VIBECOP

VibeCop Privacy Policy

Effective date: July 3, 2026
Version: 1.0


VibeCop ("VibeCop", "we", "us") is an AI-native code review service operated by Maiife Private Limited, No. 29, Thatha Muthiappan Street, Sowcarpet, Chennai – 600001, Tamil Nadu, India, and made available at vibecop.maiife.ai, via the VibeCop CLI, and via the VibeCop API.

This policy explains what data we collect, why, where it goes, and what your rights are. VibeCop is a business product: you use it on behalf of an organization. For your account and billing data, Maiife acts as the data controller. For the source code and repository content your organization connects, Maiife acts as a processor on your organization's behalf.

1. Data we collect

1.1 Account and organization data

When you sign up (email/password, or Google/GitHub OAuth) we collect:

  • Email address and display name
  • Organization name and slug, team memberships, and your role within the organization
  • Authentication data managed by our auth provider (Supabase Auth): hashed password, OAuth identity, email verification status

We verify email addresses with a one-time code sent to your email. We never see or store your Google or GitHub password.

1.2 Repository and code data

When your organization connects a GitHub repository, you authorize VibeCop (via GitHub OAuth, repo and admin:repo_hook scopes) to read that repository. To perform reviews we process:

  • Repository contents (source files fetched per scan, subject to size limits), pull request diffs, commit metadata, branch names
  • Pull request titles, URLs, and the GitHub username of the PR author

From this we derive and store:

  • Review findings: rule name, title, description, severity, file path, and line numbers (not full source files)
  • A code structure graph: symbol names (classes, functions), file paths, relationships (calls, imports, inheritance), commit SHAs
  • Pattern fingerprints: hashed representations of recurring code patterns
  • Scan run records: repository name, PR metadata, timestamps, status, error messages

We do not permanently store full copies of your repository. Source files are fetched per scan and processed in memory or in ephemeral working directories; what persists is the derived analysis above.

1.3 Ask conversations

When you use the Ask feature (questions about your codebase), we store the full conversation — your questions and the AI's answers — together with vector embeddings of those messages, so that threads persist and search works. You can archive threads yourself; organization admins can permanently delete them.

1.4 Developer tooling events (CLI and hooks)

If your organization installs the VibeCop CLI or coding-agent hooks, we receive and store events from your development sessions, which can include: the tool used, session identifiers, branch names, edited file paths, prompt text, and session transcripts (used to compute cost and usage). CLI access tokens are stored only as SHA-256 hashes.

1.5 Billing data

Payments are processed by Razorpay. We send Razorpay your email address, name, and organization identifier. We store the resulting references — customer ID, subscription ID, payment IDs, amounts, currency, payment method type (e.g. card, UPI), and payment status. We never receive or store card numbers or bank credentials.

1.6 Usage and operational data

  • Credit usage records (which scans and Ask requests consumed credits)
  • Request metadata: model used, token counts, latency, status codes — not prompt or response bodies
  • Audit records of administrative actions (who changed what, when)
  • Server logs, which include IP addresses (used for rate limiting and abuse prevention)
  • In-product notifications addressed to you

1.7 What we deliberately do not collect

  • No third-party analytics, advertising trackers, or session recording on the VibeCop web app
  • No payment card data
  • No data from repositories you have not explicitly connected

2. How we use data

  • Provide the service: run code reviews, build the code graph, answer Ask questions, post review results back to your pull requests when enabled
  • Operate billing: meter credits, process subscriptions and top-ups, prevent abuse
  • Secure the service: authentication, rate limiting, audit logging, fraud and abuse prevention
  • Communicate: transactional emails (verification codes, password resets) and in-product notifications
  • Improve the service: aggregate, non-identifying usage statistics

We do not use your source code or repository contents to train AI models, and we do not sell your data.

3. AI processing disclosure

VibeCop's analysis is performed in part by a third-party large language model provider. During a scan or an Ask request, relevant portions of your code — diffs, file excerpts, findings context, and your questions — are transmitted over an encrypted connection to our model provider's API and used solely to generate the review output returned to you. Our provider is listed in Section 4. We do not authorize our model provider to use your content to train its models. We are working to secure a zero-data-retention arrangement with our provider; until then, our provider's standard API data-use terms apply.

4. Who we share data with (subprocessors)

Provider | Purpose | Data involved
Supabase (AWS ap-southeast-1, Singapore) | Database and authentication | All stored data described in Section 1
Vercel (global edge network) | Web application hosting | Requests to the web app, auth cookies
Railway (US region) | API and background worker hosting | All data in transit through the API; server logs
DeepSeek (People's Republic of China) | LLM analysis — review synthesis, detectors, and Ask answers | Code excerpts, diffs, findings context, Ask questions
GitHub (US) | Repository access, PR comments/writeback, webhooks | OAuth tokens, repo contents read, findings posted to PRs
Razorpay (India) | Payment processing | Email, name, organization ID, payment amounts
npm registry / OpenSSF Scorecard | Dependency health checks | Package names and versions only — never your code
Slack, Linear, Jira (optional) | Notifications and issue sync — only if your organization connects them | Finding summaries, issue metadata
Google Fonts | Web font delivery | Your browser requests fonts from Google (IP address visible to Google)

Partikle (embeddings and facts service) is Maiife-operated infrastructure, not a third party.

We will maintain a current subprocessor list on this page. We will give at least 30 days' advance notice of any new subprocessor by email or in-product notification, during which you may object.

5. International transfers

Your data crosses borders: the database is in Singapore (AWS ap-southeast-1), API compute runs on Railway in the United States, the web app is served from Vercel's global network, and our model provider (DeepSeek) processes data in the People's Republic of China. By using VibeCop you acknowledge these transfers. Where GDPR applies, we work to ensure appropriate safeguards, such as standard contractual clauses, are in place with our subprocessors.

6. Retention and deletion

  • Review findings, scan history, and the code graph are retained for the life of your organization's account so that trends (e.g. the Architecture Integrity Index) work over time.
  • Ask threads: you can archive threads at any time; organization admins can permanently delete a thread and its messages and embeddings.
  • Disconnecting a codebase permanently deletes its code graph, pattern fingerprints, and repo associations.
  • Account and organization deletion: request it at contact@maiife.ai and we will delete your organization's data within 30 days, except records we must keep for legal, tax, or security purposes (e.g. payment records).
  • Data export: request a copy of your organization's data at contact@maiife.ai.

7. Security

  • All traffic is encrypted in transit (TLS)
  • Data at rest is encrypted by our database provider (AES-256, AWS-managed keys)
  • CLI and hook tokens are stored only as SHA-256 hashes; webhook secrets are stored encrypted (AES-256-GCM)
  • Access is segregated per organization and enforced at the API layer; role-based permissions apply within organizations
  • Rate limiting and CORS restrictions protect the API
  • GitHub access tokens are stored in our database and protected by infrastructure-level encryption and access controls; you can revoke VibeCop's access at any time from your GitHub settings, which immediately invalidates the token

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify affected organizations and the relevant authorities as required by applicable law.

8. Your rights

Depending on your jurisdiction (including under the GDPR and India's Digital Personal Data Protection Act, 2023), you may have the right to access, correct, export, delete, or restrict processing of your personal data, and to object to processing or withdraw consent. To exercise any of these rights, email contact@maiife.ai. We respond within 30 days. If you are in the EU/EEA you may also lodge a complaint with your supervisory authority; if you are in India you may approach the Data Protection Board of India.

Grievance Officer (India, DPDP Act): Sakthivel Chandrasekaran — contact@maiife.ai

Note that most repository and code data belongs to your organization; requests concerning it may need to come from your organization's administrator.

9. Cookies

VibeCop uses only functional cookies: a per-product authentication cookie (e.g. sb-vibecop-auth-token) that keeps you signed in. It is scoped to the VibeCop subdomain, marked Secure in production, and SameSite=Lax. We set no advertising or analytics cookies, so we do not show a cookie consent banner.

10. Children

VibeCop is a business tool and is not directed at children. You must be at least 18 years old to create an account.

11. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced in-product or by email, with the effective date updated above. Continued use after the effective date constitutes acceptance.

12. Contact

Maiife Private Limited
No. 29, Thatha Muthiappan Street, Sowcarpet, Chennai – 600001, Tamil Nadu, India
contact@maiife.ai