Privacy Policy
Last updated: 6 July 2026
1. Introduction
This Privacy Policy explains how Vibgrate ("we", "us", "our") collects, uses, discloses, and protects your personal data when you use our website, software, CLI tools, dashboard, and related services (the "Service").
We are committed to protecting your privacy and handling your data in an open and transparent manner. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller:
- Vibgrate
- Registered Address: 66 Paul Street, London, EC2A 4NA
- ICO Registration Number: ZB593264
- Contact: Contact Us
2. Information We Collect
2.1 Information You Provide
We may collect personal data that you voluntarily provide when using our Service, including:
- Account Information: Email address, name, company name when you create an account or contact us
- Communications: Information you provide when you contact us for support or queries
- Feedback: Any feedback, comments, or suggestions you submit
2.2 Information Collected Automatically
When you access the Service, we may automatically collect certain information:
- Usage Data: Pages visited, features used, time spent on pages, click patterns
- Device Information: Browser type, operating system, device type
- Log Data: IP address, access times, referring URLs
- Analytics Data: Aggregated and anonymised usage statistics
2.3 Code Analysis Data
When you use our drift analysis features (CLI tool or dashboard), we may process:
- Dependency Information: Package names, versions, and dependency trees from your package managers (e.g., package.json, requirements.txt)
- Configuration Files: Build configurations, CI/CD configurations (without secrets or credentials)
- Metadata: Repository structure information, file patterns, architectural classification
Note: Our CLI tool is designed to analyze metadata and configuration files. We do not access, collect, or store your source code, proprietary business logic, credentials, API keys, or secrets.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: To deliver drift analysis, security posture reports, and other features
- Improve the Service: To understand usage patterns and enhance functionality
- Communications: To respond to your inquiries and provide customer support
- Security: To detect, prevent, and address technical issues and security threats
- Legal Compliance: To comply with applicable laws and legal obligations
- Analytics: To generate aggregated, anonymised insights about service usage
4. Legal Basis for Processing
Under UK GDPR, we process your personal data on the following legal bases:
- Contract: Processing necessary to perform our contract with you (providing the Service)
- Legitimate Interests: Processing necessary for our legitimate interests (improving the Service, security) where not overridden by your rights
- Consent: Where you have given consent for specific processing activities
- Legal Obligation: Processing necessary to comply with legal obligations
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information in the following circumstances:
- Service Providers: With trusted third-party service providers who assist us in operating the Service (e.g., hosting providers, analytics services), subject to appropriate data protection agreements
- Legal Requirements: When required by law, regulation, or legal process
- Protection of Rights: To protect our rights, privacy, safety, or property, or that of our users or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate safeguards
Any third parties we engage are contractually obligated to protect your data and use it only for the purposes we specify.
6. International Data Transfers
Your information may be transferred to and processed in countries outside the United Kingdom. When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Transfers to countries with adequacy decisions from the UK
- Standard Contractual Clauses approved by the UK Information Commissioner's Office
- Other legally recognised transfer mechanisms
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including:
- Account Data: For the duration of your account and a reasonable period thereafter
- Analysis Data: Temporarily processed and typically not retained beyond the analysis session unless you save reports
- Log Data: Typically retained for up to 12 months for security and troubleshooting purposes
- Legal Records: As required by applicable law
When data is no longer needed, we securely delete or anonymise it.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request restriction of processing in certain circumstances
- Right to Data Portability: Receive your data in a structured, commonly used format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us. We will respond to your request within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated: ico.org.uk
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL
- Secure data storage with access controls
- Regular security assessments and updates
- Employee training on data protection
- Incident response procedures
However, no method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.
10. Cookies and Tracking Technologies
We keep storage on your device to a minimum. We set no analytics, advertising, or cross-site tracking cookies at all. The only thing we store on your device is a single strictly-necessary preference, listed below.
10.1 Strictly Necessary Storage (no consent required)
Stored in your browser's local storage, never sent to us or to third parties:
- theme — remembers your light/dark mode preference. Kept until you clear browser data.
10.2 Analytics (no cookies, no consent required)
We use Cloudflare Web Analytics (provided by Cloudflare, Inc.) to understand, in aggregate, how visitors use the site. It is privacy-first by design: it sets no cookies, stores nothing on your device, and does not fingerprint or track you across sites or over time. It collects only aggregated, non-identifying page metrics — such as page views, referrers, and load performance — from ordinary request data. Because no information is read from or stored on your device, no consent is required, and there is nothing for you to opt out of. The legal basis is our legitimate interest (UK GDPR Article 6(1)(f)) in understanding and improving the site.
For details, see Cloudflare Web Analytics and Cloudflare's Privacy Policy.
10.3 Managing Your Choice
Because we set no analytics or tracking cookies, there is no analytics cookie to accept or decline — which is why the site shows no cookie-consent banner. You can still block or delete the strictly-necessary theme preference at any time through your browser settings.
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after any modifications constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise your data protection rights, please contact us:
- Data Controller: Vibgrate
- Contact: Contact Us
- Address: 66 Paul Street, London, EC2A 4NA
- ICO Registration: ZB593264
15. Supervisory Authority
You have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Website: ico.org.uk
- Helpline: 0303 123 1113