Privacy Policy

Last updated: 24 February 2026

VibeCodes (vibecodes.co.uk) is an AI-powered idea board for developers. This policy explains what data we collect, why we collect it, how we store it, and what rights you have over it. We've written this in plain English — no legal jargon.

Data Controller

VibeCodes is operated by Nicholas Ball (sole trader).

Contact: info@vibecodes.co.uk

Address: United Kingdom (full address available on written request)

No Data Protection Officer has been appointed as VibeCodes operates at a scale that does not require one under UK GDPR Article 37.

Data We Collect

We only collect data that is necessary for VibeCodes to function. Here's everything we store:

Account Information

When you sign up, we store your email address, display name, and avatar (either from your OAuth provider or uploaded manually). You may optionally provide a bio, GitHub username, and contact information (e.g. Discord, Twitter). If you sign up via GitHub or Google, we receive your public profile information from those services.

Ideas & Content

Everything you create on VibeCodes — ideas (titles, descriptions, tags, linked GitHub repository URLs), comments, votes, and collaborator relationships. Ideas can be set to public (visible to everyone) or private (visible only to you, your collaborators, and admins).

Board & Task Data

Kanban board columns, tasks, labels, workflow steps, due dates, task comments, activity logs, and file attachments (up to 10MB per file). Profile pictures are stored in a publicly accessible storage bucket. Task file attachments are stored in a private bucket with time-limited signed download URLs.

AI Interaction Data

When you use AI features (idea enhancement, task generation), we send your prompts and relevant idea/task content to Anthropic's Claude API. We log the token counts, model used, and action type for rate limiting and analytics. We do not store the full AI responses separately. If you provide your own Anthropic API key (BYOK), it is encrypted using AES-256-GCM before storage and only decrypted server-side when processing your AI requests. BYOK users are exempt from platform rate limits. If you save custom AI prompt templates, we store the template name and prompt text linked to your account.

Agent Profiles

If you create AI agent personas, we store the agent name, role, system prompt, and avatar URL. These are linked to your account.

Feedback

If you submit feedback (bug reports, suggestions, questions) via the in-app feedback dialog, we store the feedback content, category, and the page URL you submitted it from.

Notification Preferences

Your per-type notification settings (votes, comments, collaborator joins, status changes, task mentions) are stored so we only send you notifications you want.

Cookies & Client-Side Storage

We set essential authentication cookies (Supabase session tokens) to keep you logged in. These are strictly necessary for the service to function and do not track you across websites. We also use localStorage in your browser for dashboard layout preferences, collapsed section states, and theme preference (light/dark). Our service worker caches static assets locally on your device to improve performance; this data stays on your device and is cleared when you uninstall the app or clear browser storage. We do not use third-party tracking cookies or analytics cookies.

API Access (MCP)

VibeCodes exposes a remote API (Model Context Protocol) that allows authorised third-party tools (such as Claude Code) to read and write your data on your behalf. Access requires your explicit authorisation via OAuth 2.1 with PKCE. When you authorise a client, we store the OAuth client registration and temporary authorisation codes. You can revoke access at any time by removing the MCP connection in your client application.

Legal Basis for Processing

Under UK GDPR Article 6, we process your data on the following lawful bases:

| Processing Activity | Legal Basis |
| --- | --- |
| Account creation, authentication, profile | Contract (Art 6(1)(b)) — necessary to provide the service |
| Ideas, boards, tasks, comments, votes, collaborations | Contract (Art 6(1)(b)) — core service functionality |
| AI features (idea enhancement, task generation) | Consent (Art 6(1)(a)) — you explicitly initiate each AI request |
| BYOK API key storage (encrypted) | Consent (Art 6(1)(a)) — you choose to provide your own key |
| In-app notifications | Contract (Art 6(1)(b)) — part of the service, controlled by your preferences |
| Rate limiting, abuse prevention, AI usage logging | Legitimate interest (Art 6(1)(f)) — protecting the service and other users |
| Aggregate landing page statistics | Legitimate interest (Art 6(1)(f)) — anonymous counts only |
| MCP API access (third-party tool authorisation) | Consent (Art 6(1)(a)) — you explicitly authorise each client |
| Feedback submissions | Consent (Art 6(1)(a)) — you choose to submit feedback |

Third-Party Services

VibeCodes relies on the following third-party services:

| Service | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Authentication, database, file storage, realtime updates | All user data |
| Vercel | Hosting and edge functions | Request logs, IP addresses |
| GitHub OAuth | Authentication | Profile info (email, name, avatar) |
| Google OAuth | Authentication | Profile info (email, name, avatar) |
| Anthropic (Claude) | AI features | Idea descriptions, prompts (only when you use AI features) |

We do not sell your data to any third party. Data shared with these services is limited to what's necessary for their function.

International Data Transfers

Your data is transferred to and processed in the United States by the following providers:

  • Supabase (AWS US) — database, authentication, file storage
  • Vercel (US, global edge network) — hosting, serverless functions
  • Anthropic (US) — AI processing (only when you use AI features)
  • GitHub / Google (US) — OAuth authentication

These transfers are protected by the UK-US Data Bridge (where applicable) and Standard Contractual Clauses (SCCs) incorporated into our agreements with these providers.

How We Use Your Data

  • To provide and maintain VibeCodes functionality
  • To authenticate you and protect your account
  • To send you in-app notifications based on your preferences
  • To process AI requests (idea enhancement, task generation) when you initiate them
  • To enforce rate limits and prevent abuse of AI features
  • To display your public profile to other users
  • To generate anonymous, aggregate usage statistics (total idea count, user count, and collaboration count displayed on the landing page)
  • To process feedback you submit and improve the service

Is Providing Your Data Required?

Providing your email address and display name is necessary to create an account and use VibeCodes. This is a contractual requirement — without it, we cannot provide the service. All other data (bio, GitHub username, contact info, file uploads, AI features, feedback) is optional. If you do not provide optional data, some features may be limited but your core account will function normally.

Automated Decision-Making

VibeCodes uses automated processing in two areas: AI rate limiting (counting your daily AI usage to enforce per-user caps) and AI content generation (enhancing idea descriptions and generating board tasks using Anthropic's Claude). These do not produce legal effects or similarly significant decisions about you. AI-generated content is always presented for your review before being applied — nothing is changed without your explicit confirmation.

Data Retention & Deletion

Your data is retained for as long as your account is active. Specific retention periods:

  • Account data, ideas, boards, tasks — retained until you delete your account
  • AI usage logs and activity logs — retained for the lifetime of your account (used for rate limiting and audit)
  • Feedback submissions — retained until account deletion
  • OAuth authorisation codes — expire and are deleted after 10 minutes
  • Server access logs — retained by Vercel per Vercel's retention policy

When your account is deleted, a cascade delete removes all associated data: your profile, ideas, comments, votes, collaborator relationships, board tasks, file attachments, AI usage logs, prompt templates, feedback, agent profiles, and notifications. This is permanent and cannot be undone.

Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — update your profile, ideas, and comments at any time through the app, or request corrections by contacting us
  • Erasure — request account deletion by contacting us (admin users can also delete accounts directly). All data is cascade-deleted.
  • Restriction of processing — request that we limit how we process your data in certain circumstances (e.g. while we verify its accuracy)
  • Data portability — request an export of your data in a machine-readable format
  • Object — object to processing based on legitimate interest (rate limiting, aggregate statistics). We will stop unless we have compelling grounds that override your rights.
  • Withdraw consent — you can stop using AI features at any time, revoke MCP API access by removing the connection in your client app, and revoke OAuth access from your GitHub/Google account settings. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at privacy@vibecodes.co.uk. We aim to respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Security

All data is transmitted over HTTPS. Database access is controlled by Row-Level Security (RLS) policies — users can only access their own data and public content. Task file attachments are stored in a private bucket with time-limited signed download URLs. Profile pictures are stored in a publicly accessible bucket. BYOK API keys are encrypted at rest using AES-256-GCM and only decrypted transiently on the server when processing your requests. Authentication uses industry-standard OAuth 2.0 and session management via Supabase Auth.

Data Breach Notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected users via email and in-app notification without undue delay, and report to the ICO within 72 hours as required by UK GDPR Article 33.

Children

VibeCodes is not intended for users under 13 years of age. We do not knowingly collect data from children. Users between 13 and 18 should have parental or guardian consent before using VibeCodes. If you believe a child has created an account without appropriate consent, please contact us and we will delete it.

Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated “Last updated” date. For significant changes, we'll notify users via in-app notification.

Contact

For privacy-related questions or to exercise your data rights, contact us at: privacy@vibecodes.co.uk