Vibe Toolbox

Privacy Policy

Your repo stays local. Accounts and billing live in the cloud.

Last updated May 21, 2026. This policy explains what Vibe Toolbox processes for the public website, account console, desktop entitlement system, and support workflows.

Default Boundary

Local-first

Source code, prompts, diffs, terminal output, and model responses stay on your machine by default.

Cloud Purpose

Accounts

Vibe Toolbox Cloud handles identity, billing state, release access, entitlements, and opt-in support.

Telemetry

No prompt telemetry

We do not silently collect prompts, diffs, terminal output, or model responses.

Data Boundary

What stays local, and what touches cloud.

Local by default

  • Project files, repositories, worktrees, and base branch metadata
  • Prompts, model output, transcripts, and structured agent events
  • Execution diffs, prompt markers, checkpoint commits, and review notes
  • Terminal output, test runs, browser sessions, and Playwright artifacts
  • Rules, hooks, MCP capability data, audit entries, todos, and recovery state

Owned by the desktop app, local daemon, and your local project storage.

Processed by cloud services

  • Email address, GitHub identity, and account identifiers used for sign-in
  • Stripe customer, subscription, invoice, and entitlement status metadata
  • Signed desktop license entitlement and device activation records
  • Release access metadata, such as which version is available to your account
  • Support diagnostics only when you intentionally export and send them

Used for sign-in, billing, license entitlement, release access, support, and future team collaboration.

Local-first by design

Your repo stays local. The cloud handles accounts, not your source.

Vibe Toolbox runs agent CLIs locally, stores project and session state in a local SQLite database, and only talks to the cloud for what the cloud should actually do.

On your machine

  • desktop app + daemon
  • local SQLite store
  • agent CLIs (Codex, Claude)
  • local repos + worktrees
  • prompts · diffs · terminal output

Vibe Toolbox Cloud

  • account + GitHub identity
  • signed entitlement (Stripe)
  • release access
  • hosted team relay (planned)
  • opt-in diagnostics
default boundary: source code, prompts, diffs, terminal output, and model responses never leave the device.

What stays on your machine

  • Project files and worktrees
  • Prompts and model output
  • Execution diffs and checkpoint commits
  • Terminal, test, browser, and Playwright output
  • Audit events, todos, rules, and MCP capability data

What the cloud touches

  • Email + GitHub identity for sign-in
  • Stripe subscription + signed entitlement
  • Up to 3 device activations + offline grace
  • Hosted relay (only when paid Team ships)
  • Diagnostics — only when you export them
windows-first · signed updater

Policy Details

How specific data is handled.

Website And Account Data

The public website is mostly static. Account pages use browser-safe Supabase configuration for GitHub sign-in, subscription state, and license management. We process the minimum account data needed to authenticate you, show billing state, issue entitlements, and enforce device limits.

  • Supabase stores account identity, auth session records, license state, and device activation metadata.
  • GitHub provides OAuth identity information when you choose GitHub sign-in.
  • The website may generate standard CDN or server access logs, including IP address, user agent, request path, and timestamp.
  • We do not use Google Analytics. If privacy-conscious analytics are added later, this policy will be updated before launch.

Billing

Payments, subscriptions, payment methods, invoices, tax details, and card data are handled by Stripe. Vibe Toolbox stores Stripe identifiers and subscription status so the website and desktop app can determine whether an account has an active trial or paid entitlement.

Desktop App Boundary

Vibe Toolbox is designed around a local daemon and per-project local storage. The product does not upload your repositories, prompts, diffs, terminal output, or model responses to Vibe Toolbox Cloud by default.

  • Local data stays in storage owned by the desktop app and local daemon.
  • Cloud services are used for account identity, subscription entitlement, release access, and explicit support workflows.
  • A future hosted Team relay may transmit shared-session presence and read-only collaboration payloads only when a team member opens a shared session.

AI Providers

Vibe Toolbox launches agent CLIs and configured runtimes locally. If you use Codex, Claude Code, Ollama, LM Studio, or another OpenAI-compatible endpoint, that provider or local runtime receives whatever you send through its own toolchain. Vibe Toolbox Cloud does not proxy prompts or source code for those runtimes.

Diagnostics And Support

Diagnostics are opt-in. The app can prepare a support bundle locally, and you decide whether to send it. Review diagnostics before sharing and remove secrets, credentials, proprietary source, or any other data you do not want included.

  • Diagnostics are intended for troubleshooting crashes, account state, updater issues, and support requests.
  • We do not silently collect prompts, diffs, terminal output, or model responses as telemetry.
  • Support messages and attachments may be retained as long as needed to resolve the request and maintain operational records.

Cookies And Browser Storage

The website uses essential browser storage for account sessions and product flows. Supabase may store authentication tokens in the browser when you sign in. Stripe may use cookies or storage on Stripe-hosted checkout and billing portal pages under Stripe policies.

Retention And Deletion

We retain account, entitlement, and device activation records while your account is active or as needed for billing, security, abuse prevention, legal, and operational requirements. You can request account deletion or data access by contacting us.

  • Billing records may need to be retained for tax, accounting, dispute, and fraud-prevention requirements.
  • Deleting a Vibe Toolbox account does not automatically delete records held by GitHub, Stripe, your AI provider, or any local files on your machine.
  • Local project data is under your control on your device and can be removed from the desktop app or filesystem.

Security

Production secrets such as Stripe secret keys, Supabase service-role keys, webhook secrets, and entitlement signing keys are kept out of browser code and out of this website repository. Account and billing flows use HTTPS and provider-hosted authentication or payment surfaces.

Subprocessors

Vibe Toolbox uses a small set of infrastructure providers to run account, billing, release, and website workflows. These providers process data only for the services described in this policy.

  • Supabase: authentication, account database, license state, and Edge Functions.
  • Stripe: checkout, billing, subscriptions, invoices, and payment method handling.
  • GitHub: OAuth identity and repository-related flows that you authorize.
  • DigitalOcean and Cloudflare: website hosting, delivery, DNS, TLS, and related access logs.

Contact

Questions, access, or deletion requests

Email [email protected] for privacy questions, data access requests, correction requests, or deletion requests.