VibeLogin

Privacy Policy

Effective date: April 6, 2026 · Last updated: April 6, 2026

1. Who We Are

VibeLogin is an authentication-as-a-service platform operated by its sole founder. This Privacy Policy explains how we collect, use, store, and protect information when you use the VibeLogin service, website, APIs, and related infrastructure (collectively, the “Service”). By using the Service, you acknowledge that you have read and understood this policy.

2. Information We Collect

We collect only the information necessary to provide, secure, and improve the Service. This includes:

  • Account information: Your email address and display name, provided during registration.
  • Authentication data: Hashed passwords (never stored in plaintext), session tokens, and multi-factor authentication credentials.
  • Usage and security data: Login timestamps, IP addresses, and user-agent strings, collected solely for security monitoring and abuse prevention.
  • OAuth tokens: If you integrate third-party OAuth providers, the associated client secrets and tokens are stored in encrypted form.

3. How We Use Your Information

Your information is processed exclusively for the purpose of providing and operating the Service. Specifically, we use your data to:

  • Authenticate users and manage sessions across your applications.
  • Send transactional emails, including magic links, password reset requests, and email verification messages, via our email delivery provider, Resend.
  • Maintain security audit trails and detect unauthorized access attempts.
  • Respond to support requests and communicate important service updates.

We do not use your data for advertising, profiling, or any purpose unrelated to the operation of the Service. Our infrastructure is hosted on Fly.io, with servers located in the United States.

4. Data Security

We implement industry-standard security measures to protect your data at rest and in transit:

  • Passwords are hashed using Argon2, a memory-hard hashing algorithm resistant to brute-force and GPU-based attacks.
  • OAuth client secrets and sensitive credentials are encrypted using AES-256-GCM authenticated encryption.
  • All network communication is encrypted via HTTPS/TLS. We do not support unencrypted HTTP connections.
  • Session cookies are configured with HttpOnly, Secure, and SameSite attributes to prevent cross-site attacks and client-side tampering.

5. Third-Party Services

We rely on a limited number of third-party service providers to operate the Service. Each provider processes data only as necessary to fulfill its designated function:

  • Resend — Transactional email delivery (magic links, password resets, verification emails).
  • Fly.io — Application hosting and database infrastructure (United States).
  • Vercel — Website hosting and cookie-free web analytics.

We do not sell, rent, trade, or otherwise share your personal data with third parties for marketing or advertising purposes. Data is shared with the providers listed above solely to the extent required to operate the Service.

6. Data Retention

We retain account data for as long as your account remains active and the Service is in use. If you request deletion of your account, we will permanently remove all associated personal data from our systems within 30 days of your request. Anonymized, aggregated data that cannot be used to identify any individual may be retained indefinitely for operational and analytical purposes.

7. Your Rights

You have the following rights with respect to your personal data. To exercise any of these rights, please contact us at privacy@vibelogin.com:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct any inaccurate or incomplete personal data.
  • Deletion: Request that we permanently delete your account and all associated personal data.
  • Data export: Request a machine-readable export of your personal data.

We will respond to all rights requests within 30 days.

8. Cookies

VibeLogin uses strictly necessary session cookies to manage authentication state. These cookies are configured as HttpOnly and Secure, meaning they are inaccessible to client-side scripts and transmitted only over encrypted connections. We do not use tracking cookies, advertising cookies, or any third-party cookies. Our marketing website uses Vercel Analytics, which operates without cookies and does not track individual users across sites.

9. Children's Privacy

The Service is not directed to, and is not intended for use by, children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will take prompt steps to delete it. If you believe a child under 13 has provided us with personal data, please contact us at privacy@vibelogin.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. For material changes that affect how we collect or use your personal data, we will notify you via the email address associated with your account at least 14 days before the changes take effect. Continued use of the Service after a revised policy becomes effective constitutes your acceptance of the updated terms.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at privacy@vibelogin.com. We aim to respond to all inquiries within five business days.