Privacy Policy
Last updated: March 17, 2026
Short version: We collect only what we need to run the service — your email, subscription status, and anonymous usage signals from the CLI. We never sell your data. We never scan or store your source code.
1. Who We Are
VibeLint ("we", "us", "our") is a security scanning tool for AI-assisted codebases, operated by Rachid Elharrak ("Operator"). Our service is accessible at vibelint.dev.
For questions about this policy, contact us at support@vibelint.dev.
2. What Data We Collect
2.1 Account data
When you create an account, we collect:
- Email address
- Name (if provided via Google OAuth)
- Authentication tokens (managed by Clerk — see Section 5)
2.2 Subscription and billing data
When you subscribe to VibeLint Pro, our payment processor Dodo Payments collects your payment details. We never see or store your full card number. We store only:
- Your subscription status (free or pro)
- Dodo customer ID and subscription ID (for billing management)
- Subscription start and cancellation dates
2.3 License key data
For Pro subscribers, we store:
- A SHA-256 hash of your license key — the plain key is never stored on our servers
- The timestamp of the last time your CLI validated its license (last_validated_at) — used to power the "Connected" indicator in your dashboard
2.4 CLI telemetry (anonymous)
The VibeLint CLI sends a small telemetry ping when it starts. This ping contains:
- VibeLint version number
- Operating system type (e.g. "Windows", "macOS", "Linux")
- A randomly generated anonymous session ID (not linked to your account)
- Whether the scan succeeded or failed (no details, no code)
We do not collect, transmit, or store any of your source code, file names, file paths, or scan results through telemetry. Telemetry is used only to understand aggregate usage patterns (e.g. which OS versions to support).
You can disable telemetry by setting the environment variable VIBELINT_NO_TELEMETRY=1 in your shell.
2.5 Scan results (Pro — optional)
If you are a Pro subscriber and the dashboard sync feature is enabled, VibeLint may send scan summaries (issue counts and severity levels) to your dashboard. We never receive the actual code that triggered an issue — only the detector name, severity, and file path.
Dashboard sync is opt-in and can be disabled by setting VIBELINT_NO_SYNC=1.
2.6 Website usage data
We use Vercel Analytics to collect anonymous, aggregate data about visits to vibelint.dev, including page views and referrer information. No cookies are used for analytics. No personal identifiers are collected.
3. How We Use Your Data
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address | Account creation, transactional emails (receipts, license keys) | Contract performance |
| Subscription status | Controlling access to Pro features | Contract performance |
| License key hash | Validating the CLI at startup | Contract performance |
| last_validated_at | Powering the Connected status in your dashboard | Legitimate interest |
| CLI telemetry | Understanding aggregate usage to improve the product | Legitimate interest |
| Scan summaries (opt-in) | Displaying results in your dashboard | Consent |
| Website analytics | Understanding traffic to improve the landing page | Legitimate interest |
4. Data Retention
- Active accounts: Data is retained for as long as your account is active.
- After cancellation: Account data is deleted within 30 days of account closure on request. Billing records may be retained for up to 7 years for tax and legal compliance.
- License keys: Revoked key hashes are deleted within 90 days of revocation.
- Telemetry: Anonymous telemetry data is retained for up to 12 months in aggregate form.
5. Third-Party Sub-Processors
We share data with the following third-party services to operate VibeLint. Each has been assessed for GDPR compliance.
| Service | Purpose | Data shared |
|---|---|---|
| Clerk (clerk.com) | Authentication (sign up, sign in, sessions) | Email, name, OAuth tokens |
| Supabase (supabase.com) | Database — stores account and license data | Email, subscription status, key hashes |
| Dodo Payments (dodopayments.com) | Payment processing and subscriptions | Email, billing details |
| Vercel (vercel.com) | Hosting the web application and API | Request logs (IP, user agent) |
We do not sell your data to any third party. We do not use your data for advertising.
6. Your Rights
Under GDPR and similar privacy laws, you have the right to:
- Access: Request a copy of all data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Request that we delete your account and associated data
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interest
- Restriction: Ask us to pause processing while a dispute is resolved
To exercise any of these rights, email support@vibelint.dev. We will respond within 30 days.
7. Cookies
VibeLint uses cookies only for authentication — specifically, Clerk sets a session cookie when you sign in so you stay logged in. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
You can delete cookies at any time in your browser settings. Deleting the session cookie will sign you out.
8. Security
We take reasonable technical and organizational measures to protect your data, including:
- License keys are stored only as SHA-256 hashes — the plain key never touches our servers
- All data in transit is encrypted via HTTPS/TLS
- Database access is restricted to server-side API routes using a service role key
- Row-level security is enabled on all user data tables
- Payment processing is handled entirely by Dodo Payments — we never see card numbers
To report a security vulnerability in VibeLint itself, see our Security Policy.
9. Children's Privacy
VibeLint is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@vibelint.dev.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. For material changes, we will notify you by email. Continued use of VibeLint after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions, data requests, or to request a Data Processing Agreement (DPA) for your organization:
- Email: support@vibelint.dev