1. Information we collect
Account identifiers: when you sign in via GitHub or Google, we receive a unique user ID, your display name, email, and avatar URL. We do not receive or store your password.
Device information: the device type, operating system, and a random device identifier generated during QR-code pairing. This is used to route messages to the correct device.
Session metadata: timestamps of pairings, approvals, rejections, and errors. This is used for audit logs and troubleshooting.
Session content: AI messages and prompts that are transmitted between VS Code and your mobile device. This content is encrypted in transit and not persisted on our servers beyond what is required to deliver it.
Camera: the app uses your device camera solely to scan QR codes during device pairing. No images or video are captured, stored, or transmitted.
2. How we use your information
To provide the Service: pairing your devices, routing messages, delivering notifications, and processing action approvals.
To keep the Service secure: detecting abuse, enforcing rate limits, and maintaining audit logs for your account.
To improve the Service: aggregated and anonymized usage metrics help us prioritize features and fix bugs.
We do not sell your personal information and we do not use your code or prompts to train AI models.
3. Legal bases for processing (EEA / UK)
We process your data on the basis of: (a) performance of a contract, to deliver the Service you requested; (b) legitimate interests, to keep the Service secure and improve it; and (c) your consent, where required (e.g., for optional analytics).
4. Data storage and security
All network traffic is protected with HTTPS/WSS. Session content is end-to-end encrypted between VS Code and your mobile device when possible.
Access tokens are short-lived (15 minutes) and refresh tokens are rotated on each use. OAuth state is HMAC-signed to prevent CSRF.
We store the minimum metadata needed to operate the Service and retain audit logs for up to 90 days.
5. Sharing of information
We do not sell your personal data. We only share it with: identity providers (GitHub, Google) when you authenticate; cloud infrastructure providers that host our Service under strict data processing agreements; and authorities when required by law.
6. International transfers
VibeSync may process data in countries other than the one where you live. When we transfer personal data outside your jurisdiction, we use appropriate safeguards such as Standard Contractual Clauses.
7. Your rights
Depending on your location, you may have rights to access, correct, delete, or port your personal data, and to object to or restrict certain processing. You can also withdraw consent at any time.
To exercise these rights, email legal@vibesync.dev. We will respond within the timeframe required by applicable law.
8. Data retention
We keep account information while your account is active. When you delete your account, we remove personal data within 30 days, except where retention is required by law or for legitimate security purposes.
9. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can remove it.
10. Third-party AI assistants
Prompts and AI responses may pass through third-party AI providers (e.g., Anthropic, OpenAI, GitHub). Their handling of your content is governed by their own privacy policies.
11. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you via the Service.
12. Contact
Questions about this Policy? Email legal@vibesync.dev and we will get back to you as soon as possible.