Privacy Policy

Last updated: March 2026

This Privacy Policy describes how VibeStack ("we", "us", "our") collects, uses, and shares your personal data when you use our AI-powered app builder platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

VibeStack
Email: hello@vibestackhq.com

2. What Data We Collect

We collect and process the following categories of personal data:

• Account data: Email address and account credentials, managed through Supabase Auth.

• Project data: Prompts you submit, generated code, and chat history associated with your projects.

• Usage metrics: Token counts, credit consumption, and generation metadata.

• Payment information: Billing details processed through Stripe. We do not store your full payment card details on our servers.

• Technical data: Error logs, performance data, and browser metadata collected through Sentry for error monitoring.
  
  

3. Legal Basis for Processing

We process your personal data under the following legal bases as defined by GDPR Article 6:

• Contractual necessity (Article 6(1)(b)): Account data, AI code generation (including sending prompts to AI providers), and payment processing are necessary to deliver the core service you signed up for.

• Legitimate interest (Article 6(1)(f)): Error monitoring via Sentry and AI observability via Langfuse are processed under our legitimate interest in maintaining service quality and reliability. You may opt out of non-essential monitoring through your cookie preferences.
  
  
  

4. Third-Party Recipients

We share your data with the following third-party processors to deliver our service:

Anthropic (US) serves as the AI model provider receiving prompts and conversation history for code generation; Stripe (US) handles payment processing; Supabase (US, AWS) manages database and authentication; Sentry (US) provides error monitoring and performance tracking; Langfuse (EU) handles AI observability and prompt tracing; GitHub (US) hosts code repositories for generated apps; Daytona provides a sandbox execution environment for code generation; and Vercel (US) handles deployment hosting for generated apps.

5. AI Processing Disclosure

VibeStack is an AI-powered code generation platform. It is important that you understand how your data is used in this context:

• Your prompts and conversation history are sent to Anthropic's Claude AI models for code generation. This is the core service you signed up for and is processed under contractual necessity.

• Anthropic processes your data under their Data Processing Agreement (DPA) and does not use your prompts or generated outputs to train their models.

• Generated code is stored in private GitHub repositories linked to your account.

• AI observability data, including traces, token counts, and prompt metadata, may be sent to Langfuse for quality monitoring and service improvement.

• No automated decision-making with legal or significant effects is performed. AI generation is a tool you direct through your prompts..
  
  

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), primarily the United States. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, as well as additional technical and organizational measures where appropriate.

7. Data Retention

We retain your data for the following periods:

• Account data: Retained until you delete your account, plus 30 days for backup and recovery purposes.

• Projects and chat history: Retained until you delete the project or your account.

• Usage events: Retained for 7 years to meet accounting and legal requirements.

• Sandbox data: Automatically deleted within 30 minutes of session end. Sandbox environments are ephemeral and not persisted.

• Payment records: Retained per Stripe's data retention policy and applicable financial regulations.
  
  

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15): You may request a copy of the personal data we hold about you.

• Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.

• Right to erasure (Article 17): You may request deletion of your personal data, subject to legal retention obligations.

• Right to data portability (Article 20): You may request your data in a structured, commonly used, machine-readable format.

• Right to object (Article 21): You may object to processing based on legitimate interest, including error monitoring and AI observability.

• Right to withdraw consent (Article 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at hello@vibestackhq.com. We will respond within 30 days.

9. Cookies

We use cookies and similar technologies for authentication, user preferences, and analytics. You can manage your cookie preferences through our cookie consent banner. Essential cookies required for the service to function cannot be disabled.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice on our platform. Your continued use of VibeStack after any changes constitutes acceptance of the updated policy.

11. Contact

For any questions, concerns, or data requests related to this Privacy Policy, please contact us at:

hello@vibestackhq.com