Privacy Policy

We collect the following information when you use VibeDay:

• Account information: email address, password (hashed), name, and brand identity you provide during signup.
• Connected social accounts: when you connect Instagram, Facebook, TikTok, or YouTube accounts, we receive an OAuth access token (and a refresh token for YouTube) along with basic profile information (account/channel name, account/channel ID, profile photo) from those platforms. For YouTube specifically, see Section 5 for the full data-handling disclosure required by the YouTube API Services Terms.
• Content you create: topics, captions, images, video, scheduling preferences, and any content you upload to VibeDay.
• Billing information: processed by Stripe; we do not store credit card numbers on our servers.
• Usage data: pages visited, features used, generation counts, and error logs.
• Device information: browser type, operating system, IP address.

• Provide and operate the Service, including AI generation and scheduled publishing
• Process subscriptions and payments
• Send transactional and account-related communications
• Improve the Service and develop new features
• Detect and prevent fraud, abuse, and policy violations
• Comply with legal obligations

We share information only as needed to operate the Service:

• AI providers: OpenAI, Anthropic, and Google process prompts and return generated content. They process inputs under their own terms.
• Social platforms: when you publish content, we send it to the connected platform via their API.
• Infrastructure providers: hosting (Vercel), database (Supabase), email (Resend), analytics (PostHog), payments (Stripe). These vendors are bound by confidentiality and data processing terms.
• Legal requirements: we may disclose information when required by law, subpoena, or to protect our rights and the safety of others.

We do not sell your personal information to third parties. We do not share your content with other VibeDay customers.

VibeDay uses third-party AI providers to power features like the Brand Designer, Campaign Designer, Topic Batch Generator, and (when available) content and video generation. This section describes what we send to those providers, what they commit to do (and not do) with it, and the choices you have.

Which providers we use

• Anthropic (Claude) — primary provider for text and structured content generation (brand voice writing, campaign briefs, topic ideas).
• OpenAI — fallback provider for text generation when Anthropic is unavailable or rate-limited, and primary provider for image generation.
• Google Vertex AI (Veo) — primary provider for video generation (available in later product releases).
• Hive AI — image and video content moderation (NSFW classification on generated assets).

What we send

Only the information needed to perform the requested AI task, scoped strictly to your workspace. For example:

• Brand designer: the survey answers you provide (business description, audience, vibes, optional colors).
• Campaign designer: campaign goal, cadence, angles, and — if you selected one — your brand's voice persona, tone, and primary color.
• Topic batch / content generation: subject and angle inputs plus the relevant brand voice and campaign brief context.

We do notsend: your password, billing information, social platform OAuth tokens, your connected accounts' data, other workspaces' data, or any information from other VibeDay customers.

What providers commit to

We use the providers' commercial / business tiers (not consumer products). Under those agreements:

• No training: inputs and outputs are not used to train the providers' AI models.
• Limited retention: inputs are typically retained for 30 days or less for abuse-monitoring purposes, then deleted, per each provider's published policy.
• Output ownership: AI-generated content (brand profiles, campaign briefs, topic lists, posts) is owned by you, not by the AI provider and not by VibeDay.

For the full text of each provider's data handling, see: Anthropic, OpenAI, Google Cloud.

Provider redundancy

If our primary AI provider for a feature is unavailable or rate-limited, we may transparently fall back to a secondary provider (e.g. Anthropic → OpenAI for text). The fallback provider receives the same scoped inputs and is bound by the same commitments above. We log which provider handled each generation so you can audit it on request.

Your control

• AI features are opt-in per action. We never send your data to an AI provider until you initiate a generation by clicking a button (e.g. “Design my brand”).
• You can use VibeDay's manual CRUD features without ever invoking an AI provider.
• If you want a comprehensive list of every AI generation made on your workspace, email legal@vibeday.com.

AI-generated content disclosure

Content generated with VibeDay's AI features is marked internally with provenance metadata (which generation produced it, which provider was used). When you publish AI-generated content to a third-party platform (Instagram, Facebook, TikTok), you remain responsible for compliance with that platform's AI-content disclosure rules.

VibeDay's YouTube integration uses YouTube API Services(the YouTube Data API v3) to publish video content to YouTube channels you connect. By using VibeDay's YouTube features, you agree to the YouTube Terms of Service and acknowledge Google's Privacy Policy.

What YouTube data we access

When you click Connect on the YouTube tile in your VibeDay Settings, you authorize VibeDay to access two minimum-scope YouTube permissions on your behalf:

• youtube.readonly — used once at connection time to call channels.list?mine=trueand retrieve your connected channel's ID, title, and avatar so we can display the connected channel in your Settings panel. We do not read your videos, comments, watch history, subscriptions, or any other channel data.
• youtube.upload — used at publish time to upload videos you author or AI-generate in VibeDay and explicitly schedule for your own YouTube channel. We do not modify, delete, or interact with your existing YouTube content.

We deliberately do not request the broader youtube or youtube.force-ssl scopes — minimum-permission posture is intentional and enforced at our OAuth start URL.

What we store and how

• OAuth refresh token: encrypted at rest using AES-256-GCM. Used only to obtain a short-lived access token at the moment of a scheduled upload.
• Channel ID, name, and avatar URL: stored in our database so we can display the connected channel in your Settings panel and route scheduled uploads to the correct channel.
• Access tokensare short-lived (Google's 1-hour default) and refreshed on demand at publish time. They are never persisted beyond a single publish action.

How we use YouTube data

YouTube data is used exclusively to operate the publishing features you have authorized. Specifically:

• Identifying the connected channel in your VibeDay Settings
• Uploading videos to your channel when a scheduled or immediate publish action you initiated fires

We do not share, sell, transfer, or otherwise disclose YouTube user data to any third party. We do not use YouTube data for advertising. We do not train AI models on YouTube user data. We do not aggregate YouTube data alongside data from other platforms.

Revoking access and deleting your YouTube data

You can revoke VibeDay's access to your YouTube channel at any time, in either of two ways:

• In VibeDay: open Settings → Platform Connections and click Disconnect on the YouTube tile. We will immediately delete the stored refresh token, channel metadata, and PlatformAccount row associated with your YouTube connection.
• At Google directly: visit your Google Account security settings and remove VibeDay's access. Tokens we previously received will stop working immediately on Google's side; our stored copy is invalidated on its next use.

Deleting your VibeDay account also cascade-deletes all stored YouTube data associated with the workspace. See Section 6 for our general data retention policy.

We retain account information and content for as long as your account is active. If you delete your account, we delete your personal information and content within 30 days, except where retention is required by law (e.g., billing records for tax purposes).

Depending on your location, you may have the right to access, correct, export, or delete your personal information. To exercise these rights:

• Account settings allow you to download your data and delete your account at any time
• For other requests, email legal@vibeday.com

To request deletion of data we received from connected social platforms, see our Data Deletion Instructions.

We use essential cookies for authentication and analytics cookies (with your consent) to understand product usage. You can opt out of analytics via your account settings.

8.1 What our product analytics provider receives

We use PostHog (PostHog Inc., US) for product analytics. Our integration is configured to send the minimum data needed to understand how the product is used. Specifically:

• Pseudonymous identifier:we send your account's internal UUID (an opaque, random identifier). We do not send your email address, name, or any other personally identifying field to PostHog.
• Page views: the path you visit (e.g. `/topics`, `/schedule`). URL query parameters are stripped at the SDK boundary before transmission.
• Specific product eventsdefined in our code (for example, "generation_created", "schedule_created", "post_published"). Each event carries only counts, timestamps, and opaque identifiers — never the content of your posts, captions, hashtags, image prompts, brand details, or any other free-form content.
• Standard browser and device info: browser type, OS, screen size. Used for cross-browser-compatibility analysis.

We explicitly do not send PostHog: your IP address (stripped at the SDK boundary), session replays / screen recordings, mouse movements, heatmaps, autocaptured click events (which can contain visible text), or any customer-typed content.

Internal admin users of VibeDay are opted out of analytics entirely, so our support and maintenance activity does not appear in the product analytics data.

PostHog stores this data in the United States (US Cloud). You can request deletion of your analytics records by emailing legal@vibeday.com.

VibeDay is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us information, email legal@vibeday.com and we will delete it.

We use industry-standard security measures including encryption in transit (TLS) and at rest (AES-256), access controls, and audit logging. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

We process data in the United States. If you are located outside the US, your data will be transferred to and processed in the US under standard contractual clauses.

We may update this Privacy Policy from time to time. Material changes will be announced via email or in-app notification at least 30 days before taking effect.

Questions or requests? Email legal@vibeday.com or write to: VibeDay, [LLC address pending] .