Privacy Policy
Effective date: June 9, 2026
VibeKit ("we", "us", "our") operates the VibeKit platform — the website at vibekit.bot, the Telegram bot, the iOS application, the web dashboard at app.vibekit.bot, and published npm packages (collectively, the "Service"). This policy explains what data we collect, how we use it, who we share it with, and your rights.
By using the Service you also agree to our Terms of Service.
1. Information We Collect
- Account info: Telegram user ID, username, and display name if you interact via the bot. Email address if you sign up via the web dashboard or iOS app. Apple/Google account identifier if you use Sign in with Apple or Google.
- BYOK credentials: If you provide your own provider credentials (Anthropic API keys sk-ant-api03-, Anthropic OAuth tokens sk-ant-oat01-, OpenAI API keys sk-proj-, or ChatGPT-subscription Codex OAuth tokens), they are stored encrypted at rest and used solely to call the relevant provider on your behalf. See Section 3 for details.
- Usage data: Session counts, token usage reported by the upstream AI provider, and cost calculations for billing.
- App data: Source code, files, environment variables, and configurations you create or upload — stored in an isolated AWS Fargate container per app, with an EFS workspace mount for agent state.
- Agent transcripts: Messages exchanged with your agent (including file context the agent fetched) are stored so you can scroll history. You can delete them per-app from the dashboard.
- Payment info: Stripe handles card data directly — we never see card numbers. We retain the Stripe customer ID, last 4 digits, and the credit-purchase ledger.
- Device info: Push notification tokens (if you enable notifications), device type, and browser user-agent for delivering the service and debugging issues.
- Security events: Each environment-variable change and other security-sensitive mutation is recorded to an audit log with source (user vs. infrastructure) and action, to support incident response.
2. How We Use Your Data
- To operate the Service — provision Fargate tasks, route AI requests, sync agent state, serve your subdomain at <name>.vibekit.bot.
- To process AI requests through whichever path applies to you (your BYOK credential, or OpenRouter against your credit balance).
- To bill consumed credits to your balance and record the transaction.
- To send push notifications about agent activity (if enabled).
- To investigate abuse, debug issues, and improve the Service.
- We do not train models on your data; we don't train models at all.
- We do not sell your data, and we do not share it for advertising.
3. Data Storage & Security
Data is stored on AWS infrastructure in us-east-2 (Ohio). All connections to the Service use HTTPS/TLS.
BYOK credentials and environment variables are encrypted at rest with AES-256-GCM. Each user's data is encrypted with a per-user key derived from a master key via HKDF-SHA256 with the account UUID as salt — master-key compromise alone does not expose any single user's data. Plaintext credentials are only held in process memory at request time and are never written to logs, telemetry, analytics, or backups. We redact known secret formats (sk-, sk-ant-, sk-proj-, GitHub tokens, JWTs, and others) from any text that gets logged.
Each app runs in its own AWS Fargate task with an isolated workspace. Per-tenant shell access is sandboxed by a bwrap wrapper at the OS layer. Database access is gated by Postgres row-level security so users only read and write their own rows.
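The per-user key derivation and log redaction described above, as an added illustration (this is not VibeKit's code): an RFC 5869 HKDF-SHA256 that takes the account UUID as salt to derive a 32-byte key for AES-256-GCM, plus a redactor for the secret formats the policy names. The `info` string and the exact token regexes are assumptions; the policy does not specify them.

```python
import hashlib
import hmac
import re
import uuid

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_user_key(master_key: bytes, account_uuid: str) -> bytes:
    """Per-user AES-256-GCM key: HKDF-SHA256 with the account UUID as salt.
    The info label is an assumption; the policy does not name one."""
    salt = uuid.UUID(account_uuid).bytes
    prk = hkdf_extract(salt, master_key)
    return hkdf_expand(prk, b"byok-credential-key/v1", 32)


# Approximations of the formats listed in Section 3 (assumed patterns).
SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{8,}"),                  # sk-, sk-ant-, sk-proj-
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}"),           # GitHub tokens
    re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),  # JWTs
]


def redact(text: str) -> str:
    """Replace any known secret format with a fixed marker before logging."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text
```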
4. Third-Party AI Services
VibeKit routes your AI requests to third-party providers. The routing depends on whether you've configured BYOK:
4a. Two routing paths
- BYOK (your own credentials): If you've added an Anthropic key/token or OpenAI key/Codex OAuth token under Profile → AI Provider, your requests are sent directly from VibeKit to that provider using your credential. OpenRouter is not involved.
- No BYOK (platform credits): Requests are sent to OpenRouter, which then forwards them to the underlying provider you've selected as preferred (Anthropic, OpenAI, DeepSeek, or Qwen via OpenRouter's free pool). OpenRouter sees your prompts and the upstream provider sees them as well. Costs are billed against your credit balance with a platform markup (currently 20%); Qwen / free-tier traffic is $0. VibeKit has enabled OpenRouter's data-discount setting on the non-BYOK route, which allows OpenRouter to use prompts and responses sent through it to improve their product in exchange for a 1% discount on every call. This applies only to the non-BYOK path; BYOK traffic does not pass through OpenRouter at all.
4b. What data is sent to AI providers
- Chat messages: Text you send to your agent is transmitted to the routing destination to generate the response.
- File contents: When the agent reads, edits, or creates files, file contents may be sent as context.
- App context: App structure, error logs, environment-variable names (not values), and configuration may be included.
- Voice (optional): If you enable voice input/output, audio is sent to OpenAI's text-to-speech and Whisper APIs regardless of which provider handles your chat.
We do not send your email, payment information, password, BYOK credentials, or any other account secret to AI providers.
4c. Who data may be sent to
- Anthropic (Claude): BYOK route or via OpenRouter. Privacy policy.
- OpenAI (GPT, Codex, Whisper, TTS): BYOK route or via OpenRouter; voice always goes to OpenAI directly. Privacy policy.
- OpenRouter: Aggregator we use for the non-BYOK path. Privacy policy.
- DeepSeek: Via OpenRouter on the non-BYOK path if selected as preferred. Privacy policy.
- Qwen (Alibaba): Via OpenRouter's free pool on the free tier. Privacy policy.
Anthropic and OpenAI do not train models on API data, on either the BYOK or platform-credit route. OpenRouter, the aggregator we use for the non-BYOK route, may use prompts and responses to improve their product under the data-discount setting we've enabled (see Section 4a above); they have stated this is not used for model training. Data sent to AI providers is never used for advertising.
4d. Your consent
Before first use of the AI agent, you're asked to acknowledge data sharing with third-party AI services. You can withdraw consent by removing your BYOK credentials and discontinuing use of the agent.
4e. Other third-party services
- AWS: Hosting infrastructure (Fargate, EFS, S3, RDS-adjacent via Supabase). Privacy notice.
- Stripe: Payment processing (web). Privacy policy.
- Apple: In-app purchases (iOS), Sign in with Apple. Privacy policy.
- Cloudflare: CDN, DNS, and edge security. Privacy policy.
- Supabase: Managed Postgres for our application database. Privacy policy.
- GitHub: Source-code hosting integration if you link a repo. Privacy statement.
- Vercel: Legacy deployment integration used by a subset of apps. Privacy policy.
- Namecheap: Custom-domain registration if you buy a domain through us. Privacy policy.
- Telegram: Chat surface for the bot. Privacy policy.
- Google: Sign in with Google, Google Analytics on marketing pages. Privacy policy.
5. Cookies and Analytics
The marketing pages on vibekit.bot use Google Analytics (GA4) to measure aggregate traffic. The dashboard and iOS app do not use third-party analytics. We use a small number of first-party cookies for session management and one (vk_referral) to attribute referral signups.
Google signals (Advertising Features). Our GA4 property has Google signals enabled on the marketing pages. For visitors who are signed in to a Google account and have consented to ads personalization, Google may associate their visit with Google's own account information — which can include location, search history, YouTube history, and data from sites that partner with Google — to give us cross-device and aggregate demographic/interest reporting. We only ever see this in aggregate (e.g. age brackets, gender, interest categories); we never receive data that identifies an individual, and we do not use it for ad targeting. We adhere to Google's Advertising Features policy. You can review or turn off this association at any time via Google Ads Settings and My Activity, or opt out of Google Analytics entirely with the Google Analytics opt-out browser add-on.
6. Data Retention
Agent transcripts and app data are retained while your account is active. You can delete an app (and its transcripts, files, env vars, and Fargate task) from the dashboard at any time. Account deletion removes all associated data within 30 days, except aggregated billing records we are required to retain for tax or accounting purposes. Audit-log entries (security events) are retained for 12 months.
7. Your Rights
Depending on where you live, you may have rights under the GDPR (EEA/UK), CCPA/CPRA (California), or similar laws. You can:
- Access and export your data from the dashboard.
- Correct inaccurate account information at any time.
- Delete your apps, transcripts, and associated data.
- Remove any BYOK credentials.
- Request full account deletion by contacting [email protected].
- Object to processing or request portability — email us and we'll comply within 30 days where applicable law requires.
8. International Transfers
VibeKit infrastructure is in the United States (AWS us-east-2). If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on AWS's GDPR-compliant data-processing terms and Standard Contractual Clauses where applicable.
9. Children's Privacy
The Service is not intended for users under 13. We do not knowingly collect data from children under 13. If you believe we have collected data from a child, contact [email protected] and we will delete it.
10. Changes
We may update this policy. Material changes will be communicated through the platform with at least 30 days' notice for paying users where reasonable.
11. Contact
Privacy questions: [email protected]. General support: [email protected].