Privacy Policy

Last Updated: January 5, 2026

1. Introduction

Shaharia Lab OÜ ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and share information about you when you use our website (vibexp.io) and our AI workflow platform (the "Service").

Data Controller:

Shaharia Lab OÜ
Registry Code: 16738191
Address: Ahtri tn 12, Tallinn, Estonia
Email: hello@vibexp.io

2. Information We Collect

We collect information in three categories:

A. Information You Provide

  • Account Data: When you register, we collect your email address, name, and password (hashed).
  • User Content (The "VibeXP Core"): We store the content you upload to the infrastructure, including:
    • Prompts & Templates
    • Memories (Context Data)
    • Artifacts (Code, Text, Files)
    • A2A Agent Configurations & Conversation Logs
    • API Keys (Stored encrypted) for third-party tools
  • Billing Information: If you subscribe to a paid plan, our payment processor (e.g., Stripe) collects your payment details. We do not store full credit card numbers on our servers.

B. Information Collected Automatically

  • Usage Logs: Information about how you access the Service (timestamps, feature usage, API calls) to ensure system stability and security.
  • Device Data: IP address, browser type, and operating system.
  • Cookies & Trackers: We use Google Analytics and Google Tag Manager. We only activate these non-essential cookies after you have given explicit consent via our Cookie Banner.

3. How We Use Your Data

We process your data for the following purposes and legal bases (GDPR Art. 6):

Purpose | Type of Data | Legal Basis
To Provide the Service (Authentication, storing prompts, running MCP) | Account Data, User Content | Contractual Necessity
Billing & Payments | Billing Data | Contractual Necessity
Security & Fraud Prevention | Usage Logs, IP Addresses | Legitimate Interest
Analytics & Improvements | Anonymized Usage Data | Consent (via Cookie Banner)
Legal Compliance (Accounting, Tax) | Transaction History | Legal Obligation (Estonian Law)

Important Note on AI Training:
We DO NOT use your User Content (Prompts, Memories, Artifacts, Conversation Logs) to train our own foundational AI models. Your workspace data remains private to you.

4. Data Sharing and Sub-Processors

We do not sell your data. We share data only with third-party service providers ("Sub-processors") who help us run the infrastructure.

  • Hosting Providers: (e.g., AWS, Vercel, Supabase) – To host the database and application.
  • Payment Processors: (e.g., Stripe) – To process payments.
  • Analytics: (Google Analytics) – Only if you opt in via the banner.
  • Legal Authorities: If required by Estonian law or a valid court order.

5. International Data Transfers

Your personal data may be processed outside the European Economic Area (EEA). Whenever we transfer your data outside the EEA (e.g., to US-based cloud providers), we ensure protection through:

  • Adequacy Decisions: Transferring to countries deemed "safe" by the EU Commission.
  • Standard Contractual Clauses (SCCs): Legal contracts approved by the EU Commission to guarantee data protection.

6. Data Retention

  • Account Data: We keep your account active until you request deletion.
  • User Content: Retained as long as your account is active.
    • Deletion: If you delete your account, your content is removed from our live databases immediately (and from backups within 30 days).
    • Expired Subscriptions: If you downgrade or lapse on payment, we may retain "locked" data for a limited period (e.g., 90 days) to allow you to resubscribe, after which it may be permanently deleted.
  • Analytics Data: Retained for 14-26 months in Google Analytics.

7. Your Data Rights (GDPR)

Under the GDPR, you have the following rights:

  1. Right to Access: Request a copy of the personal data we hold about you.
  2. Right to Rectification: Correct inaccurate data.
  3. Right to Erasure ("Right to be Forgotten"): Request that we delete your account and all associated data.
  4. Right to Data Portability: Request an export of your Prompts, Memories, and Artifacts in a machine-readable format (JSON/CSV).
  5. Right to Object: Withdraw consent for cookies/tracking at any time.

To exercise these rights, email us at hello@vibexp.io. We will respond within 30 days.

8. Security

We use industry-standard security measures to protect your data, including:

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest (database encryption).
  • Access Control: Internal access to User Content is restricted to authorized personnel only for debugging critical issues.
  • API Key Safety: We encrypt the API keys you store with us.

However, no method of transmission over the Internet is 100% secure. You are responsible for keeping your password and API keys confidential.

9. Cookies

We use cookies to manage your session. For analytics (Google Analytics), we use a Consent Mode. These scripts are blocked until you click "Accept" on our Cookie Banner. You can manage your preferences at any time via the footer link on our website.

10. Updates to This Policy

We may update this policy from time to time. If we make significant changes, we will notify you via email or a prominent notice on the dashboard.

11. Contact Us

If you have questions about this Privacy Policy or your data, please contact our Data Protection Officer (DPO) / Privacy Team at:

Shaharia Lab OÜ
Email: hello@vibexp.io