VibeAssist
VibeAssist

Privacy Policy

Last updated: June 21, 2026

This Privacy Policy explains how XIG Australia Pty Ltd ABN 58 684 707 266 (“we”, “us”, “our”), collects, uses, shares, and protects personal data when you use VibeAssist (the “Service”). We are the data controller for the personal data described below.

1. Data we collect

Account & identity

  • email address, display name, avatar URL, and authentication identifiers (including Google OAuth subject IDs when you sign in with Google);
  • password hashes (we never see or store plaintext passwords).

Content you submit

  • projects, ideas, briefs, tasks, prompts, chat messages, attachments, and any other content you upload;
  • repository metadata you connect via GitHub (repo name, commits, file paths).

Usage & technical data

  • log data such as IP address, user agent, pages viewed, and timestamps;
  • AI usage data including token counts, model identifiers, and cost attribution;
  • error and performance telemetry needed to operate the Service.

Billing

  • billing identifiers, plan, status, and invoice metadata returned by our payment processor (Paddle). We do not store full card numbers.

2. How we use your data

We process personal data to:

  • provide and operate the Service, including authentication, projects, AI features, and integrations;
  • process payments and manage subscriptions through Paddle;
  • communicate with you about your account, security, and material changes;
  • maintain the security and integrity of the Service and prevent abuse;
  • analyse aggregated, de-identified usage to improve the Service;
  • comply with legal obligations.

3. Legal bases (EEA/UK users)

  • Contract — to provide the Service you have signed up for.
  • Legitimate interests — securing the Service, preventing fraud, and improving features.
  • Consent — for optional analytics or marketing communications, where required.
  • Legal obligation — to comply with tax, accounting, and law-enforcement obligations.

4. AI processing

When you use AI features, the content you submit (prompts, context, code snippets, repository excerpts) is transmitted to third-party AI providers through a model gateway to generate responses. These providers process your content as our sub-processor and are contractually prohibited from using it to train their foundation models. We do not sell your content and we do not use it to train models.

5. Sharing your data

We share personal data only with:

  • Hosting and database providers (Cloudflare, Supabase) — to run the Service;
  • AI providers via the Lovable AI gateway — to generate AI Outputs you request;
  • Payment processor (Paddle) — to process subscriptions and invoices;
  • GitHub — only when you connect a repository, and only to the scope you authorise;
  • Analytics and error monitoring providers — strictly to operate and secure the Service;
  • Authorities — when required by law, court order, or to protect rights, property, or safety.

We do not sell personal data.

6. International transfers

Personal data may be processed in countries other than your own, including the United States. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

7. Retention

  • account and content data — retained while your account is active and for a reasonable grace period after deletion;
  • billing records — retained for the period required by tax law (typically 7 years);
  • logs and security telemetry — retained for up to 12 months;
  • backups — purged on rolling schedules.

8. Your rights

Depending on your location, you may have rights to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • delete your account and associated data (subject to legal retention);
  • export your data in a portable format;
  • object to or restrict certain processing;
  • withdraw consent for processing based on consent;
  • lodge a complaint with your local supervisory authority.

To exercise these rights, email privacy@vibeassist.app. We will respond within the timeframe required by applicable law.

9. Security

We use industry-standard safeguards including encryption in transit (TLS), encryption at rest, role-based access control, row-level security on user-owned tables, and audit logging. No system is perfectly secure; you are responsible for keeping your credentials safe.

10. Children

The Service is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us so we can delete it.

11. Cookies

We use a small number of strictly necessary cookies and local-storage items to keep you signed in and remember your preferences. For details, see our Cookie Policy.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified through the Service or by email. The “Last updated” date above indicates the latest revision.

13. Contact

Privacy questions can be sent to privacy@vibeassist.app.