Privacy Policy

Last updated: [UPDATE THIS DATE - e.g., January 15, 2025]

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address - Required for account creation and authentication
  • Name - Optional, for personalization
  • Profile picture - Optional, if you upload one or sign in with Google

Note: We use passwordless authentication via one-time codes (OTP). We do NOT collect or store passwords.

1.2 Google OAuth Data

If you sign in with Google, we receive from Google:

  • Your Google email address
  • Your Google profile name
  • Your Google profile picture (if public)
  • A unique Google user ID (to link your account)

We do NOT receive access to your Google account, Gmail, or other Google services. See Google's Privacy Policy for how Google handles your data.

1.3 Payment Information

If you purchase a paid subscription or product, payment is processed by Stripe. We collect:

  • Stripe Customer ID - To manage your subscription
  • Billing email - For receipts
  • Subscription status - Active, canceled, past_due, etc.

We do NOT store credit card numbers, CVV, or full payment details. Stripe securely handles all payment data. See Stripe's Privacy Policy.

1.4 User Content

Vibe to Ship allows you to upload and store files. We collect:

  • Files you upload - Stored in cloud storage (S3-compatible)
  • File metadata - Filename, size, type, upload date
  • Any content you create - [e.g., notes, documents, form submissions]

1.5 Usage Data

We automatically collect:

  • IP address - For security and fraud prevention
  • Browser type and version - For compatibility
  • Device type - Desktop, mobile, tablet
  • Pages visited and features used - To improve the service
  • Access times and dates - For security monitoring

1.6 Communications

We collect:

  • Support messages - When you contact customer support
  • Feedback submissions - If you use our feedback form
  • Email correspondence - Communications with our team

2. How We Use Your Information

We use your information to:

  • Provide the service - Create your account, authenticate you, deliver features
  • Process payments - Manage subscriptions and billing through Stripe
  • Send transactional emails - Login codes, receipts, service updates (cannot opt out)
  • Send marketing emails - Product updates, tips (you can opt out anytime)
  • Provide customer support - Respond to your questions and issues
  • Improve the service - Analyze usage patterns, fix bugs, add features
  • Prevent fraud and abuse - Detect suspicious activity, enforce terms
  • Comply with legal obligations - Respond to court orders, legal requests

3. Third-Party Services

We use the following third-party services to operate Vibe to Ship. Each has access to certain data as described:

Mailgun (Email Delivery)

Purpose: Sends one-time login codes and transactional emails

Data Shared: Email address, email content

Privacy Policy: mailgun.com/legal/privacy-policy

Stripe (Payment Processing)

Purpose: Processes payments and manages subscriptions

Data Shared: Email, name, Stripe Customer ID, payment data (handled by Stripe)

Privacy Policy: stripe.com/privacy

Google OAuth (Authentication)

Purpose: Allows sign-in with Google account

Data Shared: Google email, name, profile picture, user ID

Privacy Policy: policies.google.com/privacy

MongoDB Atlas (Database)

Purpose: Stores user accounts, metadata, and application data

Data Shared: All user data (encrypted at rest)

Privacy Policy: mongodb.com/legal/privacy-policy

Cloudflare R2 / AWS S3 (File Storage)

Purpose: Stores uploaded files

Data Shared: Uploaded files and metadata

Privacy Policy: cloudflare.com/privacypolicy

Vercel (Frontend Hosting)

Purpose: Hosts the web application

Data Shared: IP addresses, page visits (server logs)

Privacy Policy: vercel.com/legal/privacy-policy

Fly.io (Backend Hosting)

Purpose: Hosts the API backend

Data Shared: API requests, IP addresses (server logs)

Privacy Policy: fly.io/legal/privacy-policy

4. Data Storage & Security

4.1 Where We Store Data

Your data is stored in the following locations:

  • Database: MongoDB Atlas ([US/EU] region)
  • File Storage: Cloudflare R2 / AWS S3 ([US/EU] region)
  • Backend Servers: Fly.io ([US/EU] region)

4.2 Security Measures

We implement industry-standard security measures:

  • Encryption in transit - All data transmitted over HTTPS/TLS
  • Encryption at rest - Database and file storage encrypted
  • Secure authentication - JWT tokens with short expiry (15 min), refresh tokens (30 days)
  • Access controls - Limited employee access, role-based permissions
  • Regular backups - Automated daily backups with [X] day retention

Note: No security system is 100% secure. While we implement strong protections, we cannot guarantee absolute security.

5. Cookies & Tracking

5.1 Essential Cookies

We use cookies that are essential for the service to function:

  • jwt_token - Authentication token (expires: 15 minutes, HttpOnly, Secure)
  • refresh_token - Session refresh token (expires: 30 days, HttpOnly, Secure)

These cookies are strictly necessary and cannot be disabled. Without them, you cannot use Vibe to Ship.

5.2 Optional Cookies

[IF YOU ADD ANALYTICS: We use analytics cookies to understand how users interact with our service. You can opt out via our cookie banner or your browser settings.]

[IF YOU DON'T USE OPTIONAL COOKIES: We do not use analytics, marketing, or tracking cookies beyond the essential authentication cookies listed above.]

5.3 Managing Cookies

You can control cookies through your browser settings. However, blocking essential cookies will prevent you from using Vibe to Ship.

6. Data Retention

We retain your data as follows:

  • Active accounts: Data retained indefinitely while account is active
  • Deleted accounts: Data permanently deleted after 30 days (allows recovery period)
  • Uploaded files: Deleted immediately when you delete them, or 30 days after account deletion
  • Backups: Retained for [30-90] days for disaster recovery
  • Legal obligations: Some data may be retained longer to comply with tax, accounting, or legal requirements

7. Your Rights

You have the following rights regarding your data:

  • Access: Request a copy of your data (via Account Settings or contact hello@vibetoship.co)
  • Correction: Update inaccurate information (via Account Settings)
  • Deletion: Request deletion of your account and data (via Account Settings or contact hello@vibetoship.co)
  • Export: Download your data in portable format [JSON/CSV]
  • Objection: Object to processing of your data (contact hello@vibetoship.co)
  • Withdraw Consent: Opt out of marketing emails (unsubscribe link or Account Settings)

We will respond to requests within 30 days. Some requests may require identity verification.

8. GDPR Rights (EU Users)

If you are located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK), you have additional rights under the General Data Protection Regulation (GDPR):

8.1 Legal Basis for Processing

We process your data under the following legal bases:

  • Contract Performance: To provide the service you signed up for
  • Legitimate Interest: To improve our service and prevent fraud
  • Legal Obligation: To comply with tax and accounting laws
  • Consent: For marketing emails (you can withdraw anytime)

8.2 GDPR-Specific Rights

  • Right to be Forgotten: Request complete deletion of your data
  • Data Portability: Receive your data in machine-readable format
  • Restrict Processing: Limit how we use your data
  • Object to Processing: Object to data processing based on legitimate interest
  • Automated Decision-Making: We do not use automated decision-making or profiling

8.3 Data Protection Officer

[IF YOU HAVE A DPO: Our Data Protection Officer can be reached at: hello@vibetoship.co]

[IF NO DPO: For privacy questions, contact: hello@vibetoship.co]

8.4 Right to Complain

You have the right to lodge a complaint with your local data protection authority. Find your authority: EDPB Member List

9. CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

9.1 Your California Privacy Rights

  • Right to Know: Request disclosure of data collected, used, and shared in the past 12 months
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of sale of your personal information (see below)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

9.2 Do Not Sell My Personal Information

We do NOT sell your personal information to third parties. We have not sold personal information in the past 12 months and do not plan to do so.

9.3 Categories of Data Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (email, name)
  • Commercial information (subscription status, purchase history)
  • Internet activity (usage data, IP address)
  • User-generated content (uploaded files)

9.4 How to Exercise Your Rights

Email us at: hello@vibetoship.co with subject line "CCPA Request"

We will verify your identity and respond within 45 days.

10. Information Sharing

We do NOT sell your data. We only share data in these limited circumstances:

  • Service Providers: Third-party services listed in Section 3 (necessary to operate the service)
  • Legal Compliance: When required by law, court order, or government request
  • Business Transfers: If we are acquired or merge with another company (users will be notified)
  • Protection of Rights: To enforce our terms, prevent fraud, or protect safety
  • With Your Consent: Any other sharing requires your explicit consent

11. Data Breach Notification

In the event of a data breach that affects your personal information:

  • Notification Timeline: We will notify affected users within 72 hours of discovery (GDPR requirement)
  • Notification Method: Email to your registered address and website notice
  • Information Provided: Nature of the breach, data affected, steps we're taking, steps you should take
  • Authorities: We will report to relevant data protection authorities as required by law

12. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure adequate protection through:

  • Adequacy Decisions: Transferring to countries with EU adequacy decisions when possible
  • Standard Contractual Clauses: Using EU-approved data transfer agreements
  • Service Provider Safeguards: All third-party providers implement appropriate security measures

13. Children's Privacy

Vibe to Ship is not intended for children under [13/16/18] years old. We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@vibetoship.co. We will delete such information within 30 days.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Updating the "Last updated" date at the top of this page
  • Sending an email to your registered address (for significant changes)
  • Displaying a prominent notice on the website

Changes take effect immediately upon posting for new users, and 30 days after notification for existing users. Continued use after that date constitutes acceptance.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your data:

  • Email: hello@vibetoship.co
  • Address: [YOUR COMPANY ADDRESS]
  • Data Protection Officer: [DPO EMAIL, if applicable]

We will respond to all requests within 30 days.