Privacy Policy — VibedGallery

This policy explains what information VibedGallery (“we,” “us”) collects when you use vibedgallery.com, how we use it, who we share it with, and the choices you have. It applies to the website and any related services we operate. It does not apply to third-party apps that you visit from the gallery — each of those has its own privacy practices.

1. Information we collect

a. Information you give us

Account data: when you sign up we collect your email address and a hashed password (or a token from your OAuth provider if you sign in with Google or GitHub). You can optionally provide a display name.
Profile data: any optional fields you fill in on your profile, such as display name, links, and an avatar URL provided by your OAuth provider.
App submissions: title, tagline, description, category, tools used, demo URL, screenshots, optional social links, and a verification token if you choose to verify ownership.
Communications: messages you send us by email or support channels.

b. Information collected automatically

Usage and device data: we collect basic telemetry (page paths, referrer, browser, device type, country-level IP geo) through Vercel Analytics and Vercel Speed Insights. This data is aggregated and used for product analytics and performance monitoring; it is not used for cross-site advertising.
Security and abuse signals: we run Cloudflare Turnstile to mitigate bots on signup and sensitive actions. Turnstile may receive your IP address, user-agent, and challenge interactions to score risk.
Logs: request logs (IP, timestamp, user-agent, URL, response codes) for diagnostics and security.
App view counters (creator analytics): when you visit an app’s detail page we increment that app’s view counter and store one row per app per UTC day in an aggregated table. We use your IP address solely to throttle repeat hits from the same source (one view per 30 minutes per app); the IP is held in a short-lived rate-limit table that is automatically cleared after at most 24 hours. We do not store the IP alongside the daily view rows, and the daily rows contain no personal data — only an app identifier, a date, and a count. Creators can see aggregate views and upvotes for their own approved apps in their profile (enforced by row-level security). Views by the app’s own owner and by known bots are excluded.

c. Information from third parties

OAuth providers (Google, GitHub): if you choose to sign in with them we receive your verified email address (or a no-reply alias from GitHub if your email is private), basic profile name, and avatar URL.
Google Safe Browsing: we may send a submitted app’s URL to Google Safe Browsing to check for known malware or phishing before showing it in the gallery.

2. How we use information

To operate the service — create your account, host your submissions, show the gallery, run search, and process upvotes.
To verify ownership of submitted apps and to moderate content for safety, accuracy, and compliance with our Terms of Service.
To send transactional emails (sign-up verification, password reset, submission status updates). We do not send marketing email today; if we ever do, you will be able to opt out.
To prevent fraud, abuse, and security incidents.
To measure and improve performance, fix bugs, and decide what to build next, using aggregate analytics.
To comply with applicable law and to enforce our rights.

3. Legal bases (EEA / UK users)

If you are in the European Economic Area or the United Kingdom, our legal bases under the GDPR / UK GDPR are:

Contract — to provide the account and service you signed up for.
Legitimate interests — to keep the service secure, prevent abuse, and run aggregate analytics. We balance these against your rights and freedoms.
Consent — for any processing that requires it (you can withdraw consent at any time).
Legal obligation — to comply with applicable law.

4. How we share information

We do not sell your personal data. We share information only with:

Service providers (sub-processors) who run the infrastructure on our behalf:
- Supabase — database, authentication, file storage, and edge functions.
- Vercel — website hosting, analytics, and performance monitoring.
- Cloudflare — bot protection (Turnstile) and edge security.
- Google — OAuth sign-in and Safe Browsing URL checks (when applicable).
- GitHub — OAuth sign-in (when you choose it).
- Email delivery provider — to send transactional emails.
Other users — your public profile (display name, avatar, and submitted apps) is visible to anyone who visits the site. Your email address is never shown publicly.
Legal and safety — to comply with valid legal process, enforce our terms, or protect the rights, property, or safety of users, the public, or VibedGallery.
Business transfers — if VibedGallery is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify users before personal data becomes subject to a different policy.

5. International transfers

VibedGallery’s primary infrastructure runs on servers in the European Union (Supabase, region eu-central-1). Some sub-processors (e.g., Vercel, Google, GitHub) operate globally and may process information in the United States or other countries. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses for transfers outside the EEA / UK.

6. Data retention

Account data is retained for as long as your account is active. When you delete your account, your personal data is deleted within 30 days, except where we are required to keep it longer (e.g., for security logs or legal records).
Submitted apps remain visible while your account is active and the submission is approved. You can delete a submission from your profile.
Logs and aggregate analytics are kept for a rolling window (typically up to 12 months) and then automatically deleted or de-identified.

7. Your rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete your data (“right to be forgotten”).
Restrict or object to certain processing.
Receive a copy of your data in a portable format.
Withdraw consent where processing is based on consent.
Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@vibedgallery.com. We may need to verify your identity before acting on a request.

California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect, to delete it, and to opt out of any “sale” or “sharing” — we do not sell or share personal information for cross-context behavioral advertising.

8. Cookies and similar technologies

We use a small number of strictly-necessary technologies:

Authentication tokens stored in your browser’s localStorage to keep you signed in.
Vercel Analytics uses a privacy-preserving first-party cookie / identifier to count unique visits. No cross-site tracking.
Cloudflare Turnstile may set cookies needed to deliver its bot challenge.

You can clear these at any time through your browser settings; doing so will sign you out of VibedGallery.

9. Security

We use industry-standard safeguards — TLS in transit, encryption at rest, access controls, row-level security on the database, and bot protection — to protect your information. No system is perfectly secure; if we ever experience a data incident affecting your data we will notify you and the relevant authorities as required by law.

10. Children's privacy

VibedGallery is not intended for children under 13 (or the minimum age in your country, if higher). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Effective” date above and, for material changes, post a notice on the site or notify you by email.

12. Contact

Privacy questions, requests, or complaints: support@vibedgallery.com.