Privacy Policy

GNTC Inc. (“GNTC,” “we,” “us,” or “our”) provides VibeHost, a deployment and hosting platform that accepts built artifacts from coding tools and AI coding agents and serves them as web applications at private-by-default URLs (the “Services”). This Privacy Policy (this “Policy”) explains the nature, purpose, use, and sharing of any Personal Data in connection with the Services.

VibeHost is intended for software development, deployment, and hosting workflows used by businesses, organizations, and individual developers. The Services are typically purchased by an organization or developer (the “Client”) and made available to that Client’s invited users (the “Authorized Users”). This Policy describes how GNTC handles Personal Data in connection with VibeHost for Authorized Users and for Clients evaluating or using VibeHost.

This Privacy Policy applies to Personal Data we process in connection with:

• the VibeHost web application, dashboard, and marketing website at vibehost.com;
• the VibeHost command-line tool, APIs, MCP server, and SDKs;
• the VibeHost browser extension; and
• Apps deployed and served through the Services, including content served at VibeHost-issued URLs and Custom Domains.

This Policy does not apply to:

• third-party coding tools, AI coding agents, code editors, build systems, or other software that a Client or Authorized User chooses to use to produce content uploaded to the Services (such tools are governed by their own privacy terms);
• third-party systems that an Authorized User visits by clicking links from content hosted on the Services; and
• GNTC’s other products unrelated to VibeHost.

Capitalized terms not defined below have the meanings given in the VibeHost Terms of Service (the “Client Terms”).

“Authorized User” means an individual who is granted access to a Workspace by a Client, including by accepting a Workspace invitation or by being granted access to a specific App via a per-App Grant, share link, or password gate.

“Client” means the organization or individual that has entered into the Client Terms with GNTC and within whose Workspace Authorized Users operate.

“Client Content” means any files, source code, configuration, metadata, prompts, and other materials uploaded to, generated by, or processed by the Services on behalf of a Client or its Authorized Users, including all Deployments and content served at App URLs and Custom Domains. Client Content includes any Personal Data of third parties contained in such content.

“Service Data” means information we generate, collect, or infer through the operation of the Services that is not Client Content. Examples: Client and Authorized User account-registration details, billing records, authentication metadata, usage and telemetry data, product analytics, security logs, support tickets, and cookie or device data.

“Personal Data” means information relating to an identified or identifiable natural person, as defined under applicable laws.

“Workspace” means a logically isolated tenant within VibeHost that holds a single Client’s configuration, Authorized User list, Apps, Deployments, and Client Content.

“Sub-processor” means a third party engaged by GNTC to process Client Content on GNTC’s behalf in furtherance of the Services (for example, cloud-infrastructure providers and product-analytics providers).

VibeHost handles two very different categories of information, and GNTC plays a different role for each. Understanding the distinction is the key to this Policy.

For Client Content, the Client is the “controller.” The Client decides what content is uploaded into the Workspace (or built by an AI tool and uploaded), what Visibility setting it carries, who has access via Grants or share links, and how long it is retained. GNTC processes Client Content under the Client’s instructions and under the confidentiality, security, and use-limitation obligations described in the Client Terms.

For Service Data, GNTC is the controller and decides purposes and means. We describe those purposes in Section 6 below.

Where a data subject wishes to exercise rights over Client Content about themselves (for example, to correct a record), the request must be made to the Client — not GNTC — because the Client is the controller. See Section 11 below.

5.1 Client Content

VibeHost processes whatever content a Client or Authorized User chooses to upload, deploy, or otherwise have served through the Services. Depending on the Client’s configuration, Client Content may include:

• Deployment archives uploaded via the CLI, API, MCP server, or browser extension (static HTML, JavaScript, CSS, assets, and built application bundles);
• source files, prompts, or context captured by the browser extension when an Authorized User triggers a deploy from a supported AI canvas or webpage;
• configuration metadata associated with an App, including Channel names, Visibility settings, and Custom Domain configuration; and
• viewer interactions logged when Client Content is served (limited request metadata as described in Section 5.2.4).

Client Content is determined entirely by the Client, and may include Personal Data of the Client’s employees, customers, partners, vendors, or other third parties. The Client is responsible for the legal basis for submitting such Personal Data into VibeHost and for providing data subjects with sufficient information regarding such submission, including the relevant provisions of this Policy.

5.2 Service Data

In the ordinary course of operating VibeHost, we collect the following categories of Service Data:

5.2.1 Account and Workspace Data. Client organization details (Workspace name, billing address, Plan and member count); Authorized User profile data (name, email address from sign-up or Google sign-in, Google user ID for federated identity, role and access scope); authentication artifacts (session tokens, login timestamps, IP addresses).

5.2.2 Billing Data. Payment-method details handled by our payment processor, Stripe, Inc. (see Section 7.1); we do not store full payment-card numbers on our systems. Billing contact name, email, VAT or tax-identification number (if supplied). Invoices, subscription history, and refund records.

5.2.3 Service Telemetry and Usage Data. Product events: feature invocations, deploy frequencies, CLI command patterns, MCP request patterns, dashboard navigation. Performance telemetry: request and response sizes, latency, error codes (the content of Deployments is Client Content, not Service Data). Device and environment data: IP address, browser type, operating system, locale, device identifier. Cookies and similar technologies (see Section 13).

5.2.4 Operational and Security Logs. Access logs for content served at App URLs and Custom Domains (IP, request path, status code, timestamp, user agent). Container and infrastructure logs for debugging. Authentication and authorization events. Administrative actions taken in the dashboard. Security alerts, anomaly-detection events, and incident-response records.

5.2.5 Support Communications. Support tickets, chat transcripts, and email correspondence between an Authorized User or a Client’s Administrator and GNTC. Screenshots or logs an Authorized User voluntarily shares in the course of a support interaction.

5.2.6 Browser Extension State. When you use the VibeHost browser extension, the extension stores local state in your browser (chrome.storage.local), including selected Workspace, conversation-to-app mappings, last deploy time, and last deploy URL. This local state is not transmitted to GNTC except as part of an explicit deploy action you initiate. Page or canvas content is read by the extension only after you click a VibeHost deploy action on a supported site or from the extension popup.

5.2.7 Marketing Data. Contact information collected through the GNTC or VibeHost website, events, or sales outreach (for example, to respond to an Enterprise inquiry or to send a product newsletter the Authorized User subscribed to). For clarity, we do not use Client Content for marketing.

6.1 Client Content

We process Client Content for the following purposes, based on the Client’s instructions and the agreement between the Client and us:

• to host, store, and serve Deployments to viewers the Client has authorized through Visibility settings, Grants, or share links;
• to maintain rollback capability and Channel promotion for the duration the Client has configured;
• to provide support when the Client’s Administrator requests it;
• to monitor, measure, and diagnose use of the Services, including through analytics and observability Sub-processors (see Section 7.1), for understanding usage patterns, identifying bugs and performance issues, and evaluating feature quality;
• to enforce the Client Terms and User Terms and detect unlawful or abusive use; and
• to comply with legal obligations (see Section 7.3).

We do not sell Client Content. We do not use Client Content for advertising or third-party marketing. We do not use Client Content to train, fine-tune, or evaluate any artificial-intelligence or machine-learning model, whether operated by GNTC or by any third party. We do not share Client Content with any third-party foundational AI model provider for that provider’s own model training or improvement. Where reasonably practicable, we use de-identified or aggregated derivatives for analytics and service-improvement purposes.

6.2 Service Data

We process Service Data for the following purposes:

• Performance of the contract with the Client: to authenticate Authorized Users, bill the Client, deliver support, and operate the Services.
• Legitimate interest of GNTC and its Clients: to maintain security, prevent fraud and abuse, measure product quality, debug issues, and improve the Services at a system level (without using Client Content for those purposes).
• Consent: for optional features such as marketing email; the Authorized User can withdraw consent at any time.
• Legal obligation: to comply with tax, accounting, and law-enforcement obligations applicable to GNTC.

Specifically, we use Service Data to: authenticate Authorized Users; bill the Client; reconcile usage; monitor service health, capacity, and performance; detect, investigate, and respond to security incidents, abuse, and violations of the Client Terms or User Terms; develop and improve VibeHost at a system level (for example, adjusting rate limits or fixing a bug) using aggregated or de-identified telemetry; communicate with Authorized Users about the Services, including service announcements, security notices, and administrative communications; and comply with legal obligations and, where necessary, to establish, exercise, or defend legal claims.

7.1 Sub-processors

GNTC engages Sub-processors to operate VibeHost. These Sub-processors process Client Content and, in some cases, Service Data, under the terms of their respective service agreements with GNTC, which include confidentiality, security, and use-limitation commitments. Where applicable law requires, GNTC seeks to execute a separate data-processing agreement with the Sub-processor.

Sub-processors GNTC engages fall into categories that include, for example:

• cloud infrastructure and edge content delivery (such as Cloudflare and Google Cloud Platform);
• user authentication (such as Google OAuth);
• payment processing (such as Stripe);
• transactional email delivery (such as Resend);
• error reporting and observability (such as Sentry); and
• product and web analytics (such as PostHog and Google Analytics). For these Sub-processors, GNTC sends only Service Data (telemetry and product events), not Client Content, and applies PII-minimization measures where reasonably practicable.

The Sub-processors GNTC engages may change from time to time as the Services evolve.

7.2 Legal and Regulatory Requirements

We may disclose Personal Data, including Client Content, where we have a good-faith belief that disclosure is necessary to:

1. (a) comply with a binding legal obligation, court order, or governmental request under applicable law;
2. (b) enforce the Client Terms or the User Terms, including to investigate potential violations;
3. (c) protect the rights, property, or safety of GNTC, our Clients, Authorized Users, or the public, including to prevent fraud, abuse, or imminent harm; or
4. (d) respond to claims of illegal activity or third-party-rights violations.

Where the legal process targets Client Content, and unless legally prohibited or in an emergency, we will notify the Client before disclosure so the Client has an opportunity to seek a protective order or take other action.

7.3 Corporate Transactions

If GNTC is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, Personal Data may be transferred as part of that transaction, subject to the receiving party being bound by commitments that are no less protective than this Policy.

7.4 With Consent or at Direction

We may share Personal Data for other purposes when the Authorized User gives us explicit consent, or when the Client directs us to do so in its configuration of the Services.

7.5 Aggregated and De-Identified Information

We may create and share aggregated or de-identified information that cannot reasonably be used to identify any individual, for any business purpose. Such information is not Personal Data.

GNTC operates VibeHost using cloud infrastructure and personnel in multiple jurisdictions. The Services’ control plane (compute, database, and authentication) runs primarily on Google Cloud Platform in the United States. Deployment artifacts are stored on Cloudflare R2 and served to viewers globally through Cloudflare Workers’ edge network. Personal Data may therefore be transferred to, stored in, or processed in countries other than the country in which it was collected, including the United States and other locations where our Sub-processors operate.

Any international transfer of Personal Data will comply with applicable data protection laws and any transfer restrictions issued by the relevant competent authority. Where such restrictions apply, GNTC implements reasonable safeguards, which may include written commitments from Sub-processors that substantially replicate the relevant statutory obligations, technical measures such as encryption in transit and at rest and access controls, and organizational measures such as access reviews and incident-response processes.

9.1 Client Content

Client Content is retained for as long as the Client’s Workspace is active, subject to the retention rules the Client configures. Specifically:

• Active Deployments and Apps: retained until the Client deletes them or terminates the Workspace.
• Deleted Deployments: retained in encrypted backups for as long as necessary to support rollback, then purged.
• Operational logs that relate to viewer interactions with served content (access logs): retained for as long as necessary for security, abuse detection, and operational diagnostics.
• Container logs and short-term debugging logs that may contain incidental references to Client Content: retained for as long as necessary for debugging and incident response.

Upon termination or expiration of the Client’s subscription, and following the thirty (30)-day export window described in the Client Terms, GNTC will delete Client Content from production systems in accordance with the Client Terms.

9.2 Service Data

We retain Service Data for as long as necessary for the purposes described in Section 6.2, consistent with the following general periods:

• Account and Workspace data: for the duration of the Client’s subscription, plus a reasonable wind-down period.
• Billing data: five (5) to seven (7) years, as required by applicable tax and accounting law.
• Security and audit logs: retained for as long as necessary for security investigation, fraud prevention, and compliance purposes, subject to legal-hold requirements.
• Service telemetry and usage data: retained in identifiable form for as long as necessary for operational, product, and performance purposes; after that period, retained data is aggregated or de-identified.
• Support communications: retained for as long as necessary to respond to follow-up inquiries and to meet operational and compliance needs.
• Browser-extension local state: remains in your browser until you clear it, uninstall the extension, or clear browser-extension storage. It is not held on GNTC servers.

We may retain information for longer where a legal obligation, legitimate dispute, litigation hold, or law-enforcement request requires us to do so.

We implement technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, including:

• encryption in transit (TLS 1.2 or higher) and encryption at rest for persistent storage; and
• a documented incident-response process, with notification to affected Clients without undue delay and in any event within seventy-two (72) hours of confirmation of a material security incident affecting their Client Content.

No security measures are perfect. Clients are responsible for (i) securing their account credentials, CLI tokens, API tokens, and OAuth grants; (ii) configuring Visibility, Grants, and share-link distribution appropriately; (iii) applying least-privilege principles when granting Authorized User access; and (iv) notifying GNTC at contact@vibehost.com of any suspected compromise of Client accounts.

Subject to applicable data protection laws, data subjects have a number of rights regarding their Personal Data. These rights may vary depending on the location and the legal basis for our processing of the Personal Data, but generally include the rights to query or access, make a copy of, supplement or correct, stop the collection/processing/use of, and delete the Personal Data that a controller holds about a data subject.

Where GNTC is the controller (Service Data), please contact us at contact@vibehost.com. We will acknowledge receipt within a reasonable period and respond within the statutory period, subject to verification of the requesting data subject’s identity. We may refuse or limit a request where an exception under applicable laws applies (for example, where complying would be impossible or disproportionate, or where retention is required by law).

Where the Client is the controller (Client Content), please direct your request to the Client. We will, on the Client’s reasonable request and instruction, assist the Client in responding to data-subject requests relating to Client Content within its Workspace.

An Authorized User may also withdraw consent to any processing that is based on consent at any time, without affecting the lawfulness of processing performed before withdrawal. Please note that a data subject’s request to cease the collection, processing, or use of Personal Data may affect the availability and functionality of VibeHost.

VibeHost is a developer tool and is not directed to individuals under eighteen (18) years of age (or such age at which they are unable to lawfully provide valid consent under applicable data-protection laws, where applicable). Clients shall not permit any individual under such age to access the Services as an Authorized User. If we learn that we have processed Personal Data of a minor in violation of this paragraph, we will delete that data and, where appropriate, notify the Client.

The VibeHost website and web application use cookies and similar technologies for the following purposes:

• Strictly necessary: to authenticate sessions, maintain Workspace state, and enforce security (e.g., CSRF tokens).
• Functional: to remember preferences such as language and display settings.
• Analytics: to measure feature usage and service performance at an aggregate level (via PostHog and, on the marketing website, Google Analytics).

We do not use cookies for advertising on the VibeHost application. You can control cookies through your browser settings. Note that blocking strictly-necessary cookies will prevent the Services from functioning.

The Services and content served through the Services may contain links to other sites or platforms owned by third parties. If an Authorized User or viewer clicks a third party’s link, they will be directed to the relevant site or platform. Such external sites and platforms are not operated by GNTC. We strongly recommend that users review the privacy notice of any third-party site before providing it with any Personal Data. GNTC has no control over, and is not responsible for, the content, privacy notices, or practices of any third-party site, platform, or service.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make a material change, we will revise the “Effective Date” at the top of the Policy and notify Clients through the VibeHost dashboard or by email to the Administrator contact on file. Non-material changes (for example, clarifications) take effect upon posting. Continued use of the Services after the effective date of a change constitutes acceptance of the revised Policy.

If you have questions about this Policy or our handling of your Personal Data, please contact us at contact@vibehost.com.

If you are an Authorized User, you may also contact the Client’s Administrator to exercise your rights over Client Content.

You also have the right to lodge a complaint with the competent data-protection authority in your jurisdiction.