Privacy Policy

Last updated: June 11, 2026

VibeVal is operated by DST Digital LLC. This page covers what we collect, where it goes and how to get it removed. Short version: we collect what the product needs to work, send your diff to one LLM provider to write the rationale, and nothing is sold or used for training.

What we collect

Data	Why	Where it lives
Email address	Account sign-in (magic links) and service notices	Supabase (US)
API key hashes	Authentication. We store a SHA-256 hash, never the raw key	Supabase
Submitted diffs and context	Hashed into the attestation; sent to the LLM for rationale generation. The diff itself is not stored after the request completes — only its hash and the generated rationale are kept	Processed in memory on Vercel
Generated rationales	So the rationale endpoint can return them	Supabase
Usage logs	Endpoint, status code, risk class and timestamp per request — for billing and abuse prevention	Supabase
Payment records	Pack purchased, amount, Stripe payment ID	Supabase + Stripe

No analytics cookies, no trackers, no advertising pixels. Theme preference is stored in your browser's localStorage and never leaves it.

Who else sees your data

• Anthropic — receives the diff, context and findings to generate the rationale text. Anthropic's API terms prohibit training on this data.
• Supabase — hosts the database and authentication.
• Stripe — handles all payments. Card details go straight to Stripe and never touch our servers.
• Vercel — runs the application and keeps standard request logs.

That's the whole list. We don't sell data, share it with advertisers or use your code to train anything.

Retention

Account data, rationales, usage logs and payment records are kept while your account is active. Delete your account and we remove personal data within 30 days, except payment records we're legally required to keep for tax purposes.

Your rights

Email us to access, correct, export or delete your data. If you're in the EU/EEA, UK or California, you have statutory rights to the same — the mechanism is identical: email us and we'll do it.

Security

API keys are stored as SHA-256 hashes. Database access is restricted with row-level security. Transport is TLS everywhere. Attestation hashes are one-way: they prove what was validated without revealing the code.

Changes

If this policy changes materially, we'll note it here and update the date above. Continued use after a change means you accept it.

Contact

duncan@duncansmith.tech