GDPR Compliance
Our commitment to protecting data under EU GDPR.
Last updated: 1 January 2026
Our Role
When you use VibeCoded to process data about individuals (your customers, employees, or users), VibeCoded acts as a Data Processor on your behalf. You, as the customer, are the Data Controller and determine the purposes and means of processing.
For data we collect about you as an VibeCoded user (account data, billing information), we act as a Data Controller. Our Privacy Policy explains how we handle this data.
Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may ask us to correct inaccurate data.
- Right to erasure — you may request deletion of your data in certain circumstances.
- Right to restriction — you may ask us to restrict processing under certain conditions.
- Right to portability — you may request your data in a structured, machine-readable format.
- Right to object — you may object to processing based on legitimate interests.
To exercise any of these rights, contact our DPO at [email protected]. We will respond within 30 days.
Data Processing Agreement (DPA)
A Data Processing Agreement is available for all VibeCoded customers. Enterprise customers have a signed DPA included in their contract. Pro and Starter customers may request a DPA at any time. Read our standard DPA.
International Transfers
Your data is stored in the EU (Ireland) by default. If you select the US region at sign-up, data will be stored in the United States. For cross-border transfers, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.
Sub-processors
We maintain a list of sub-processors who may process your data on our behalf, including cloud infrastructure providers, payment processors, and email delivery services. Customers will be notified of any changes to our sub-processor list with 30 days’ notice. Contact us for the current list.
Security Measures
We implement appropriate technical and organisational measures including AES-256 encryption at rest, TLS 1.3 in transit, annual penetration testing, and SOC 2 Type II certification. See our Security Overview for details.
Supervisory Authority
Our lead supervisory authority is the Data Protection Commission (DPC) of Ireland: dataprotection.ie. If you are based in another EU member state, you may also contact your local data protection authority.
Contact Our DPO
Our Data Protection Officer can be reached at [email protected] or by post at: Data Protection Officer, VibeCoded Ltd, 12 Grand Canal Street, Dublin 2, D02 AB12, Ireland.