Privacy Policy
Last updated: 2026-04-26 — version 1. Compliant with GDPR (EU Reg. 2016/679), the Italian Privacy Code (D.Lgs. 196/2003), and the Italian Garante guidelines.
1. Data controller
VibeCoded Tools is operated by Martino Cesaratto (P.IVA: 17127741001).
Privacy contact email: team@vibecodedtools.com.
No Data Protection Officer (DPO) has been appointed — the controller does not meet the GDPR Art. 37 mandatory criteria (no large-scale systematic monitoring, no large-scale special category processing).
2. What data we collect and why
Waitlist: name, email address, locale preference (en/it), product slug. Collected via our website form and stored in our Supabase database. A confirmation email is sent by a Supabase edge function via IONOS SMTP; we do not use third-party email-marketing platforms.
Paid customers (future): license key, machine-id hash (no plaintext hardware identifier), billing email via Lemon Squeezy.
Orchestrator telemetry: defaults to OFF. The installer asks you explicitly; if you select No (default), no data is ever sent. You can change this any time in launcher settings.
Cookies: only basic technical cookies. Analytics/marketing cookies require explicit consent (see Cookies section below).
3. Legal basis for processing (GDPR Art. 6)
Waitlist: legitimate interest (Art. 6.1.f) in communicating with users who explicitly asked to be notified at launch. You can object at any time (see Rights section).
Subsequent marketing emails (newsletter): explicit consent (Art. 6.1.a). Separate opt-in checkbox, unambiguous, one-click revocation.
Paid customers: contract performance (Art. 6.1.b).
Minimal security log retention: legitimate interest in protecting infrastructure (Art. 6.1.f).
4. Recipients of personal data
Supabase Inc. (United States, us-east-1 region) — operational database, backend, and edge functions that send transactional email. SCC + DPA. We are evaluating migration to the eu-central region to reduce extra-EU transfer.
IONOS SE (Germany, EU) — transactional SMTP provider (single channel) invoked by the Supabase edge function for waitlist confirmation emails and GDPR-request acknowledgements. Processing inside the EEA; no extra-EU transfer for the email flow.
We do not use third-party email-marketing platforms (e.g. Mailchimp, Loops, ConvertKit, Resend). All transactional email is sent directly from our own Supabase + IONOS infrastructure.
Vercel Inc. (United States) — site hosting and access logs. SCC + DPA.
Lemon Squeezy LLC (United States, Stripe subsidiary) — payment and invoicing handling, paid customers only. SCC + DPA.
We do not sell, rent, or transfer your data to third parties for profiling or targeted advertising.
5. Transfer outside the EU (GDPR Art. 44-49)
Supabase, Vercel, and Lemon Squeezy are based in the United States. Transfers are based on the Standard Contractual Clauses adopted by the EU Commission in 2021 (Decision 2021/914) and, where the vendor is currently certified, on the EU-US Data Privacy Framework. IONOS is EEA-based and does not involve an extra-EU transfer.
Each non-EU vendor's DPF certification status (Vercel, Supabase, Lemon Squeezy) is verified against the public DPF list at https://www.dataprivacyframework.gov/list and tracked in our internal compliance register (site/docs/PRIVACY_COMPLIANCE.md). Signed DPAs with all sub-processors are on file with the controller and available on request.
Before the paid Pro launch we plan to migrate Supabase to an EU region (Frankfurt or Ireland) — trigger: 50+ EU customers, or a Garante ruling on Schrems II risk for US-hosted Supabase.
6. Retention period
Waitlist: 12 months from last interaction (email open, click). After this period, data is deleted or anonymised.
Paid customers: for the duration of the subscription + 10 years for Italian tax obligations (DPR 633/1972 + Art. 2220 Civil Code). Operational details (machine-id hash, logs) are deleted 12 months after the contract ends.
Site access logs (Vercel): 30 days.
Opt-in orchestrator telemetry (if user-enabled): retained in aggregated form for 90 days; individual events deleted after 30 days.
7. Your rights (GDPR Art. 15-22)
You have the right to access your data, rectify it, erase it, obtain its portability, object to processing, and withdraw consent at any time.
To exercise any of these rights, write to team@vibecodedtools.com. We respond within 30 days (Art. 12.3 GDPR), extendable once by another 60 days for complex requests.
You also have the right to lodge a complaint with the Italian Garante (https://www.gpdp.it), Piazza Venezia 11, 00187 Rome, Italy — phone +39 06 696771 — or with the supervisory authority of your EU member state of residence.
8. Required vs optional data
Waitlist: providing name and email is optional. If you don't provide them, we simply cannot notify you at launch.
Paid customers: providing email and billing data is required to complete purchase (contract performance and tax obligations). Without these, purchase is not possible.
9. Automated decision-making and profiling
We do not perform automated decision-making or profiling producing legal effects on the user (GDPR Art. 22).
The Pro tier RL reranker is a client-side component running on your machine; it sends no data to us and has no effect on other users.
10. Cookies
We use only technical cookies for essential site functions (language preference, cookie consent state). These do not require prior consent.
Analytics and marketing cookies: we currently do not install third-party analytics cookies (no Google Analytics, no Plausible, no Vercel Analytics). If we introduce them in the future, a consent banner compliant with the Italian Garante guidelines (10 June 2021) will appear: X in upper right to close without consent, equally weighted 'Reject' and 'Accept All' buttons, 'Customize' option with categories deselected by default.
Current consent state and revocation: click 'Cookie settings' in the footer.
11. Privacy by design (open-source orchestrator)
The orchestrator is designed to minimise data collection. Telemetry defaults to OFF; the installer asks you explicitly, and if you select No (default) no data is ever sent.
You can toggle telemetry any time in the launcher: Settings → Preferences → Privacy.
You can audit what would be sent by running `vct-cli telemetry pending` — it returns the exact pending payload.
All knowledge graph and code graph data stays on your machine. It is never transmitted to our servers.
12. Changes to this policy
Last updated: 2026-04-26 — version 1.
Material changes (recipient changes, legal basis changes, retention period changes) will be notified via email to registered users with at least 30 days' notice.
Version history is available in the website repository's GitHub changelog.
Questions? Email team@vibecodedtools.com.