance with its own privacy policy. We have selected providers that maintain industry-standard security practices.

6. Data Retention

Data Type	Retention Period
Source code	Deleted within minutes of scan completion
PDF reports	14 days from purchase, then permanently deleted
Scan results / findings	Retained until account deletion
Account information	Retained until account deletion
Payment records	Retained as required by tax law (up to 7 years)
Uploaded .zip files	Deleted within minutes of scan completion

7. Your Rights — US Residents

If you are a resident of California, Virginia, Colorado, Connecticut, Texas, or another US state with applicable privacy legislation, you have the following rights:

Right to Know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and the categories of third parties with whom we share it.
Right to Delete — You may request that we delete the personal information we have collected about you, subject to certain exceptions (e.g., legal obligations, fraud prevention).
Right to Correct — You may request that we correct inaccurate personal information.
Right to Opt-Out of Sale — We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. No opt-out is necessary, but you may contact us to confirm at any time.
Right to Non-Discrimination — We will not discriminate against you for exercising any of your privacy rights.

California Residents (CCPA/CPRA): Under the CCPA, "sale" includes sharing personal information for monetary or other valuable consideration. We do not engage in such practices. We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.

To exercise any of these rights, contact us at support@vibeguardian.dev. We will respond to verified requests within 45 days as required by applicable law.

8. Your Rights — Canadian Residents

Under Quebec's Law 25 and Canada's PIPEDA, you have the right to:

Access your personal information held by us
Correct inaccurate or incomplete information
Delete your account and associated data
Withdraw consent for data processing (by deleting your account)
Data portability — export your scan data
File a complaint with the Commission d'accès à l'information du Québec (CAI) or the Office of the Privacy Commissioner of Canada

To exercise these rights, contact us at support@vibeguardian.dev.

9. Your Rights — EU/EEA Residents (GDPR)

If you are a resident of the European Union, the European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR · EU 2016/679) and the UK GDPR:

Article 15 — Right to access · request a copy of the personal data we process about you, along with the processing context (purposes · third-party recipients · retention periods · your rights).
Article 16 — Right to rectification · request correction of inaccurate or incomplete data. Most fields are user-controlled via account settings.
Article 17 — Right to erasure · request deletion of your account and associated personal data. We anonymize financial records (payments · subscriptions · wallet ledger) per Article 6(1)(c) tax law obligations (typically 7 years post-deletion · jurisdiction-dependent) and delete everything else.
Article 18 — Right to restriction of processing · request that we limit how we process your data while a dispute about accuracy or lawfulness is being resolved.
Article 20 — Right to data portability · receive a copy of your data in a structured, commonly used, machine-readable format (JSON). You can transmit this data to another service.
Article 21 — Right to object · object to processing based on legitimate interest (e.g. opt out of marketing analytics · we PII-hash analytics payloads but you can still object). Account-related processing is contract-based and cannot be objected to without account deletion.
Article 22 — Automated decision-making · we do not use automated decision-making (including profiling) that produces legal or similarly significant effects on you. Our AI security audit analyzes code, not people.

Lawful basis for processing · we rely on Article 6(1)(b) (contract) for account management and service delivery, Article 6(1)(b)+(c) (contract + legal obligation) for payment processing, and Article 6(1)(f) (legitimate interest) for marketing analytics (with PII hashing).

Service Level Agreement · we respond to verified GDPR requests within 30 days per Article 12(3), extendable by 60 days for complex requests with notification.

Right to lodge a complaint · you may file a complaint with the supervisory authority of the EU/EEA member state in which you reside or where the alleged infringement occurred. A list of national Data Protection Authorities is available at edpb.europa.eu.

EU Representative (Article 27) · vibeguardian is established outside the EU (Quebec, Canada) and is in the process of designating an EU representative. Until then, EU/EEA users may contact us directly at support@vibeguardian.dev for any GDPR-related request.

To exercise any of these rights, contact us at support@vibeguardian.dev. We may need to verify your identity (typically via email magic link to the account email) before processing the request to prevent unauthorized access.

10. Cross-Border Data Transfers

AB Tech Drummondville is located in Quebec, Canada. However, the majority of our infrastructure and third-party service providers are located in the United States (Supabase, Vercel, Railway, Stripe, Anthropic, Resend). By using the Service, you acknowledge and consent that your personal information and source code may be transferred to, stored, and processed in the United States and Canada.

Data stored or processed in the United States is subject to US law, including potential access by US government agencies under applicable legal processes (e.g., court orders, subpoenas, or national security requests). We will comply with lawful requests from authorities in the jurisdictions where we operate.

We take appropriate safeguards to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including contractual obligations with our service providers.

11. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Since we do not use third-party tracking cookies or advertising trackers, we do not currently respond to DNT signals in a different manner. Our privacy practices remain the same regardless of DNT settings — we do not track you across third-party websites.

12. Cookies

We use essential cookies only, required for authentication (NextAuth session tokens, CSRF protection). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. The only localStorage item is a banner dismissal preference.

13. Security Measures

All data transmitted over HTTPS (TLS 1.3)
Database hosted on Supabase with encryption at rest
OAuth tokens stored encrypted in the database
Stripe handles all payment data (PCI DSS Level 1)
Source code never persisted — temporary processing only
Non-root Docker containers for the scanning engine
Rate limiting on all public endpoints
Timing-safe token comparison for authentication endpoints

14. Children's Privacy (COPPA)

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@vibeguardian.dev.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. If we make material changes, we will make reasonable efforts to notify you (e.g., via email or a prominent notice on the Service). We encourage you to review this page periodically.

16. Contact

For privacy inquiries or to exercise your rights under applicable privacy laws:

AB Tech Drummondville
Drummondville, Quebec, Canada
support@vibeguardian.dev