Privacy Policy
Effective: 22 May 2026 · Version 1.0
1. Who we are
VibeCMS (“we”, “us”) is a software-as-a-service product that lets you add an inline content editor to your existing website. The service is operated from the European Union; the data controller is the operator of this VibeCMS instance.
Contact: hello@vibe-cms.app.
2. What we collect
We collect only what we need to run the service.
Account data
- Email address — used to send magic-link login emails and service notifications. Stored once in the
userstable. - Plan + billing state — current plan tier, billing interval, current period end. No card data is stored by VibeCMS; if you ever buy a paid plan it will be processed by Stripe and only the Stripe customer ID is kept.
Site data
- Site metadata — the URL, display name and an internal API key for each site you connect.
- Content edits — the text, images, and link URLs you change through the editor (so we can re-apply them on every visitor's page load).
- Uploaded media — image files you upload through the editor. Stored on Supabase Storage in the EU region.
- Form submissions — if your site uses our form handler, we store each submission so you can read it in the dashboard.
Visitor data
The embed script (vibe-cms.js) on your customer-facing pages does not set cookies, does not track visitors, and does not send any data to third parties. It only fetches your saved content edits from our API.
3. Why we collect it
- To provide the service — applying your edits to your site requires storing them.
- To authenticate you — magic-link tokens are hashed and time-limited.
- To enforce plan limits — counts of sites and blocks per user.
- To send transactional email — magic-link sign-in, agency invitations.
We do not use your data for advertising, profiling, or any kind of analytics resale.
4. Where it lives
All data is stored in Supabase (Postgres + object storage) hosted in the EU. Magic-link email is delivered via Resend (US-based, GDPR data-processing agreement in place). The application runs on Render.
5. How long we keep it
We keep your data for as long as your account exists. When you delete your account (see §7) we hard-delete every row tied to your user — including sites, blocks, uploads, form submissions, and any client-logins you created. Magic-link tokens are auto-expired after 15 minutes (or 48 hours for client invitations); session tokens after 7 days of inactivity.
6. Cookies & local storage
The dashboard uses your browser's localStorage and sessionStorage to keep you logged in and remember preferences (panel position, dismissed welcome banner, current site list). Nothing in there is sent anywhere else. We don't set any cookies at all.
The embed script on your customer-facing site uses sessionStorage only when you open the editor (it holds the short-lived edit token across F5). Regular visitors don't trigger it.
7. Your rights
Under GDPR you have the right to:
- Access — download a full JSON dump of everything we store about you. Dashboard → Settings → Export my data, or hit
GET /api/user/export. - Portability — each site you connect gives you a ZIP backup of its edits and uploads on Personal+ tiers.
- Erasure — delete your account and every associated row from the database. Dashboard → Settings → Delete account, or hit
DELETE /api/user/deletewith body{"confirm":"DELETE MY ACCOUNT"}. - Rectification — change your email or site metadata at any time through the dashboard.
- Objection / complaint — contact us, or your local data-protection authority.
8. Children
VibeCMS is not intended for users under 16. If you believe a child has registered, contact us and we'll remove the account.
9. Changes to this policy
If we update this policy materially, we'll notify active accounts by email at least 14 days before the change takes effect.
If anything here is unclear or you want to invoke one of the rights in §7, just email hello@vibe-cms.app.