Privacy Policy
Last updated: 6 May 2026
1. Data controller
Vibe Code is operated by FremTech AS, org.nr. 937 616 236, Norway. For questions about your personal data, contact: contact@vibe-code.no
2. What data we collect
- Account data: name, username, email address, password (hashed)
- Profile data: bio, interests, city, county, LinkedIn URL, GitHub URL, avatar image
- Content you create: snippets, tools, comments, hub memberships
- Visibility context: your username and contributions are visible to other members in shared hubs, and to all logged-in users in public hubs
- Usage data: likes, code requests, join requests
- Saved snippets (bookmarks): when you save a snippet, we store the snippet's identifier, your user ID, and the time you saved it. Your saved list is private — only you can see it. You can remove any bookmark at any time from your saved list
- OAuth data: GitHub account ID and access token (if you sign in via GitHub)
When you begin registration, we temporarily store your email address, display name, username, and a hashed version of your password in a pending registration record. Your plaintext password is never stored. This record exists solely to complete email verification and is automatically deleted after 24 hours if unconfirmed.
2a. Anonymous use of /check (run and scan)
The page at /check is available without an account. Both the security scan and the in-browser runner (Python via Pyodide, R via WebR, HTML in a sandboxed iframe) execute entirely in your browser. Code you paste or run is never transmitted to, stored on, or processed by our servers.
For traffic monitoring and abuse prevention, we record one row per visit with the following fields:
- The language you selected (e.g. “python”)
- Whether you ran the code in the browser
- The resulting safety score (1–10), if you scanned
- The number of issues found, if you scanned
- Whether you downloaded the result and whether you clicked “Post to Vibe Code”
- A timestamp
These records contain no IP address, no user identifier, and no part of your code or any data files you uploaded. They cannot be linked back to you. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — operating and improving a public service. Retention: 12 months, after which records are deleted. Server access logs (see section 7a) record IP addresses for any visit to the site, including /check, but are not linked to these records.
The runner downloads its language runtime (Pyodide for Python, WebR for R) from third-party CDNs (jsdelivr.net, r-wasm.org) the first time you click Run. Those CDNs see your IP address as part of the standard HTTP request, the same as any external resource your browser fetches. We do not control or have access to those logs.
2b. Audit / event log
For platform security, abuse prevention, and accountability we record certain events when registered users take material actions. Each event row contains:
- The event type (e.g. user.register, hub.create, snippet.create, user.delete)
- Your user ID and email (the “actor”)
- The type and ID of the affected resource (the “target”)
- A short structured detail (e.g. snippet title, hub slug)
- A timestamp
We do not log IP addresses, browser information, or location in the event log. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — operating a secure, accountable platform. Retention: 24 months, then deleted.
We log registration attempts — including the email address submitted and the requester's IP address — for security monitoring. This includes attempts where the email is already associated with an existing account.
You may request a copy of event log entries where you are the actor, via Settings → Your data or by contacting us.
When you exercise your right to erasure (Art. 17), we anonymise your prior event log rows — your user ID and email are nulled, while the event type, target, and timestamp are retained as anonymous records under Art. 17(3)(e) for the defence of legal claims. The single user.delete event recording your erasure request retains your email as evidence you yourself invoked the deletion; this one row is also defensible under Art. 17(3)(e).
3. Why we process your data
Contract (Art. 6(1)(b)): Account creation, authentication, and delivering the service you signed up for — including saved snippets (bookmarks). Bookmarking is a feature of the platform you signed up to use; we process this data only to show you your saved list and to let you navigate back to snippets you have marked.
Legitimate interest (Art. 6(1)(f)): Security monitoring, rate limiting, preventing abuse. These activities are limited to what is necessary for platform security and do not involve profiling or tracking of user behaviour.
Consent (Art. 6(1)(a)): Optional profile fields (bio, interests, city, LinkedIn, GitHub). You can remove these at any time in Settings. You may withdraw your consent at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Pre-contractual measure (Art. 6(1)(b)): Pending registration data (email, name, username, hashed password) is processed at your request to complete email verification before account creation.
Legitimate interest, security (Art. 6(1)(f)): Registration-attempt logging and duplicate-email security notifications. If someone attempts to register using an email already in our system, we notify the existing account holder. The submitted password is never associated with the existing account.
4. How long we keep your data
- Account data: until you delete your account
- Pending registration records: deleted automatically after 24 hours, or immediately upon successful confirmation. Also deleted if the associated email requests account deletion.
- Password reset tokens: 1 hour
- Hub invitations: 7 days
- Declined join requests: deleted immediately on decline
- Session data: until you sign out or the session expires
- Hub content after leaving a professional hub: snippets and tools you created there remain in the hub — they belong to the hub, not your personal account
- Account deletion — personal hub: all your snippets, tools, and personal data are permanently deleted
- Account deletion — professional hubs: content you created there is kept and attributed to "Deleted user", unless you choose to delete it during the account deletion flow. This is based on the legitimate interest of the hub and its members (GDPR Art. 6(1)(f))
- Saved snippets: retained for as long as your account exists. When you delete your account, all your saved snippet records are deleted automatically. You can also remove individual bookmarks at any time, which deletes the record immediately. If a snippet you saved later becomes inaccessible to you (for example, the hub owner removed you), the bookmark is retained as a placeholder you can clear yourself — the underlying snippet data is not exposed
- Code checker (/check) scan records: 12 months from the scan date, then deleted
- Event log entries (see section 2b): 24 months from the event date, then deleted. Entries are anonymised immediately on account deletion.
4a. Professional hubs
When a user creates a Professional hub for work or client purposes, Vibe Code acts as a data processor on behalf of the hub owner, who is the data controller for content uploaded to that hub. Hub owners accept our Data Processing Agreement when creating a Professional hub and are responsible for ensuring the content complies with applicable data protection law. Data subjects with requests relating to hub content should contact the hub owner directly.
5. Where your data is stored
All data is stored on servers located in Norway, operated by Deploi. This includes platform data (database, files) and contact email (contact@vibe-code.no is hosted on Deploi's email service). No data is transferred to third-party cloud providers, except as described below.
5a. International data transfers
Two third-party services process limited personal data outside the EEA:
- Resend (resend.com) — used for transactional emails (invitations, password resets). Only your email address and email content are sent. Resend is a US-based company. Transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. See resend.com/privacy.
- GitHub OAuth (GitHub, Inc. / Microsoft) — only if you choose to sign in with GitHub. Your GitHub account ID and access token are processed by GitHub servers in the US. Transfers are covered by Standard Contractual Clauses. See GitHub Privacy Statement. If you prefer no data to leave the EEA, use email/password login instead.
6. Your rights under GDPR
- Right of access (Art. 15): Download all your data from Settings → Your data. The export includes your account details, content, saved snippets, and usage data
- Right to data portability (Art. 20): Export your data in a structured, machine-readable format from Settings → Your data
- Right to erasure (Art. 17): Delete your account from Settings → Delete account
- Right to rectification (Art. 16): Edit your profile at any time in Settings
- Right to object / restrict processing (Art. 21): Contact us at contact@vibe-code.no
- Right to withdraw consent (Art. 7(3)): Remove optional profile data at any time in Settings. Withdrawal does not affect prior processing.
- Right to lodge a complaint: You may contact Datatilsynet at datatilsynet.no
7. Cookies and sessions
Vibe Code uses a single session cookie to keep you logged in. The cookie expires after 30 days of inactivity or when you sign out. No tracking cookies, analytics cookies, or third-party advertising cookies are used.
7a. Server access logs
Our web server (Nginx) automatically logs each request, including your IP address, the URL requested, timestamp, and browser user agent. These logs are used solely for security monitoring and abuse prevention. Logs are rotated daily and retained for 14 days, after which they are automatically deleted.
7b. Backups
The platform database is backed up periodically for disaster recovery purposes. Backups are stored on the same server in Norway and are retained for 30 days, after which they are permanently deleted. Backups are not used for any purpose other than restoring the platform in the event of data loss. If you delete your account, your data will be removed from live data immediately; it may remain in backups for up to 30 days before being purged automatically.
8. Tools used to build this platform
Vibe Code is built with the following technologies and third-party services:
- Next.js — web framework (open source, self-hosted)
- PostgreSQL + Prisma — database, self-hosted in Norway
- Auth.js — authentication (open source, self-hosted)
- Deploi email hosting — contact@vibe-code.no is hosted on Deploi's email service, located in Norway. Only data you include in emails you send to this address is processed. See deploi.no
- Resend — transactional email delivery. Only your email address and the content of system emails (invitations, password resets) are processed by Resend. See resend.com/privacy
- GitHub OAuth — optional sign-in method. Only used if you choose to sign in with GitHub. See GitHub Privacy Statement
- Claude (Anthropic) — used by the platform developer to build and maintain this codebase. No user data is sent to Anthropic as part of normal platform operation.
9. Security measures
We protect your data using HTTPS/TLS encryption in transit, bcrypt password hashing, server-level access controls, and rate limiting on sensitive endpoints. The server is maintained and updated by the data controller.
9a. Policy changelog
- 6 May 2026: Added email-verified registration flow. New disclosures: temporary storage of pending registration data (up to 24 h, Art. 6(1)(b)), registration-attempt audit logging, and duplicate-email security notifications (Art. 6(1)(f))
- 5 May 2026: Updated section 2a — /check now also offers in-browser code execution (Pyodide / WebR / sandboxed iframe). Code still never reaches our servers. Anonymous record now also tracks whether code was run; safety score and issue count become optional fields recorded only when a scan was performed. Added note about third-party CDN runtime downloads
- 1 May 2026 (later): Added section 2b covering the audit / event log — what's recorded, legal basis (legitimate interest), 24-month retention, and the Art. 17 anonymisation pattern on account deletion
- 1 May 2026: Added section 2a covering the anonymous code checker (/check) — what scan records contain, legal basis (legitimate interest), and 12-month retention
- 27 April 2026: Updated data controller from Ragnhild Lereim to FremTech AS (org.nr. 937 616 236)
- 26 April 2026: Added backup retention policy (section 7b); updated minimum age from 13 to 16 (Personopplysningsloven §5)
- 15 April 2026: Added saved snippets (bookmarks) — new data category, legal basis Art. 6(1)(b), retention clarification, included in data export
10. Changes to this policy
If we make material changes to this policy, we will notify registered users by email or by a notice on the platform. The "last updated" date at the top of this page always reflects the most recent revision.
11. Review this policy yourself
You are welcome to copy the full text of this privacy policy and paste it into an AI assistant (such as Claude, ChatGPT, or similar) and ask: "Is this privacy policy in line with GDPR regulations? Are there any privacy concerns I should be aware of?" We believe transparency includes making it easy for you to verify our claims independently.
12. Age restriction
Vibe Code is not intended for users under 16 years of age, in line with the minimum age for consent to data processing under Norwegian law (Personopplysningsloven §5). We do not knowingly collect personal data from children. If you believe a child has registered an account, please contact us at contact@vibe-code.no and we will delete the account promptly.
13. Contact
For any privacy-related questions or requests: contact@vibe-code.no