we45, Inc. · VibeReview
Privacy Policy
How VibeReview (we45, Inc.) collects, uses, and protects your data.
Effective Date: May 22, 2026
Last Updated: May 22, 2026
This Privacy Policy describes how we45, Inc., doing business as VibeReview ("Company," "we," "us," or "our"), collects, uses, discloses, and protects information when you use our website at https://vibereview.app, our web application at app.vibereview.app, our MCP server, our CLI tools, our IDE integrations, and any related services (collectively, the "Service"). By accessing or using the Service, you agree to the terms of this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you create an account or subscribe to the Service, we collect:
- Name and email address
- Organization name (for Team and Enterprise plans)
- Billing and payment information (processed by our third-party payment processor; we do not store full payment card numbers)
- Authentication credentials managed through our identity provider, Zitadel Cloud (we never store plaintext passwords)
1.2 Repository and Code Metadata
Important: VibeReview analyzes your connected repositories to build threat models and generate security guardrails. During this process, we collect and process:
- Repository metadata (languages, frameworks, dependencies, file structure, CI/CD configuration)
- Code profile data (entry points, trust boundaries, data flow patterns, authentication patterns)
- Threat model outputs (identified threats, generated guardrails, OWASP/CWE mappings)
We do not persistently store your source code. Source code is read transiently during the profiling process and is not retained after the analysis is complete. Only derived metadata and profile information are stored.
1.3 Usage Data
We automatically collect information about how you interact with the Service:
- Guardrail activation and match events
- PR review events (which rules fired, severity levels)
- MCP server interaction logs
- CLI usage telemetry (commands run, scan results summary)
- Dashboard access and navigation patterns
- IDE integration events (guardrail delivery, scan submissions)
1.4 Device and Technical Information
- IP address, browser type, operating system
- Device identifiers and session information
- Referring URLs and pages visited
- Cookies and similar tracking technologies (see Section 6)
1.5 Third-Party Platform Data
When you connect GitHub, GitLab, or other source code management platforms, we receive:
- Repository names, visibility settings, and branch information
- Pull request and merge request metadata
- Webhook event data for PR review triggers
- OAuth tokens (encrypted at rest) for authorized API access
2. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: To profile repositories, generate threat models, create and deliver security guardrails, review pull requests, and provide dashboard analytics.
- AI-Powered Analysis: To power our AI-driven threat modeling, guardrail generation, and code review features. See Section 3 for details on AI data processing.
- Service Improvement: To improve our guardrail library, threat detection accuracy, and overall product quality.
- Communication: To send account notifications, security alerts, and product updates, and to respond to support requests.
- Billing: To process payments, manage subscriptions, and send invoices.
- Security and Compliance: To detect fraud, prevent abuse, and comply with legal obligations.
- Aggregate Analytics: To generate anonymized, aggregated statistics about security trends, vulnerability patterns, and industry benchmarks.
3. AI and Automated Processing
VibeReview uses artificial intelligence and machine learning to analyze repository metadata, generate threat models, create security guardrails, and review pull requests. Specifically:
- Threat Modeling: AI systems analyze your repository structure, code patterns, and dependency graph to identify potential security threats. These models are probabilistic and may not capture all vulnerabilities.
- Guardrail Generation: AI generates security rules tailored to your codebase. These rules are suggestions and should be reviewed by qualified security professionals.
- PR Review: AI compares pull request diffs against your guardrail set and generates comments. AI-generated review comments are advisory and do not constitute a comprehensive security audit.
AI Limitations Disclosure: AI-generated outputs, including threat models, guardrails, and review comments, are provided on an "as-is" basis and may contain errors, omissions, or inaccuracies. They are not a substitute for professional security review. See our AI Disclaimer Agreement for full details.
4. How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
- Service Providers: With third-party vendors who assist in operating the Service, including: DigitalOcean (cloud hosting), Stripe (payment processing), Cloudflare (CDN, edge compute, transactional email), Google Workspace (corporate email), Google Analytics and Matomo (analytics), and Zitadel Cloud (identity and authentication). All service providers are subject to confidentiality and data processing obligations.
- Source Code Platforms: With GitHub, GitLab, or other connected platforms as necessary to provide PR review and repository integration features.
- AI Model Providers: We transmit repository metadata (not source code) to Requesty for AI inference used in threat modeling, guardrail generation, and code review. All transmissions are encrypted and subject to data processing agreements.
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with notice to affected users.
- With Your Consent: When you direct us to share information with third parties.
5. Data Retention
We retain your information as follows:
- Account Data: For the duration of your account plus 30 days after deletion, unless a longer retention period is required by law.
- Repository Metadata and Profiles: For the duration of the connected project, deleted within 30 days of project removal.
- Source Code: Transiently processed and not retained after profiling is complete. Source code is never stored at rest.
- Usage and Analytics Data: Retained in identifiable form for up to 24 months, then anonymized.
- Billing Records: Retained as required by applicable tax and financial regulations (typically 7 years).
6. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for authentication, session management, and core functionality. Cannot be disabled.
- Analytics Cookies: Used to understand how visitors interact with our website and application. You may opt out via your browser settings or our cookie preference center.
- Functional Cookies: Used to remember your preferences and settings.
We do not use advertising or third-party tracking cookies. We do not engage in cross-site tracking.
7. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- SOC 2 Type II and ISO 27001 certified controls
- Regular penetration testing and vulnerability assessments
- Role-based access controls and the principle of least privilege
- Incident response procedures with breach notification
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Your Rights and Choices
8.1 All Users
- Access, correct, or delete your account information via account settings or by contacting us
- Disconnect repositories and request deletion of associated metadata
- Opt out of non-essential communications
- Export your guardrail configurations and threat model data
8.2 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@we45.com.
8.3 European Economic Area, UK, and Swiss Residents (GDPR)
If you are in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation, including the right to access, rectification, erasure, data portability, restriction of processing, and objection. Our legal bases for processing include contract performance, legitimate interests, and consent. To exercise your rights, contact us at privacy@we45.com.
9. International Data Transfers
we45, Inc. is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. We implement appropriate safeguards for international transfers, including Standard Contractual Clauses where required.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will delete it promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, for registered users, by email or in-app notification. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
we45, Inc.
30 N Gould St, Sheridan, WY 82801
Privacy inquiries: privacy@we45.com
General legal: legal@we45.com
Website: https://vibereview.app