Privacy Policy
Last updated: May 6, 2026
Summary
VibeVersity, Inc. ("VibeVersity," "we," "us," or "our") collects the minimum personal data we need to run your account, deliver courses, and keep the service reliable and safe. We do not sell your personal data. We do not share it for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals as opt-outs. For any privacy question or to exercise a privacy right, contact our privacy team.
Who we are
VibeVersity, Inc. is a Delaware corporation that provides an AI-training platform at vibeversity.com. The data controller for personal data we collect is VibeVersity, Inc. The “VibeVersity” name and mark are owned by Seeking Sunrise, LLC, a Delaware limited liability company, and used by VibeVersity, Inc. under license; this licensing arrangement does not affect how your personal data is handled. For GDPR purposes we do not have an EU establishment; EU/UK users may contact our privacy team.
What we collect and why
We collect only the categories described below, for the purposes listed.
- Account data — email, name (optional), password hash (via Clerk). Used to create and secure your account. Legal basis (EU/UK): contract performance.
- Billing data — billing address, tax status, and payment card details (tokenized by Stripe; we never see the raw card number). Used to charge your subscription and issue receipts. Legal basis: contract performance + legal obligation (tax, fraud).
- Course data — lessons you've started, exercise submissions, grades, completion timestamps. Used to deliver and improve the curriculum. Legal basis: contract performance.
- Usage data — page views, clicks, and product events captured by PostHog; error payloads captured by Sentry. Used to debug and improve the product. Legal basis: legitimate interests (running and improving the service).
- Security telemetry — IP address (truncated and salted-hashed for rate-limit and abuse detection), request headers, Turnstile challenge tokens. Legal basis: legitimate interests (security and fraud prevention).
- Communications — emails you send us and replies from us, retained for 2 years for continuity and dispute resolution. Legal basis: legitimate interests.
How we use AI on your data
We do not train third-party AI models on your submitted exercises, code, or messages. Submitted content is not shared with model providers for training purposes. When we process your content with a model vendor (e.g. to grade an exercise), we use vendor APIs with training opt-out enabled and retention configured to the minimum offered by that vendor. If this changes, we will update this policy and notify active customers at least 14 days before the change takes effect.
Sub-processors
We use the vendors listed below to operate the service. Each vendor has its own privacy policy; click the name to review it. We review this list at least annually and update it here before a new sub-processor goes live.
| Vendor | Purpose | Data categories | Location |
|---|---|---|---|
| Stripe | Payment processing, subscription billing, customer portal | Name, email, billing address, payment card (tokenized) | United States (EU SCCs in place) |
| Clerk | Authentication, session management, account recovery | Email, password hash, auth events, IP, user agent | United States |
| Supabase | Application database (profiles, course progress, submissions) | User ID, email, course/progress data, submitted exercise content | United States |
| Vercel | Application hosting, edge functions, analytics | IP (truncated), user agent, request path, approximate geolocation | United States |
| Upstash | Rate limiting, idempotency keys | Hashed IP, user ID (opaque) | United States |
| PostHog | Product analytics, feature-flag evaluation | User ID (opaque), page views, event properties, session recordings (off by default) | United States |
| Sentry | Error and performance monitoring | Error payload, stack trace, user ID (opaque), browser info | United States |
| Resend | Transactional email (receipts, renewal reminders, DSR replies) | Email address, delivery events | United States |
| Cloudflare Turnstile | Bot / abuse protection on forms | Challenge token, IP, user agent | Global (EU SCCs in place) |
| Amazon Web Services | Cloud infrastructure (operational metadata only) | Operational metadata only — no direct customer content | United States |
International transfers
VibeVersity is operated from the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. Personal data of EU/UK users is transferred under the EU Standard Contractual Clauses (and the UK Addendum) built into our vendor agreements. To request a copy of the clauses, contact our privacy team.
Your rights
Everyone can:
- Access a copy of the data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to narrow exceptions for legal, accounting, and fraud-prevention records we must retain).
- Export your data in a portable format.
- Object to, or restrict, specific processing activities.
- Withdraw consent (where we rely on consent).
California residents have additional rights under the CCPA as amended by the CPRA: to know the categories we collect, to delete, to correct, and (in principle) to opt out of sale or sharing. VibeVersity does not sell personal information and does not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, so there is nothing to opt out of — but you may still submit a request and we will record your preference. We honor GPC signals as an opt-out. We will not discriminate against you for exercising any of these rights.
EU/UK residents have the rights listed above under the GDPR and UK GDPR, plus the right to lodge a complaint with your local supervisory authority.
To exercise any right, contact our privacy team. We may need to verify your identity before processing access, correction, deletion, or portability requests. Opt-out requests do not require identity verification beyond a working email address. We respond within 45 calendar days (CCPA/CPRA: extendable once by 45 days with notice; opt-out: within 15 business days) and never charge a fee unless a request is manifestly unfounded or excessive. You may designate an authorized agent to make a request on your behalf, subject to verification.
Cookies and tracking
We use a small set of first-party cookies required to keep you signed in, persist your theme, and remember your consent preferences. Optional product analytics (PostHog) and session replay are off by default and only enabled if you opt in via the cookie banner. We honor the Sec-GPC Global Privacy Control header as an opt-out of analytics and any future sale or sharing.
Retention
- Account + course data — while your account is active, and for 12 months after deletion for fraud and chargeback resolution, unless legal hold requires longer.
- Billing records — 7 years (US tax retention).
- Security logs (truncated IPs, auth events) — at least 12 months, then aggregated.
- Support emails — 2 years.
Security
We follow industry-standard practices for an early-stage SaaS: encryption in transit (TLS 1.2+) and at rest, principle-of-least-privilege access for personnel, mandatory multi-factor authentication for production access, tamper-evident audit logging of administrative actions, and centralized encrypted secrets management. Payment card data is handled exclusively by our PCI DSS Level 1 certified payment processor; we never see or store raw card numbers. We do not publish vendor-specific control names or infrastructure regions on this page; security researchers and enterprise procurement teams can request a security overview by contacting us.
Children & minors
The Service is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 18, and the Service is not directed to children or teenagers. If you believe a person under 18 has created an account or provided us data, contact our privacy team and we will terminate the account and delete associated data. If we discover an account belongs to a user under 18, we will terminate and delete it without notice. This restriction applies to free accounts and paid subscriptions alike.
Region-restricted launch waitlists
We are not yet open in the European Union/EEA, United Kingdom, or mainland China. Visitors from those regions may opt in to a launch-notification waitlist by entering their email and checking a consent box on our onboarding page.
Lawful basis. We process your email under your explicit consent (GDPR Article 6(1)(a) for EU/EEA visitors; UK GDPR Article 6(1)(a) for UK visitors; PIPL Article 13(1) for mainland China visitors).
Purpose and limit. We use your email to send you up to three emails related to the opening of your region: one notification when your region opens for customers, and up to two follow-up messages about joining VibeVersity at that point. We will not send general marketing emails, share your email with third parties, or use it beyond this scope. Every email includes a one-click unsubscribe link.
Withdrawal of consent. You may withdraw consent and request deletion at any time by contacting us. Withdrawal is processed within 30 days of receipt.
Retention. We retain your email until you withdraw consent OR until 30 days after the final email in the launch sequence (whichever comes first), at which point we delete it from the waitlist.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify active customers by email at least 14 days before the change takes effect. Continued use of the Services after changes take effect constitutes acceptance of the updated policy.
Contact us
For privacy questions or to exercise your privacy rights, contact our privacy team. For DMCA notices, see our DMCA page.