Privacy Policy
Last updated: January 6, 2026
Vibe Build Lab LLC ("VBL", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use any of our services, including:
- vibebuildlab.com - Our SaaS products and services (VBL Starter Kit, QA Architect, Idea Validator, MVP Factory, Growth Autopilot)
- AI Second Act - Our newsletter and related content (aisecondact.com)
- Stark Program Intelligence - Our consulting and advisory services
Please read this Privacy Policy carefully. By using our Services, you consent to the practices described herein.
1. Information We Collect
1.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password | Create and manage your account |
| Payment Information | Credit card details, billing address | Process payments (via Stripe) |
| Business Information | Company name, business ideas, product concepts | Provide validation and MVP services |
| Communications | Emails, support tickets, feedback | Respond to inquiries and improve services |
| Application Information | Project requirements, technical specifications | Assess project fit and deliver services |
1.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device Information | Browser type, operating system, device type | Optimize website experience |
| Usage Data | Pages visited, time spent, click patterns | Analyze and improve services |
| Log Data | IP address, access times, referring URLs | Security and troubleshooting |
| Location Data | Country, region (derived from IP) | Compliance and analytics |
1.3 Information from Third Parties
- Payment Processors: Stripe provides transaction details and fraud prevention data.
- Analytics Providers: Vercel Analytics provides aggregated usage statistics.
- Authentication Providers: If you sign in via Google or GitHub, we receive your name and email.
1.4 CLI Tools (QA Architect)
Our CLI tools collect no personal information by default. Optional telemetry (disabled by default) collects only:
- Node.js version and platform (e.g., "darwin", "linux")
- Feature usage counts (anonymized, no project names)
- Error types for debugging (no stack traces with personal paths)
Telemetry can be enabled with VBL_TELEMETRY=true and disabled at any time by removing this environment variable.
1.5 Artificial Intelligence Data Processing
IMPORTANT: Our Services use artificial intelligence provided by third-party providers (including OpenAI, Anthropic, Google, and Perplexity) to generate, analyze, and summarize content.
What AI Processes:
- User prompts and inputs you provide to AI-powered features
- Content for analysis, summarization, or generation
- Business ideas submitted for validation
What We Do NOT Do:
- We do NOT use your personal data to train AI models
- We do NOT sell your data to AI providers for their model training
Data Handling: Inputs are processed by third-party AI providers under their commercial terms. We maintain data processing agreements with all AI providers.
For more information, see: OpenAI Privacy Policy, Anthropic Privacy Policy
2. How We Use Your Information
2.1 Primary Purposes
- Service Delivery: Provide, maintain, and improve our products and services.
- Payment Processing: Process transactions, send receipts, and manage subscriptions.
- Communication: Respond to inquiries, provide support, and send service updates.
- Security: Detect, prevent, and address fraud, abuse, and security issues.
2.2 Secondary Purposes
- Analytics: Understand how users interact with our services to make improvements.
- Marketing: Send promotional communications (with your consent; you can opt out anytime).
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
2.3 Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your data based on the following legal grounds:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Providing services you purchased, account management |
| Legitimate Interests | Analytics, security, service improvement, fraud prevention |
| Consent | Marketing emails, optional telemetry, cookies |
| Legal Obligation | Tax records, responding to legal requests |
3. How We Share Your Information
3.1 We Do Not Sell Your Personal Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
3.2 Service Providers
We share data with trusted third parties who assist in operating our business:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Payment details, billing address |
| Vercel, Inc. | Website hosting, analytics | Usage data, IP addresses |
| GitHub, Inc. | Code hosting, authentication | Repository data (if authorized) |
| Google LLC | Authentication (optional) | Email, name (if you use Google sign-in) |
| Resend / SendGrid | Email delivery | Email address, message content |
3.3 Other Disclosures
We may disclose your information:
- Legal Requirements: When required by law, subpoena, or legal process.
- Protection: To protect our rights, privacy, safety, or property.
- Business Transfers: In connection with a merger, acquisition, or sale of assets (you will be notified).
- Consent: With your explicit consent for other purposes.
4. Cookies and Tracking Technologies
4.1 Types of Cookies We Use
| Type | Purpose | Duration |
|---|---|---|
| Essential | Site functionality, authentication, security | Session / 1 year |
| Analytics | Understand usage patterns (Vercel Analytics) | 1 year |
| Preferences | Remember your settings and choices | 1 year |
4.2 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may affect site functionality.
- Chrome: Settings → Privacy and security → Cookies
- Firefox: Settings → Privacy & Security → Cookies
- Safari: Preferences → Privacy → Cookies
4.3 Do Not Track
We currently do not respond to Do Not Track (DNT) browser signals. We will update this policy if we implement DNT support in the future.
5. Data Retention
5.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Service provision |
| Transaction records | 7 years | Tax and legal requirements |
| Validation reports | 2 years | Customer reference, disputes |
| MVP project files | 1 year after delivery | Support, warranty claims |
| Support communications | 3 years | Service improvement, disputes |
| Analytics data | 26 months | Service improvement |
| Marketing preferences | Until opt-out + 30 days | Compliance with preferences |
5.2 Deletion
After the retention period, data is securely deleted or anonymized. You may request earlier deletion (see Section 7).
6. Data Security
6.1 Security Measures
We implement industry-standard security measures including:
- Encryption: TLS/SSL encryption for data in transit; encryption at rest for sensitive data.
- Access Controls: Role-based access, multi-factor authentication for administrative access.
- Secure Payments: PCI-DSS compliant payment processing through Stripe.
- Regular Audits: Periodic security assessments and vulnerability testing.
- Incident Response: Procedures to detect, respond to, and notify of security incidents.
6.2 Your Responsibilities
You are responsible for maintaining the confidentiality of your account credentials and notifying us immediately of any unauthorized access.
6.3 No Guarantee
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Your Privacy Rights
7.1 Rights for All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information (subject to legal obligations).
- Opt-Out: Unsubscribe from marketing communications at any time.
- Data Portability: Request your data in a machine-readable format.
7.2 European Economic Area (EEA) - GDPR Rights
If you are in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Object: Object to processing based on legitimate interests.
- Right to Restrict: Request restriction of processing in certain circumstances.
- Right to Withdraw Consent: Withdraw consent at any time for processing based on consent.
- Right to Lodge Complaint: File a complaint with your local data protection authority.
Data Controller: Vibe Build Lab LLC is the data controller for your personal information.
7.3 California Residents - CCPA/CPRA Rights
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Information: We do not use sensitive personal information for purposes beyond what is necessary to provide services.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
CCPA Categories Disclosure
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, IP address)
- Commercial information (purchase history)
- Internet activity (browsing history on our site)
- Professional information (business ideas, company name)
We have not sold personal information in the preceding 12 months.
7.4 Other US State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have similar rights to access, correct, delete, and opt out. Contact us to exercise these rights.
7.5 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@vibebuildlab.com
We will respond to your request within 30 days (or 45 days for complex requests, with notice). We may need to verify your identity before processing your request.
8. International Data Transfers
8.1 Data Location
Our services are hosted in the United States. If you access our services from outside the US, your data will be transferred to and processed in the US.
8.2 Transfer Safeguards
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms for data transfers.
- Data Processing Agreements: Contracts with service providers ensuring equivalent protection.
8.3 EU-US Data Privacy Framework
Our key service providers (Stripe, Vercel, Google) participate in the EU-US Data Privacy Framework, providing additional safeguards for transatlantic data transfers.
9. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete it promptly. If you believe we have collected information from a child, please contact us at privacy@vibebuildlab.com.
10. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read the privacy policies of any third-party sites you visit.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Sending an email notification for significant changes
- Displaying a prominent notice on our website
We encourage you to review this policy periodically. Your continued use of our services after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy Inquiries: privacy@vibebuildlab.com
- General Support: support@vibebuildlab.com
- Legal: legal@vibebuildlab.com
Data Protection Officer
For GDPR-related inquiries, you may contact our designated privacy contact at privacy@vibebuildlab.com.
Vibe Build Lab LLC
A Delaware Limited Liability Company
United States