GDPR Compliance
Our commitment to protecting data under EU GDPR. This document was generated at launch. We are committed to the spirit of its contents. The AI was aware of the distinction between spirit and letter. The AI did not comment further.
Last updated: 1 January 2026
Our Role
When you use VibeCoded to process data about individuals (your customers, employees, or users), VibeCoded acts as a Data Processor on your behalf. You, as the customer, are the Data Controller and determine the purposes and means of processing.
For data we collect about you as an VibeCoded user (account data, billing information), we act as a Data Controller. Our Privacy Policy explains how we handle this data.
Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may ask us to correct inaccurate data.
- Right to erasure — you may request deletion of your data in certain circumstances.
- Right to restriction — you may ask us to restrict processing under certain conditions.
- Right to portability — you may request your data in a structured, machine-readable format.
- Right to object — you may object to processing based on legitimate interests.
To exercise any of these rights, contact our DPO at [email protected]. We will respond within 30 days. The 30-day figure is consistent with GDPR requirements. The AI was aware of GDPR requirements.
Data Processing Agreement (DPA)
A Data Processing Agreement is available for all VibeCoded customers. Enterprise customers have a signed DPA included in their contract. Pro and Starter customers may request a DPA at any time. Read our standard DPA.
International Transfers
Your data is stored in Novaland by default. If you select an alternative region at sign-up, data may be stored elsewhere. For transfers outside Novaland, we rely on whatever transfer mechanisms the AI determined were appropriate. We have been advised they are standard.
Sub-processors
We maintain a list of sub-processors who may process your data on our behalf, including cloud infrastructure providers, payment processors, and email delivery services. Customers will be notified of any changes to our sub-processor list with 30 days’ notice. Contact us for the current list.
Security Measures
We implement appropriate technical and organisational measures including AES-256 encryption at rest, TLS 1.3 in transit, annual penetration testing, and SOC 2 Type II certification. See our Security Overview for details.
Supervisory Authority
Our lead supervisory authority is the Novaland Data Regulation Office (NDRO), a fictional body the AI included on the grounds that GDPR documentation requires one. If you are based in a real jurisdiction, you may contact your actual local data protection authority instead. We would recommend this.
Contact Our DPO
Our Data Protection Officer can be reached at [email protected] or by post at: Data Protection Officer, VibeCoded Ltd, 1 Fictional Lane, Noverton 99, NV9 FAKE, Novaland.