Website And Account Data
The public website is mostly static. Account pages use browser-safe Supabase configuration for GitHub sign-in, subscription state, and license management. We process the minimum account data needed to authenticate you, show billing state, issue entitlements, and enforce device limits.
- Supabase stores account identity, auth session records, license state, and device activation metadata.
- GitHub provides OAuth identity information when you choose GitHub sign-in.
- The website may generate standard CDN or server access logs, including IP address, user agent, request path, and timestamp.
- We do not use Google Analytics. If privacy-conscious analytics are added later, this policy will be updated before launch.
Billing
Payments, subscriptions, payment methods, invoices, tax details, and card data are handled by Stripe. Vibe Toolbox stores Stripe identifiers and subscription status so the website and desktop app can determine whether an account has an active trial or paid entitlement.
Desktop App Boundary
Vibe Toolbox is designed around a local daemon and per-project local storage. The product does not upload your repositories, prompts, diffs, terminal output, or model responses to Vibe Toolbox Cloud by default.
- Local data stays in storage owned by the desktop app and local daemon.
- Cloud services are used for account identity, subscription entitlement, release access, and explicit support workflows.
- A future hosted Team relay may transmit shared-session presence and read-only collaboration payloads only when a team member opens a shared session.
AI Providers
Vibe Toolbox launches agent CLIs and configured runtimes locally. If you use Codex, Claude Code, Ollama, LM Studio, or another OpenAI-compatible endpoint, that provider or local runtime receives whatever you send through its own toolchain. Vibe Toolbox Cloud does not proxy prompts or source code for those runtimes.
Diagnostics And Support
Diagnostics are opt-in. The app can prepare a support bundle locally, and you decide whether to send it. Review diagnostics before sharing and remove secrets, credentials, proprietary source, or any other data you do not want included.
- Diagnostics are intended for troubleshooting crashes, account state, updater issues, and support requests.
- We do not silently collect prompts, diffs, terminal output, or model responses as telemetry.
- Support messages and attachments may be retained as long as needed to resolve the request and maintain operational records.
Cookies And Browser Storage
The website uses essential browser storage for account sessions and product flows. Supabase may store authentication tokens in the browser when you sign in. Stripe may use cookies or storage on Stripe-hosted checkout and billing portal pages under Stripe policies.
Retention And Deletion
We retain account, entitlement, and device activation records while your account is active or as needed for billing, security, abuse prevention, legal, and operational requirements. You can request account deletion or data access by contacting us.
- Billing records may need to be retained for tax, accounting, dispute, and fraud-prevention requirements.
- Deleting a Vibe Toolbox account does not automatically delete records held by GitHub, Stripe, your AI provider, or any local files on your machine.
- Local project data is under your control on your device and can be removed from the desktop app or filesystem.
Security
Production secrets such as Stripe secret keys, Supabase service-role keys, webhook secrets, and entitlement signing keys are kept out of browser code and out of this website repository. Account and billing flows use HTTPS and provider-hosted authentication or payment surfaces.
Subprocessors
Vibe Toolbox uses a small set of infrastructure providers to run account, billing, release, and website workflows. These providers process data only for the services described in this policy.
- Supabase: authentication, account database, license state, and Edge Functions.
- Stripe: checkout, billing, subscriptions, invoices, and payment method handling.
- GitHub: OAuth identity and repository-related flows that you authorize.
- DigitalOcean and Cloudflare: website hosting, delivery, DNS, TLS, and related access logs.
Contact
Questions, access, or deletion requests
Email [email protected] for privacy questions, data access requests, correction requests, or deletion requests.