Privacy Policy
This policy explains how personal data is processed when you use vibedeploy.dev and the VibeDeploy service (website, dashboard, MCP server/CLI) in accordance with the EU General Data Protection Regulation (GDPR).
VibeDeploy hosts exclusively in the EU (Hetzner, Germany). The website uses no tracking cookies, no analytics tools and no external fonts. We process personal data only as far as necessary to run the service: for your account, sending login links, deploying and running your apps, and protecting against abuse. Your app data does not leave the EU.
1. Controller
The controller within the meaning of the GDPR is:
DP – Media Consulting Cologne UG (haftungsbeschränkt)
Brand “VibeDeploy” (a product of Denkprozesse)
Santo-Tirso-Ring 69
64823 Groß-Umstadt
Germany
Phone: +49 6078 3920950
Email: privacy@vibedeploy.dev
The full legal notice is available at vibedeploy.dev/en/imprint.
2. Hosting and server log files
We host our website and the entire VibeDeploy service with Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (“Hetzner”). Processing takes place exclusively in data centers in Germany (Falkenstein). A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Hetzner.
When you access our pages and our API, technically necessary information is automatically recorded and stored in so-called server log files, in particular:
- the IP address of the requesting device,
- date and time of access,
- the requested resource (e.g. page or API endpoint) and the HTTP status code,
- the browser and operating system used (user agent) and the referrer URL.
This processing is necessary to technically deliver the service and to ensure the stability and security of our systems. The legal basis is our legitimate interest pursuant to Art. 6 (1) (f) GDPR.
3. Cookies, tracking and fonts
Our website works without consent-requiring cookies. We use no analytics or tracking services (no Google Analytics, no Meta pixel, etc.), embed no external fonts (such as Google Fonts) and no other third-party server content that would transmit your data to third parties.
In the dashboard (login area at /app.html) we use only technically necessary storage in your browser (local storage) to keep your signed-in session (session token). This is required for operation and is permitted without consent under § 25 (2) TDDDG; the legal basis is Art. 6 (1) (f) GDPR.
4. Account and passwordless login (magic link)
To manage your apps you can claim or create an account. Sign-in is passwordless via a single-use login link we send to your email address. For this we process your email address as well as technical sign-in and session data (time of the request, validity token).
The login code is valid only for a short time (around 15 minutes) and can be used once. For security reasons, the number of login-link requests per email address is limited. After a successful sign-in you receive a session token with a limited lifetime (around 30 days).
The legal basis is Art. 6 (1) (b) GDPR (performance of the usage relationship) and our legitimate interest in secure authentication (Art. 6 (1) (f) GDPR). Email delivery is handled by a processor (see section 8, “Resend”).
5. Providing the deploy service (publishing your apps)
The core function of VibeDeploy is publishing (deploying) apps you have built with AI tools. When you deploy an app — directly in the dashboard or via our MCP server or CLI — we process:
- the files and source code of your app that you transfer to us in order to build and serve it,
- configuration and environment variables you provide, and the chosen name/subdomain (scheme <name>.by.vibedeploy.dev),
- technical deployment metadata (timestamp, status, build logs).
Your app is built, stored and operated on our infrastructure in Germany. Your app data does not leave the EU. The legal basis is Art. 6 (1) (b) GDPR (provision of the service you requested).
Device identifier and abuse protection
VibeDeploy can also be used without an account (anonymous one-shot deploy). So that we can protect the service against abuse and overload (e.g. limiting the number of deployments per period), we process a pseudonymous device identifier (device ID). It is generated and stored locally on your device by the MCP server/CLI and sent with requests; alternatively the IP address is used. The legal basis is our legitimate interest in a stable, abuse-resistant service (Art. 6 (1) (f) GDPR).
Automatic security scan before go-live
Before each publication we automatically check the files to be deployed for typical security issues (e.g. access keys accidentally left in the code, or open database rules). This check runs entirely on our own infrastructure in Germany; no transfer of your code to third parties takes place. The legal basis is our legitimate interest in the security of the published apps and our platform (Art. 6 (1) (f) GDPR).
6. Content and user data of your published apps
Insofar as the app you publish via VibeDeploy itself processes personal data of third parties (your end users), you are the controller within the meaning of the GDPR; VibeDeploy acts as a processor (Art. 28 GDPR) and processes such data solely to technically provide the hosting. For paid plans we provide a data processing agreement (DPA). You are responsible for your app’s own privacy policy and legal obligations.
7. Newsletter / product updates
If you sign up via a form for product updates or our newsletter, we process the email address you provide in order to send you information about VibeDeploy. The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR. You can withdraw this consent at any time with effect for the future — e.g. via the unsubscribe link in every email or by message to privacy@vibedeploy.dev. Your address is not passed on to third parties for advertising purposes.
8. Processors we use
To provide the service we use carefully selected processors with whom data processing agreements pursuant to Art. 28 GDPR are in place:
| Processor | Purpose | Data location |
|---|---|---|
| Hetzner Online GmbH (Germany) | Hosting, servers, database, building & running apps | Germany (EU) |
| Resend (Resend, Inc.) | Sending transactional emails (e.g. login links) | EU region; where a transfer to the USA occurs, based on Standard Contractual Clauses / EU-US Data Privacy Framework |
| Stripe (Stripe Payments Europe, Ltd.) | Payment processing — only for paid plans (see section 9) | EU/USA with appropriate safeguards (Standard Contractual Clauses / EU-US Data Privacy Framework) |
Beyond these processors, we only disclose personal data where we are legally obliged to do so or where you have consented.
9. Payment processing (paid plans)
If you purchase a paid plan, payment is handled by our payment service provider Stripe. You enter the required payment data (e.g. name, email address, payment method) directly with Stripe, where it is processed; full card details are not disclosed to us. From Stripe we only receive the information necessary for contract and invoice handling (e.g. payment status). The legal basis is Art. 6 (1) (b) GDPR (performance of a contract) and our legitimate interest in secure payment processing (Art. 6 (1) (f) GDPR). Stripe’s privacy notices apply in addition.
10. Retention and deletion
We store personal data only for as long as is necessary for the respective purposes:
- Unclaimed apps: are automatically removed after around 24 hours unless they are assigned to an account (claimed) via the login link.
- Claimed apps on the free plan: are kept for around 30 days; on paid plans they are kept without this time limit, for as long as the account exists.
- After an app is deleted: we retain the data for a short internal recovery window (around 7 days) and then delete it permanently.
- Account and master data: are stored for the duration of the usage relationship and deleted afterwards, unless statutory retention obligations apply (e.g. commercial and tax law, regularly up to 10 years for invoice data).
- Server log files: are stored only for a short period for security and stability purposes and then deleted or anonymized.
11. Your rights as a data subject
Under the GDPR you have, in particular, the following rights:
- right of access (Art. 15 GDPR),
- right to rectification (Art. 16 GDPR),
- right to erasure (Art. 17 GDPR),
- right to restriction of processing (Art. 18 GDPR),
- right to data portability (Art. 20 GDPR),
- right to object to processing (Art. 21 GDPR),
- right to withdraw consent given, with effect for the future (Art. 7 (3) GDPR).
Irrespective of this, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit).
12. Contact for data protection requests
For questions about data protection and to exercise your rights, you can reach us at: privacy@vibedeploy.dev
Note: The German version of this document is legally authoritative.