
Privacy Policy

Effective Date: May 18, 2026 · Version 1.3

VibeFlow Marketing is operated by TNTW LLC, a Wyoming limited liability company.

This Privacy Policy applies to users accessing the Service from the United States. The Service is currently available only to US-based users; visitors from other regions are redirected to a notice page and cannot create accounts.

TNTW LLC, a Wyoming limited liability company doing business as VibeFlow Marketing (“we,” “us,” or “our”) respects your privacy and is committed to protecting your data. This Privacy Policy explains what we collect, how we use it, who we share it with, and your rights.

1. Information We Collect

Account information: name, email, and (if you use OAuth sign-in) the OAuth provider you chose (Google or GitHub).

Your content: the prompts you submit to agents, your Brand Kit fields (name, tagline, colors, voice, target audience, optional logo), saved generated campaigns, and scheduled calendar events. Stored so you can access them across devices.

Usage data: which agents you use, when, and how often. Used to calculate searches remaining and improve the product.

Payment data: processed entirely by Stripe. We receive only a payment token and subscription status — we never see your full card number.

Integration data: if you connect Google Analytics 4, we store an encrypted (AES-256-GCM at rest) OAuth token so we can retrieve your dashboard metrics. We do not write to your GA4 property. You can disconnect from the Integrations tab at any time.

Product analytics: anonymous usage events via PostHog (page views, feature adoption, button clicks). No advertising IDs. No cross-site tracking.

Automatically collected: IP address (for security and rate-limiting), browser type, and limited technical information (inferred from request headers).

Sources

We collect the personal information described above (a) directly from you when you create an account, submit prompts, or interact with the Service; (b) automatically from your device through standard server logs and our product analytics; and (c) from third-party integrations that you authorize, such as Google Analytics.

CCPA categories

For California residents and to satisfy similar disclosure requirements under other US state privacy laws, the categories of personal information we collect map to the following CCPA categories: identifiers (name, email, account ID, IP address); commercial information (subscription status, transaction tokens from Stripe); internet or other electronic network activity (usage events, requests to the Service); and inferences drawn from the above (aggregated usage patterns). We do not collect categories outside this list.

Data retention

Information described in this Section 1 is retained while your account is active and for the periods specified in Section 5. We commit to notifying affected users of any unauthorized acquisition of unencrypted personal information in compliance with the Wyoming Security Breach Notification Act, Wyo. Stat. § 40-12-501 et seq.

We do NOT intentionally collect sensitive personal data. We do not collect biometric data (including facial images, voiceprints, fingerprints, or other biological identifiers), and the Service does not use automated image-gathering technologies.

Sensitive personal information under CPRA

Under the California Privacy Rights Act, “sensitive personal information” includes categories such as precise geolocation, financial account details, login credentials, contents of personal communications, racial or ethnic origin, religious beliefs, health information, and government identifiers. We do not intentionally collect any of these categories. If you voluntarily include such information in a prompt or Brand Kit field, we will treat it under our standard protections, but we encourage you to delete it via the dashboard. California residents have the right to limit our use of sensitive personal information to that which is reasonably necessary to provide the Service; given our limited collection, no further limitation is currently applicable.

Please avoid including sensitive information in a prompt or Brand Kit field. Any such content will be stored with the same protections as other content, but we discourage including health, financial, government ID, or other especially sensitive data. If such data is provided, you expressly consent to its processing while stored under our standard protections, but we ask that you delete it promptly via the dashboard.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — run agents, save campaigns, schedule calendar events, display metrics.
  • Manage accounts and process payments (Stripe webhooks sync subscription state).
  • Communicate with you about your account, billing, security, and Service changes.
  • Improve the product — measure feature adoption (via PostHog), fix bugs, understand usage patterns.
  • Enforce our Terms and comply with legal obligations.

We do not use your information to:

  • Sell or rent your personal data to third parties.
  • Train the underlying AI models. Anthropic does not train Claude models on customer API data. Anthropic may retain API inputs and outputs for up to 30 days for trust and safety review, after which they are deleted.
  • Serve advertisements. VibeFlow products are ad-free.

3. Continuous Learning & Improvement Engine — opt-in only

VibeFlow operates an optional Learning & Improvement Engine that helps the AI agents get better over time. This feature is disabled until you explicitly opt in from Settings.

Opting into the Learning Engine controls only what VibeFlow itself retains in its own systems. It does not change Anthropic’s retention of API inputs and outputs, which is governed by §2 above regardless of your Learning Engine setting.

When you are opted in, we collect:

  • Which agent type you used (e.g., social_x_post, content_blog).
  • Approximate prompt length and output length.
  • A one-way hash of your Brand Kit (we never see the raw Brand Kit in the learning dataset).
  • Engagement signals from connected integrations you explicitly authorize (e.g., GA4 clicks on a campaign URL).
  • Thumbs-up / thumbs-down ratings you provide on generated content.

We do not collect:

  • The text of your prompts.
  • The text of your campaigns.
  • The fields of your Brand Kit (name, tagline, voice text, etc.).
  • Any other identifying information.
  • Any biometric data, facial images, voiceprints, or data gathered via automated image-collection technologies.

Signals are keyed on a rotating anonymous identifier, not your account. Data flows through our systems under the same encryption and access controls as the rest of the Service.

You can opt out at any time from Settings. Opt-out takes effect immediately; no future signals are collected from your account. Signals already contributed to aggregated models remain in aggregated form (they cannot be reverse-engineered to an individual user).

We maintain internal records of Learning Engine activity for operational and audit purposes.

4. Sharing and Third Parties

We share data only as necessary to operate the Service:

  • Supabase — hosts our database (account data, your content). US region. Data processed under Supabase’s standard DPA.
  • Stripe — payment processor. Receives the information needed to process your payment.
  • Anthropic (Claude API) — receives your prompts to generate AI responses. Anthropic does not train Claude models on customer API data. Anthropic may retain API inputs and outputs for up to 30 days for trust and safety review, after which they are deleted.
  • Google Analytics (if connected) — integration pulls YOUR GA4 data into our dashboard; we never write to your property.
  • PostHog — privacy-preserving product analytics.
  • Vercel — hosting provider for the website and API.
  • Resend — transactional email delivery for support tickets and account notifications. Receives only the recipient email and message content.

Categories of third parties

All third parties listed above are service providers or processors under California Civil Code § 1798.140 (and equivalent terms under other US state privacy laws). They process personal information on our behalf under written agreements that restrict use to the purposes described above. We do not share personal information with third parties for their own commercial use.

We do not sell, rent, or share your personal information with any other third party except when required by law (subpoena, court order, regulatory request) or with your explicit consent.

If we share personal data with any government entity in response to a legal request, we will, where required by Wyoming law, ensure that such data is returned to us or destroyed when no longer necessary for the requesting entity’s purpose.

5. Data Retention

We retain your data for as long as your account is active. On account deletion, the following retention periods apply by data category:

  • Account data, saved campaigns, Brand Kit, and scheduled calendar events — deleted from our primary database within 30 days.
  • Database backups — retained for up to 60 days, after which they are automatically purged. We periodically audit backup purges to confirm compliance.
  • Application logs — retained for up to 90 days for security and debugging purposes, then deleted.
  • Anonymized Learning Engine signals — retained in aggregated form indefinitely; cannot be tied back to you.
  • Anthropic API inputs and outputs — retained by Anthropic for up to 30 days per its standard API terms; we have no separate retention of API call content on our side beyond what is stored in saved campaigns.

For step-by-step instructions on how to request deletion of your account and data, see our Data Deletion page.

6. Your Rights

As of v1.3, Wyoming does not have an omnibus consumer privacy statute (analogous to California’s CCPA or Virginia’s VCDPA). The rights below are offered as a matter of company policy and to comply with the privacy laws of any US state in which our users reside.

You have the right to:

  • Access the data we hold about you.
  • Correct inaccurate data — via the dashboard for Brand Kit and campaign content, or by emailing us.
  • Delete your account and data — see our Data Deletion page for the process and §5 for the retention schedule that applies after deletion.
  • Export your campaigns (Markdown, CSV) and Calendar (CSV, ICS) directly from the dashboard.
  • Opt in/out of the Continuous Learning Engine.
  • Disconnect integrations at any time.

For California residents

Under the California Consumer Privacy Act (CCPA), as amended by the CPRA, you additionally have the right to:

  • Know the categories of personal information we collect, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share.
  • Request that we not sell or share your personal information. We do not sell personal information and we do not share personal information for cross-context behavioral advertising; nevertheless, you may submit a “Do Not Sell or Share My Personal Information” request via email.
  • Request correction of inaccurate personal information.
  • Request deletion of personal information.
  • Limit our use of sensitive personal information (see §1).
  • Be free from discrimination for exercising these rights — we will not deny service, charge a different price, or provide a different level of service in response to a CCPA request.
  • Receive a response within 45 days of a verifiable consumer request.

Residents of other US states with comprehensive privacy laws

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, or another US state with a comprehensive consumer privacy statute, you have substantially similar rights to access, correct, delete, and obtain a portable copy of your personal information, and to opt out of targeted advertising, the sale of personal information, and certain forms of profiling. We honor these rights regardless of whether VibeFlow meets the consumer-volume or revenue thresholds for coverage under your state’s statute. To exercise these rights, follow the same process described below for CCPA requests.

Global Privacy Control

We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request for the sale or sharing of personal information, to the extent applicable. Because we do not sell or share personal information for cross-context behavioral advertising, a GPC signal results in no change to our handling of your data; we acknowledge the signal for transparency.

Automated decision-making

The Service generates marketing content based on inputs you provide. It does not make automated decisions about you that produce legal or similarly significant effects (such as eligibility for credit, employment, housing, insurance, or healthcare). Accordingly, the opt-out rights for automated decision-making and profiling under certain state privacy laws (including California, Colorado, Connecticut, and Virginia) do not apply to our Service.

Authorized agents

You may designate an authorized agent to submit a privacy request on your behalf. We require (a) written authorization signed by you, (b) verification of the agent’s identity, and (c) verification of your identity. For requests submitted by an authorized agent, we may contact you directly to confirm the request.

How we verify your identity

We verify privacy requests through information you have already provided in your account — typically by sending a confirmation link to the email address on file and asking you to confirm specific details about your account (such as the date of your last login or recent activity). For requests involving sensitive information or deletion, we may require additional verification.

To exercise CCPA rights, email hello@vibeflow.marketing with subject line “CCPA Request” and indicate which right you wish to exercise. We will verify your identity before processing the request.

To exercise rights not accessible from the dashboard, email hello@vibeflow.marketing. We will respond within 30 days (45 days for CCPA-specific requests, as required by California law).

California “Shine the Light”

California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for their direct marketing purposes. We do not disclose personal information to any third party for that party’s own direct marketing purposes, so we have no such disclosures to report.

Do Not Track

Some web browsers transmit a “Do Not Track” signal. There is no industry-standard interpretation of Do Not Track signals, and we do not respond to them at this time. We do honor Global Privacy Control as described above.

7. Security

We use:

  • TLS in transit for all connections.
  • AES-256-GCM encryption for sensitive OAuth tokens (Google Analytics) at rest.
  • Row-level security policies in our database (users can only access their own data).
  • Service-role access controls — privileged database writes (e.g., usage updates) are performed through a restricted server-side pathway only.
  • Regular dependency updates.

No system is 100% secure. If we become aware of a security incident affecting your data, we will notify you and applicable regulators as required by law.

Breach notification

If we discover that unencrypted personal information — for example, name in combination with Social Security number, driver’s license number, financial account number, or similar identifiers — has been acquired by an unauthorized person, we will, in compliance with the Wyoming Security Breach Notification Act (Wyo. Stat. § 40-12-501 et seq.), notify affected residents in the most expedient time possible and without unreasonable delay after discovery, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the integrity of the Service. The notice will include:

  • A description of the incident and the date or estimated date of occurrence.
  • The type of personal information affected.
  • The actions we have taken to investigate and mitigate the incident.
  • Advice on protecting against identity theft, including any toll-free number or website for credit-reporting agencies where relevant.

Where required by other US state laws, we will provide notice in the form and within the timeframes those laws require.

8. International Users

The Service is currently available only to users located in the United States. Visitors from other regions are detected at the network edge and redirected to a notice page; account creation and dashboard access are not available.

VPN / geo-block dependency

Our geo-block is a technical control and is not foolproof — users connecting via VPN or other circumvention may reach the Service. If we identify an account created from outside the United States (whether through VPN, technical bypass, or otherwise), we reserve the right to suspend or delete the account. This Privacy Policy applies only to users actually located in the United States; we do not commit to GDPR or UK GDPR compliance and the Service is not designed for use in those jurisdictions.

We will update this Section if and when the Service is made available in additional regions, at which point appropriate cross-border transfer safeguards (such as Standard Contractual Clauses for EEA/UK transfers) will be implemented.

9. Children’s Privacy

The Service is not intended for users under 18. We do not knowingly collect data from children under this age. If we discover we have, we will delete the account and all associated data promptly.

10. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential — session cookies (Supabase Auth) to keep you logged in.
  • Analytics — PostHog cookies for product analytics (no advertising).

We do NOT use:

  • Advertising cookies.
  • Cross-site tracking cookies.
  • Third-party ad-tech.

Cookie consent banner: not required at v1.0 — the Service is US-only via geo-block, and CCPA does not require a banner for non-sale of data (which we do not do). A banner will be added if and when the Service expands to EEA/UK regions or if we begin sharing personal information for cross-context behavioral advertising.

11. Marketing Communications

Transactional communications

We send service-related emails (account activity, security notices, billing, Service changes) to all users. These are not marketing communications and you cannot opt out while you have an active account, except by deleting the account.

Marketing communications

We may send promotional emails about features, tips, or updates only if you have opted in or have not opted out at signup. Every marketing email includes a one-click unsubscribe link in compliance with the CAN-SPAM Act, 15 U.S.C. § 7701 et seq. Unsubscribe requests are honored within 10 business days.

12. Changes to This Policy

We may update this Privacy Policy. For material changes, we will notify you by email or in-app at least 30 days before the changes take effect. Continued use of the Service after 30 days constitutes acceptance of the updated Policy.

13. Business Customers and Data Processing

If you use the Service on behalf of a business and process personal information of your own end users through the Service (for example, contact lists for email marketing campaigns), you act as the “business” or “controller” for that data and we act as a “service provider” or “processor.” A standard Data Processing Addendum is available on request at hello@vibeflow.marketing.

14. Google API Services User Data Policy

VibeFlow Marketing’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This section consolidates the disclosures specifically governing Google user data so they are easy to verify in one place.

What Google user data we access

When a user explicitly connects their Google Analytics 4 account from Dashboard → Integrations → Connect Google Analytics, we request a single OAuth scope: https://www.googleapis.com/auth/analytics.readonly. We do not request any other scope, ever — no Gmail, no Drive, no Contacts, no Calendar, no broader Analytics scope.

Using that scope, we call exactly two Google APIs on the user’s behalf:

  • analyticsadmin.googleapis.com/v1beta/accountSummaries — called once during the connection flow so the user can see and select which of their GA4 properties to link.
  • analyticsdata.googleapis.com/v1beta/properties/{propertyId}:runReport — called whenever the user views the Analytics Hub or a Campaign Results page, to retrieve pageviews, sessions, top pages, traffic sources, and conversion events over rolling 7/30/90 day windows.

How we use Google user data

Google user data is used solely to display analytics metrics inside the user’s VibeFlow dashboard. Specifically:

  • Render pageview, session, conversion, top-pages, and traffic-source widgets at /dashboard/analytics
  • Render per-campaign performance correlation cards that overlay GA4 traffic against the user’s published VibeFlow campaigns

Google user data is NOT used to train AI models (ours or any third party’s), to serve advertisements, for cross-context behavioral advertising, for credit/employment/housing/insurance decisions, or for any purpose other than the user-facing analytics displays described above.

How we store Google user data

We do not persistently store the analytics metrics themselves. Every dashboard view triggers a fresh API call to Google; results are rendered in the browser and discarded. The only persistent artifact of the integration is the OAuth refresh token, which is:

  • Encrypted at rest with AES-256-GCM in our Supabase database
  • Scoped to the individual user’s account via Postgres row-level security — a user can only read their own token, and our application never reads tokens across users
  • Never logged, never copied to analytics tools, never exported in backups in plaintext

How we share Google user data

We do not share Google user data with any third party. Google user data is never sold, never used for advertising, never disclosed to any other party except as required by law (subpoena, court order) and in accordance with §4 of this Policy. Our subprocessors (listed in §4) do not have access to Google user data — the GA4 API calls are made directly from our application to Google’s endpoints.

How long we retain Google user data

  • Analytics metrics retrieved from Google’s APIs: not persisted (fetched live per request)
  • OAuth refresh token: retained while the integration is connected. Deleted within 24 hours when the user clicks Disconnect, and within 30 days when the user deletes their VibeFlow account (per §5)
  • Application logs that may transiently include Google API request metadata (status codes, latency): retained for up to 90 days for security and debugging, then deleted

User controls for Google user data

Users can:

  • Disconnect the GA4 integration at any time from Dashboard → Integrations → Disconnect. On disconnect, we delete the encrypted refresh token from our database and notify Google’s token-revocation endpoint.
  • Revoke access directly from their Google account at myaccount.google.com/permissions.
  • Delete their VibeFlow account entirely (see Data Deletion page), which removes the integration along with all other account data.

15. Contact Us

Privacy questions, access requests, deletion requests, or concerns:

Email: hello@vibeflow.marketing

CCPA-specific requests: hello@vibeflow.marketing with subject “CCPA Request”

Response target: 30 days (45 days for CCPA-specific requests, or as legally required)

Company: TNTW LLC, a Wyoming limited liability company, doing business as VibeFlow Marketing. Mailing address: 30 N Gould St Ste R, Sheridan, WY, 82801, USA