Privacy Policy

We process personal information for the following purposes. Personal information collected will not be used for purposes other than those stated below, and we will seek your prior consent if the purpose of use changes.

• Account Management: User registration, identity verification, account maintenance, and withdrawal processing.
• Service Provision: AI-powered tech stack analysis of user projects, personalized learning roadmap generation, AI tutor conversations, MCP (Model Context Protocol) server integration, and project management dashboard.
• Payment Processing: Processing subscription payments, managing billing history, handling refunds and cancellations for paid plans (Pro and Team).
• Customer Support: Responding to inquiries, resolving technical issues, and processing service-related requests.
• Service Improvement: Analyzing usage patterns to improve service quality, developing new features, and ensuring platform stability. This includes aggregated analytics that do not identify individual users.

We collect the following categories of personal information:

We do not collect sensitive personal information such as race, political opinions, health data, or biometric data.

We retain personal information for the periods specified below. When the retention period expires, the information is promptly destroyed.

We do not sell your personal information. We may provide personal information to third parties only in the following limited cases:

• Stripe: Payment processing information (transaction details) is shared with Stripe for processing subscription payments. Stripe operates under its own privacy policy.
• LLM (AI) Providers: Portions of project source code and related technical information are transmitted to LLM providers solely for the purpose of AI-powered tech stack analysis, learning roadmap generation, and AI tutor conversations. For BYOK users, data is sent only to the provider whose API key the user has registered. The LLM providers we may use include: Anthropic, OpenAI, Google, Groq, Mistral, DeepSeek, Cohere, Together AI, Fireworks AI, XAI, and OpenRouter.
• Legal Requirements: When required by law, regulation, legal process, or governmental request.

In all cases, we provide only the minimum information necessary and require recipients to maintain appropriate security measures.

We outsource the processing of personal information to the following service providers to ensure smooth service operation:

When outsourcing, we execute data processing agreements that include restrictions on processing purposes, technical and organizational security measures, limitations on sub-processing, and obligations for data deletion.

When personal information becomes unnecessary due to the expiration of the retention period or fulfillment of the processing purpose, we destroy it without delay.

Destruction Procedures:

• Information that has fulfilled its purpose is transferred to a separate database (or locked storage) and destroyed after the legally required retention period.
• Information that must be retained by law is stored separately from other personal information and destroyed upon expiration of the retention period.

Destruction Methods:

• Electronic files: Deleted using technical methods that render the records irrecoverable (secure deletion, cryptographic erasure).
• Paper documents: Shredded or incinerated (not applicable to our current operations as we operate entirely digitally).

You have the following rights regarding your personal information, which you may exercise at any time:

• Right of Access: You may request access to the personal information we hold about you.
• Right to Correction: You may request correction of inaccurate or incomplete personal information.
• Right to Deletion: You may request deletion of your personal information, subject to legal retention requirements.
• Right to Suspend Processing: You may request that we suspend processing of your personal information.
• Right to Withdraw Consent: You may withdraw your consent at any time for processing based on consent.

How to Exercise Your Rights:

• Self-Service: You can manage most of your data directly through the Settings page on VibeUniv, including updating your profile, deleting projects, managing API keys, and withdrawing your account.
• Email Request: For requests that cannot be handled through the Settings page, please contact us at privacy@vibeuniv.com. We will process your request within 10 business days.

We will not treat you disadvantageously for exercising any of these rights. If we deny a request, we will provide the reasons in writing.

We use cookies for the following purposes:

• Authentication Session Cookie: Maintains your login session so you can use the service without repeated authentication. This is an essential cookie required for service operation.
• Locale Preference Cookie: Stores your preferred language setting (Korean or English) to provide content in your chosen language.

We do not use advertising or tracking cookies. We do not use third-party analytics cookies.

How to Manage Cookies:

You can manage cookies through your browser settings. Most browsers allow you to:

• View and delete existing cookies
• Block all or specific cookies
• Set preferences for certain websites

Please note that disabling essential cookies (authentication session) will prevent you from using the service, as login functionality requires cookies.

Browser-specific instructions:

• Chrome: Settings → Privacy and Security → Cookies and Other Site Data
• Firefox: Settings → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Manage Website Data
• Edge: Settings → Cookies and Site Permissions → Cookies and Site Data

We implement the following technical, administrative, and physical measures to protect your personal information:

Technical Measures:

• Encryption: All user API keys (BYOK) are encrypted using AES-256-GCM before storage. Passwords are hashed using industry-standard algorithms. All data in transit is encrypted via HTTPS/TLS.
• Row Level Security (RLS): Database-level access control is enforced on all tables, ensuring users can only access their own data.
• Security Headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, and other security headers are applied to prevent common web attacks.
• HTTPS: All communications between clients and servers are encrypted using HTTPS.
• Input Validation: All user inputs are validated and sanitized to prevent injection attacks.

Administrative Measures:

• Access to personal information is limited to the minimum number of authorized personnel.
• Regular security reviews are conducted to identify and address vulnerabilities.
• Data processing agreements are in place with all third-party service providers.

VibeUniv uses artificial intelligence (AI) and automated processing in the following ways:

• Automated Tech Stack Analysis: When you upload project files, AI automatically analyzes the source code to identify technologies, frameworks, and libraries used. This analysis is performed solely to provide you with the service and does not involve profiling or automated decision-making that produces legal effects.
• AI-Generated Learning Roadmaps: Based on the analyzed tech stack, AI generates personalized learning roadmaps and educational content tailored to your project. This is informational content to assist your learning.
• AI Tutor Conversations: The AI tutor provides responses based on your project context and learning progress. All responses are informational and do not constitute professional advice.

Your Rights Regarding Automated Processing:

• You have the right to request information about the logic involved in automated processing.
• You have the right to object to automated processing and request human review.
• No significant decisions affecting your legal rights are made solely through automated processing.

To exercise these rights, please contact us at privacy@vibeuniv.com.

To provide our services, personal information may be transferred to and processed in countries outside of United States and worldwide. We ensure that appropriate safeguards are in place for all international transfers.

For transfers to countries that do not provide an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the data recipient's certification under recognized frameworks.

We have designated the following Privacy Officer to oversee the protection of personal information and handle related inquiries and complaints:

• Name: Jaehyung Choi
• Title: CEO / Privacy Officer
• Email: privacy@vibeuniv.com

You may direct any privacy-related inquiries, complaints, or requests to the Privacy Officer. We will respond to your inquiries within 10 business days.

If you believe your privacy rights have been infringed, you may seek resolution through the following organizations:

• Korea Internet & Security Agency (KISA) Privacy Complaint Center: Phone 118 (no area code) | privacy.kisa.or.kr
• Personal Information Dispute Mediation Committee: Phone 1833-6972 | kopico.go.kr
• Supreme Prosecutors' Office Cybercrime Investigation Division: Phone 1301 | spo.go.kr
• Korean National Police Agency Cyber Bureau: Phone 182 | ecrm.cyber.go.kr

If you are located in the European Union (EU) or European Economic Area (EEA), the following additional provisions apply to you under the General Data Protection Regulation (GDPR):

Legal Bases for Processing:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide you with the VibeUniv service, including account management, project analysis, learning roadmap generation, and AI tutor functionality.
• Consent (Article 6(1)(a)): Processing based on your explicit consent, such as optional data collection or marketing communications. You may withdraw consent at any time.
• Legitimate Interest (Article 6(1)(f)): Processing necessary for our legitimate interests, such as service improvement, security monitoring, and fraud prevention, where such interests are not overridden by your rights.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, such as tax and accounting obligations.

Your Additional Rights Under GDPR:

• Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format.
• Right to Erasure (Right to Be Forgotten): You may request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction of Processing: You may request that we restrict the processing of your personal data in certain circumstances.
• Right to Object: You may object to processing based on legitimate interests at any time.

Data Protection Officer:

For GDPR-related inquiries, please contact our Data Protection Officer at privacy@vibeuniv.com.

Right to Lodge a Complaint:

You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.

International Transfers:

Transfers of personal data from the EU/EEA to countries outside the EU/EEA (including the United States) are conducted pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate safeguards under Chapter V of the GDPR.

If you are a California resident, the following additional provisions apply to you under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Categories of Personal Information Collected:

• Identifiers: Email address, nickname, IP address, account name.
• Internet or Other Electronic Network Activity: Browsing history within the service, access logs, device information, interactions with the platform.
• Professional or Employment-Related Information: Project source code and technical data uploaded for analysis (to the extent it reflects professional activities).
• Inferences: Tech stack analysis results and learning recommendations derived from uploaded project data.

We Do Not Sell or Share Your Personal Information:

VibeUniv does not sell personal information to third parties. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

Your Rights Under CCPA/CPRA:

• Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: Not applicable, as we do not sell or share personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your rights.

To exercise your rights, please contact us at privacy@vibeuniv.com or use the self-service options available in the Settings page. We will verify your identity before processing your request and respond within 45 days.

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws.

• General Changes: We will post the updated Privacy Policy on our website at least 7 days before the changes take effect, with the effective date clearly indicated.
• Material Changes: For significant changes that may affect your rights (such as changes to the categories of information collected, purposes of processing, or third-party sharing), we will provide at least 30 days prior notice via email to the address associated with your account.

Your continued use of the service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you may withdraw your account before the effective date.