Privacy Policy

Last updated: April 2026

We built PolyDefender for developers handling sensitive data. This policy explains what we collect, why, and how we protect it.

1. Information We Collect

When you use PolyDefender, we collect the following types of information:

Account Information: When you register, we collect your email address, name, and password (hashed). If you sign in with Google, we receive your profile information from Google OAuth.

Scan Data: URLs, GitHub repository names, and ZIP file contents you submit for scanning, along with scan findings, security scores, and module results.

Usage Data: How you interact with the Service, pages visited, features used, and scan history. This helps us improve the product.

Payment Data: Billing information is processed by Stripe (for card payments) or Privy (for crypto payments). We do not store full payment card numbers.

2. How We Use Your Information

We use collected information to:

  • Provide and improve the scanning service
  • Process payments and manage subscriptions
  • Send scan completion notifications and security alerts
  • Respond to support requests
  • Analyze aggregate usage patterns to improve the product
  • Detect and prevent abuse or fraudulent use
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your scan targets or findings for purposes other than providing the Service to you.

3. Data Storage and Security

Your data is stored on secure infrastructure with Supabase (PostgreSQL), protected by:

  • Row Level Security (RLS) policies ensuring only you can access your data
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Access controls limiting which PolyDefender employees can access production data
  • Regular security audits

Scan results are retained for the duration of your plan: 90 days (Pro/Team) or a custom period (Enterprise). After retention expires, scan data is permanently deleted.

4. Data Sharing

We share data with third parties only as follows:

Service Providers: Supabase (database hosting), Stripe (payments), Resend (email delivery), Vercel (infrastructure). These providers are bound by data processing agreements.

Legal Requirements: We may disclose information if required by law, court order, or government authority. We will notify you of such requests where legally permitted.

Business Transfers: If PolyDefender is acquired or merges with another company, your data may be transferred as part of that transaction. You will be notified in advance.

5. Cookies and Tracking

PolyDefender uses the following cookies:

  • Authentication cookies: Required for login sessions (Supabase auth cookies)
  • Preference cookies: Remember your UI preferences (billing toggle, etc.)

We do not use third-party tracking cookies or advertising networks. We do not use Google Analytics or similar third-party analytics services.

6. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of all data we hold about you
  • Correction: Update inaccurate or incomplete data
  • Deletion: Request deletion of your account and associated data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing of your data in certain circumstances

To exercise any of these rights, contact us at privacy@vibescan.io. We will respond within 30 days.

7. Children's Privacy

PolyDefender is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us immediately.

8. International Data Transfers

PolyDefender operates globally. If you access the Service from outside the United States, your data may be transferred to and processed in the United States, where data protection laws may differ from your jurisdiction. By using the Service, you consent to these transfers.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or prominent notice on the Service. Continued use after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or to exercise your rights:

Email: privacy@vibescan.io