Privacy Policy
Last updated: April 22, 2026
This Privacy Policy explains how VibeNest ("we", "us", "the Service") collects, uses, shares, and protects personal data when you use our platform-as-a-service for deploying applications, hosting project wikis, and related features. It is designed to meet the standards of the EU General Data Protection Regulation (GDPR) and to apply equivalent protections globally.
Please also read our Terms of Service.
1. Data Controller & Contact
The data controller (operator) for personal data processed through the Service is:
- Individual Entrepreneur Nikita Babenko Vladimir
- Registered in the State Register of Legal Entities of the Ministry of Justice of the Republic of Armenia under No. 87.1393328, issued 12 June 2024
- TIN / ՀՎՀՀ: 75479903
- Registered office: 1 Myasnikyan Street, Sevan 1501, Gegharkunik Province, Republic of Armenia
- Contact for data protection: info@vibenest.net
Processing by the controller is subject to the Law of the Republic of Armenia on the Protection of Personal Data (HO-49-N of 18 May 2015, as amended). Where applicable to users located in the European Economic Area, the United Kingdom, or Switzerland, we also apply the standards of the EU General Data Protection Regulation (GDPR).
2. Information We Collect
2.1 Account & authentication data
- Email address, username, and (optionally) your display name
- Password hash (we never store your password in plain text)
- Optional phone number if you choose to add one
- Preferred language (detected from your browser's Accept-Language header on registration and used to localize our emails)
- Two-factor authentication state and, if you enable TOTP, a server-side authenticator secret
- Passkey / WebAuthn credentials (credential identifier and public key only — we never see your biometric or device PIN)
- External login links (e.g., Google) — see Section 6
2.2 Deployment data
- Git repository URLs, branch, build pack, base directory, and other deployment configuration you provide
- Environment variable keys and values. Values are encrypted at rest with AES-256-GCM using per-value nonces. They are decrypted only when synchronizing with our deployment orchestrator and are never logged.
- Build and deployment logs produced by the deployment infrastructure. These logs are operational output and may incidentally contain information printed by your application during build.
2.3 Billing data
- Credit balance, credit transactions (purchases, AI-feature spend, refunds, bonuses), hardware subscription state, and the order ID / receipt reference issued by our payment provider for each purchase
- We do not see or store your card number, CVV, expiry date, or full billing address. Those fields are collected and stored by our payment provider under its own Privacy Policy (see Section 5 for details)
- For tax compliance and fraud-pattern review, the payment provider may pass us back a country code and a last-4 or masked card reference; we store these alongside the order ID for tax-report reconciliation and to detect abusive refund patterns
2.4 Platform usage analytics
Interactions within the logged-in dashboard (pages visited, features used) to help us improve the Service.
2.5 Visitor analytics for your deployed wiki pages
When a visitor views a public wiki page hosted by a VibeNest-deployed project, we collect:
- A daily-salted SHA-256 hash of their IP address and user-agent — we do not store raw IP addresses. The hash changes every 24 hours and cannot be reversed into an IP.
- Request path, referrer URL and referrer domain
- UTM campaign parameters (utm_source, utm_medium, utm_campaign) if present in the URL
- A primary language code derived from the Accept-Language header, and a coarse country code inferred from it
- Parsed browser, operating system, and device type (mobile / tablet / desktop) from the user-agent string
Project owners see only aggregated statistics and opaque visitor hashes — they cannot see any individual visitor's IP address.
2.6 AI usage logs
When you use AI-powered features we record metadata about the call — operation type (e.g., repo analysis, wiki beautification, SEO), model used, input and output token counts, cost in USD, and credits charged. We do not persistently store the prompts or responses themselves.
2.7 Email delivery logs
For each transactional email we attempt to send (confirmation, password reset, deployment or subscription notice) we log the recipient address, template type, delivery status, and the provider's message identifier. Email bodies are not logged.
2.8 Audit trail
Certain sensitive operations (e.g., creating, updating, or deleting environment variables) are recorded in an internal audit log for security investigation purposes. Only metadata (user, action, timestamp, variable key name) is recorded — never the secret values.
2.9 Service and security logs
Standard server logs (timestamps, request paths, status codes, error traces) used for operating and securing the platform. These may incidentally contain IP addresses. Container stdout/stderr logs are rotated by the container runtime (size-capped, retained for up to 30 days of typical traffic) and are not archived after rotation.
2.10 Deployments from Synth Cabal
Synth Cabal is another service operated by the same controller named in Section 1. When you create an application in Synth Cabal and choose to deploy it to VibeNest, Synth Cabal transmits to us the build artefact, deployment configuration, and — where you authorise it — environment-variable values. Status callbacks about the deployment are sent back to the Synth Cabal webhook URL, signed with HMAC-SHA256. Because both services are operated by the same controller, no third-party transfer takes place; the data remains within the infrastructure described in Section 5.
3. Legal Basis for Processing (GDPR Art. 6)
We rely on the following legal bases:
- Performance of a contract — to create your account, run your deployments, process your credit purchases, and provide the features you request
- Legitimate interests — to secure the platform (audit logs, abuse prevention), measure platform performance, and produce aggregated visitor analytics for project owners
- Legal obligations — to retain billing records for tax and accounting purposes
- Consent — for any processing that is not covered above (e.g., optional future communications); you can withdraw consent at any time without affecting prior processing
4. How We Use Your Information
- To provide and maintain the Service (deploying your applications, serving your wiki pages, routing traffic to your subdomains)
- To authenticate you and protect your account
- To process billing, credit balances, and subscriptions
- To send service-related communications (deployment status, subscription warnings, security notices)
- To provide AI-powered features (repo analysis, wiki content generation, SEO) when you initiate them
- To compute aggregated analytics that help you understand traffic to your deployed wiki pages
- To improve the platform, detect abuse, and debug issues
- To comply with legal obligations
5. Third-Party Services (Processors & Sub-Processors)
We rely on the following third parties to run the Service. We share only the minimum data each provider needs to perform its function. The "Region" column shows where each provider processes the data; see Section 11 on international transfers.
- Google (Sign-In) — optional social login. Used only if you choose to sign in with Google. See Section 6 for details. Region: United States.
- Resend (transactional email) — recipient email address, template type, and message body at send time. Delivery status is returned to us. Region: United States.
- OpenRouter and, through it, Anthropic (Claude), OpenAI, DeepSeek, and other model providers — used for AI features. The data we send depends on the feature you invoke: repository analysis sends your Git repository's file tree plus the contents of manifest files (for example package.json, Dockerfile, docker-compose.yml, project-file manifests); wiki beautification, translation, and SEO features send the text of the wiki page you are editing. We configure these API calls so that inputs and outputs are not used by the model providers to train their models, where the provider's API offers this option — Anthropic and OpenAI API traffic is excluded from training by default, and OpenRouter forwards this preference to downstream providers. Region: United States (model inference may also run in other regions selected by the model provider).
- GitHub API — to validate that a repository exists and is accessible, to read the file tree, and to fetch manifest files for repository analysis. For private repositories we rely on the deploy key or access configuration you set up with the @VibeNest GitHub account. Region: United States.
- Coolify (our self-hosted deployment orchestrator) — receives your Git repository URL, build configuration, resource limits, and the plaintext values of your environment variables so it can build and run your applications. Access to the Coolify instance is restricted to our operations team. Region: European Union (self-hosted on VibeNest-operated infrastructure).
- ClickHouse — the analytics database that stores the visitor-analytics events described in Section 2.5. Access is restricted to our operations team. Region: European Union (self-hosted on VibeNest-operated infrastructure).
- Payment provider (Merchant of Record) — a licensed third-party payment provider acting as Merchant of Record for all paid transactions (credit purchases and hardware subscriptions). When you initiate a purchase we redirect you to the provider's checkout, where they collect your billing email, name, billing country, and card details directly. The provider returns to us only the order ID, purchase amount, currency, country code for tax reporting, and a masked card reference. The provider is the legal seller and handles applicable sales tax / VAT / GST. Governed by the provider's own Terms and Privacy Policy.
We do not sell your personal data to any third party.
Changes to this list. We update this list before adding a materially new sub-processor and will notify active users at least 30 days in advance by email or in-app notification, so that you have an opportunity to object or close your account before processing begins.
6. Google Account Sign-In
When you choose to sign in with your Google account, VibeNest requests the following non-sensitive OAuth scopes: openid, email, and profile. From these scopes we receive and store:
- Your Google account email address
- Your name (as displayed on your Google profile)
- Your Google account ID (an opaque identifier used to link your login)
- Your profile picture URL, which we store as an identity claim; we do not download or host the image itself
How we use Google account data:
- To create and authenticate your VibeNest account
- To display your name in the VibeNest dashboard
- To send you service-related emails (deployment status, subscription notices)
What we do NOT do with Google account data:
- We do not access any other Google services (Gmail, Drive, Calendar, Contacts, etc.)
- We do not store your Google OAuth access token or refresh token — they are discarded immediately after login
- We do not share, sell, transfer, or use your Google data for advertising, marketing, or analytics
- We do not allow humans to read your Google data except (a) with your explicit consent, (b) for security purposes such as investigating abuse, or (c) when required by law
- We do not use Google data to develop, improve, or train generalized AI or machine learning models
Compliance. VibeNest's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Revoking access. You may revoke VibeNest's access to your Google account at any time by visiting https://myaccount.google.com/permissions. You may also delete your VibeNest account entirely from account settings; this removes all personal data we hold about you and stops all deployments.
Data retention. Google account data is retained for as long as your VibeNest account exists. When you delete your VibeNest account, the linked Google account data is deleted from our systems.
7. Authentication Methods
VibeNest supports email + password, Google sign-in, passkeys (WebAuthn), and two-factor authentication (TOTP).
- Passwords are hashed using ASP.NET Identity's default key-stretching algorithm and never stored in plain text.
- Passkeys / WebAuthn — your authenticator generates a key pair on your device. We store only the public key and a credential identifier. We never receive your biometric data, device PIN, or private key.
- Two-factor authentication (TOTP) — if you enable it, a shared secret is generated and stored server-side to validate the six-digit codes from your authenticator app.
8. Data Security
- All connections use HTTPS with automatically provisioned TLS certificates
- Environment variables are encrypted at rest with AES-256-GCM using per-value nonces
- Passwords are hashed with industry-standard key-stretching algorithms (ASP.NET Identity)
- Visitor analytics use daily-salted hashing — raw IP addresses are never stored
- Administrative access to production systems is restricted and authenticated
- Session cookies are issued with HttpOnly and Secure flags and appropriate SameSite settings
Support-access sessions. To investigate support requests, abuse reports, and billing issues, a small number of authorised VibeNest operators can temporarily access your account from an internal admin console ("support-access sessions"). This capability is restricted to operators holding the Admin role, takes place under our legitimate interest in operating, securing, and supporting the Service (GDPR Art. 6(1)(f)), is visually indicated by a banner in the active session, and is recorded in our security audit log with a hashed user identifier. No payment credentials or passkey private keys are ever accessible via this mechanism. You may request an audit-log excerpt of support-access events affecting your account by emailing info@vibenest.net.
No system is perfectly secure; you are responsible for keeping your own credentials safe and for enabling two-factor authentication or passkeys where available.
9. Data Retention
We retain personal data for as long as your account is active and for as long as we need it to provide the Service, comply with legal obligations (for example tax retention of billing records), and resolve disputes. Where we are legally required to delete data or where you ask us to delete it, we do so unless a legal obligation requires us to keep it for longer.
- Visitor analytics are retained for 12 months, after which events are automatically deleted from our analytics store.
- Deployment logs stored on VibeNest are automatically purged after 30 days. Build and runtime logs fetched live from our self-hosted Coolify orchestrator follow Coolify's default retention (approximately 30 days); because Coolify runs on VibeNest-operated infrastructure, we are the provider for this purpose.
- Billing records (credit transactions, subscription charges, payment references) are retained for the period required by applicable tax and accounting law, even after account deletion. On deletion they are anonymized — the link to your user account is removed so the rows survive as aggregate financial records only.
- Email delivery logs and AI usage logs are anonymized on account deletion: the recipient address is replaced with an opaque placeholder and the user identifier is removed, so the entries remain only as aggregate deliverability / cost analytics.
- Environment-variable audit trail and per-user admin notifications are deleted outright when you delete your account, since they are tightly scoped to projects and a user.
- Security audit log. When an account is deleted we write a single append-only row recording that the event happened, keyed by a one-way SHA-256 hash of the user id (never the original id, email, or IP). This allows us to investigate repeated abuse patterns without re-introducing identifying data.
10. Your Rights
Regardless of where you live, you may exercise the following rights with respect to your personal data:
- Access — obtain a copy of the personal data we hold about you. The "Download Personal Data" button in account settings returns a JSON file with your core account record (identity fields such as email, username, phone number, two-factor status, external logins, and your preferred language). For a consolidated export that additionally covers your projects, wiki pages, environment-variable keys (values are never exported in plaintext), billing transactions, and audit entries, email info@vibenest.net and we will produce the full export within one month.
- Rectification — correct inaccurate or incomplete data
- Erasure — delete your account and associated personal data yourself, at any time, via the "Delete Personal Data" option in account settings. The flow requires you to re-enter your password (where applicable) and to type your email as a confirmation step; once you confirm, your projects are stopped and removed from our infrastructure, your personal data is deleted, and you receive a final confirmation email. Retained categories (anonymized billing records, deliverability / cost analytics, the security audit row above) are listed in Section 9.
- Restriction of processing — ask us to limit how we process your data in certain cases
- Data portability — receive your account record in a structured, machine-readable JSON format via "Download Personal Data" in account settings, or request the broader consolidated export described above
- Objection — object to processing that relies on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
For any right you cannot exercise in-app — or if the self-service deletion flow does not work for you — email info@vibenest.net and we will respond within one month.
You also have the right to lodge a complaint with a data-protection supervisory authority if you believe we have not handled your data lawfully:
- In Armenia — the Personal Data Protection Agency of the Staff of the Ministry of Justice of the Republic of Armenia (Ministry of Justice, 3/8 Vazgen Sargsyan Street, Yerevan 0010, Republic of Armenia).
- In the European Economic Area, the United Kingdom, or Switzerland — your local data-protection authority.
- In California — the California Privacy Protection Agency (CPPA) or the California Attorney General.
11. International Data Transfers
The data controller is established in the Republic of Armenia (see Section 1). Some of our third-party processors (including Google, Resend, OpenRouter, Anthropic, OpenAI, DeepSeek, GitHub, and our payment provider) operate infrastructure in the United States and other countries outside your own. Where such transfers take place, we rely on the transfer mechanisms adopted by each processor, such as the EU–US Data Privacy Framework (where applicable) and Standard Contractual Clauses, to provide a level of protection consistent with applicable law.
The Service's own infrastructure (the Coolify orchestrator and the ClickHouse analytics database) is hosted on servers located in the European Union, under the direct operational control of the Armenian controller named in Section 1. The EU is recognised by the European Commission as providing an adequate level of data protection under the GDPR, so transfers from EEA users to this infrastructure do not require additional safeguards. Access to the infrastructure is restricted to the controller's operations personnel and is not shared with any third party.
EU representative. Under GDPR Article 27, controllers established outside the EU must appoint an EU representative if they regularly and systematically process personal data of EEA residents on a significant scale. At our current scale and user base this threshold is not met, and no representative has been appointed. EEA users may exercise their GDPR rights directly with the controller via info@vibenest.net, and we will respond within the statutory one-month period. We will appoint a formal Article 27 representative and name them on this page once processing of EEA users' data becomes regular and systematic at scale.
11a. Additional Rights for California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights in addition to those listed in Section 10:
- Right to know the categories and specific pieces of personal information we have collected about you, the sources, the purposes of collection, and the categories of third parties with whom we share it
- Right to delete personal information we have collected from you (subject to the retention exceptions listed in Section 9)
- Right to correct inaccurate personal information
- Right to data portability (same mechanism as Section 10)
- Right to limit use of sensitive personal information to what is reasonably necessary to provide the Service
- Right to non-discrimination for exercising any of these rights
- Right to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising
We do not "sell" and do not "share" personal information for cross-context behavioural advertising, as those terms are defined by the CCPA, and we have not done so in the preceding 12 months. We do not knowingly sell or share personal information of any consumer under 16. Because we do not sell or share, there is no "Do Not Sell or Share" link required; your rights are exercised through the same channel as GDPR requests: via account settings (self-service download and deletion) or by emailing info@vibenest.net. You may authorise an agent to submit a request on your behalf; we will ask for proof of the agent's authority and of your identity before acting.
12. Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing or profiling.
13. Data Breach Notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected users without undue delay, consistent with applicable law.
14. Cookies
We use only essential cookies required to operate the Service. We do not use advertising or cross-site tracking cookies.
Since we use only strictly necessary cookies under Article 5(3) of the ePrivacy Directive (2002/58/EC), no prior consent is required to set them and no reject mechanism is provided. If we ever introduce cookies that fall outside this exemption (for example third-party analytics or advertising), we will deploy a proper consent interface with equally prominent Accept and Reject controls before those cookies are set.
- .AspNetCore.Identity.Application — your signed-in session. HttpOnly, Secure. Lifetime: up to 14 days, sliding (renewed on activity); cleared on logout.
- .AspNetCore.Identity.External — transient cookie used during the external (Google) sign-in flow. Lifetime: ~15 minutes; cleared as soon as the sign-in completes.
- ASP.NET Core antiforgery cookie — protects against cross-site request forgery. Lifetime: browser session.
- OAuth correlation / state / nonce cookies — issued while completing an external sign-in redirect. Lifetime: ~15 minutes; cleared when the redirect completes.
The cookie notice shown on public pages records your dismissal in your browser's localStorage, not in a cookie, so it does not require consent under ePrivacy rules.
Global Privacy Control (GPC). We do not sell or share personal information and do not operate behavioural advertising, so a GPC signal carries no additional processing effect. We do not disregard the signal, and if our practices ever change in a way that would make GPC meaningful, we will honour it.
15. Children's Privacy
The Service is not intended for children under 13 globally, or under 16 for users located in the European Economic Area and the United Kingdom. We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal data, contact info@vibenest.net and we will delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes via email or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.
17. Contact
For privacy-related questions or data requests, contact us at info@vibenest.net. See also our Terms of Service.