This Privacy Policy explains what VibesFlyer ("we", "us") collects, why, and how we handle it when you use vibesflyer.com and the VibesFlyer dashboard, API, and MCP server. VibesFlyer is an analytics control plane: we help you connect your own analytics and ad accounts and collect first-party events from apps you operate.
1. Information you provide
When you create an account we collect your email address and a hashed password. Authentication is handled by Supabase on our behalf.
When you create a project or connect a provider, we store the configuration you enter (project name, platform, framework, and the provider you choose to link).
2. Connected provider data
If you connect a provider such as Google Analytics 4, Firebase, Meta Ads, or Google Search Console, you authorize us to read reporting data from that account using credentials you grant. We store access/refresh tokens encrypted at rest and use them only to fetch the metrics shown in your dashboard.
We request the minimum scopes needed to read reporting data. You can disconnect a provider at any time, which stops further reads.
3. First-party (owned) events
If you install our tracking snippet, your app sends us events about activity on the properties you operate. Before storage, incoming event properties are filtered server-side against a strict allowlist so that fields outside that allowlist are dropped and never persisted.
We additionally derive coarse signals from the network request: an approximate country (from Cloudflare's edge), a bot-likelihood score, and the referring site's hostname (without path or query). We do not store full IP addresses or request URLs.
You are the controller of the end-user data you send us; you are responsible for having a lawful basis and your own privacy notice covering it.
4. How we use information
We use the data we collect to:
- operate your account and dashboard;
- compute metrics, rollups, and automated insights;
- send you product and account notifications you opt into (e.g. Telegram digests or email alerts);
- secure the service and prevent abuse (rate limiting, bot scoring).
We do not sell your data or your end-users' data.
5. Sub-processors
We rely on a small set of infrastructure providers to run the service:
- Supabase — authentication and Postgres database;
- Cloudflare — hosting, edge delivery, and bot/geo signals;
- Resend — transactional email (account and alert emails);
- Telegram — only if you choose to link a chat for notifications.
Provider data is fetched directly from the analytics/ad platforms you connect (Google, Meta).
6. Data retention
Account and project configuration are retained for as long as your account is active. Metric snapshots and owned events are retained according to your plan's retention window. When you delete a project or close your account, we delete the associated data within a reasonable period, except where we must retain it to meet a legal obligation.
7. Security
Provider tokens are encrypted at rest. API keys are stored only as salted hashes and shown to you once at creation. Access to your data in the dashboard is enforced by row-level security scoped to your account.
8. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data. To exercise them, contact us using the address below and we will respond within the time required by applicable law.
9. Changes
We may update this policy as the product evolves. Material changes will be reflected by updating the effective date at the top of this page.
10. Contact
Questions about this policy can be sent to privacy@vibesflyer.com.
This document is a plain-language template provided for transparency and is not legal advice.