Privacy Policy
Last updated: March 17, 2026
1. Information We Collect
We collect information you provide directly: name, email, profile picture, and onboarding answers. When you sign in with a third-party provider (Google or GitHub), we receive your name, email address, and profile picture from that provider (see Section 2 below for details). Payment information is processed by Polar and is never stored on our servers. We also collect usage data: lesson progress, course activity, and analytics events (with your consent).
2. Google User Data
When you choose to sign in with Google, we access the following data from your Google account through Google OAuth:
Data Accessed
- Email address — used to create and identify your account.
- Display name — used as your default profile name.
- Profile picture — used as your default avatar on the platform.
We request only the minimum scopes necessary for authentication (email and basic profile information). We do not request access to your Google Drive, Gmail, Calendar, Contacts, or any other Google services.
How We Use Google Data
Google user data is used solely to authenticate your identity and populate your account profile. Specifically: your email address identifies your account and is used for transactional communications (e.g. password resets, certificate delivery); your display name and profile picture are shown on your profile page and can be changed at any time in Settings.
Data Sharing
We do not sell, rent, or trade your Google user data to any third party. Google data is shared only with the infrastructure services required to operate the platform: Supabase (authentication and database) and Vercel (hosting). These services process data under Data Processing Agreements and solely to provide the platform to you. We do not share Google user data with advertisers, data brokers, or any other third parties.
Data Storage and Protection
Google user data is stored securely in our Supabase database (hosted on AWS eu-west-1) with encryption at rest (AES-256) and in transit (TLS 1.2+). Access to user data is protected by Row-Level Security policies that ensure users can only access their own data. Authentication tokens are managed by Supabase Auth using secure, HttpOnly cookies.
Data Retention and Deletion
Google user data is retained for as long as your account is active. You can delete your account at any time via Settings → Delete Account, which permanently removes all personal data (including data received from Google) from our primary database. Residual copies in encrypted backups are automatically purged within 30 days. You can also request deletion by emailing hello@modernvibecoding.com.
Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
3. How We Use Your Information
We use your data to provide the learning platform, track your progress, process payments, send account-related communications (transactional email only), and improve the platform. We do not sell your personal data.
Lawful basis (GDPR): Contract performance (delivering the service you subscribed to) for account and progress data; Legitimate interest for security and fraud prevention; Consent for analytics tracking.
4. Data Retention
We retain your data for as long as your account is active. When you delete your account, personal data is erased immediately from our primary database. Residual copies in encrypted backups may persist for up to 30 days before automatic expiry.
| Data Category | Retention | Deleted on Account Deletion |
|---|---|---|
| Account & profile | Until account deleted | Yes |
| Lesson progress & notes | Until account deleted | Yes |
| Certificates | Until account deleted | Yes |
| Payment records | 7 years (tax obligation) | No — held by Polar |
| Analytics (PostHog) | Until account deleted | Yes — person record deleted via API |
| Transactional emails (Resend) | 90 days | Not applicable |
| Server logs | 30 days | Not applicable |
5. Data Storage & Security
Your data is stored securely using Supabase (hosted on AWS eu-west-1). We use industry-standard encryption for data in transit (TLS 1.2+) and at rest (AES-256). Authentication is handled via Supabase Auth with secure token management and Row-Level Security enforced on sensitive tables (subscriptions, certificates, user progress).
6. Third-Party Services
We use the following third-party services:
- Supabase — database & authentication (AWS eu-west-1)
- Polar — subscription payments (your card data goes directly to Polar)
- Vercel — hosting (AWS / Edge Network)
- PostHog — analytics (EU region, eu.posthog.com) — consent required
- Resend — transactional email
- Cloudflare — CDN and DDoS protection
- OpenAI — text-to-speech for Voice Mode (lesson text only, no personal data sent)
- Sentry — error tracking and performance monitoring (EU region)
- Upstash — rate limiting via Redis (no personal data stored)
Each service operates under its own privacy policy and, where applicable, a Data Processing Agreement with us.
7. Cookies, Local Storage & Tracking
We classify all browser-side storage into two categories under the ePrivacy Directive (Art. 5(3)):
Strictly Necessary (no consent required)
These are required to deliver functionality you explicitly requested and cannot be disabled without breaking the service:
| Identifier | Type | Purpose |
|---|---|---|
| sb-*-auth-token | Cookie (HttpOnly) | Authentication session (Supabase) |
| theme | localStorage | Dark / light mode preference |
| currentPath | localStorage | Selected learning path (Vibe / Agentic) |
| lessonMode | localStorage | Step mode vs Read mode preference |
| lessonTextSize | localStorage | Font size preference |
| lastVisitedCourseId | localStorage | Resume indicator on home page |
| lastAuthMethod | localStorage | Last-used sign-in method badge |
| guestStepCount | localStorage | Guest step counter for signup prompt |
| library-saved | localStorage | Locally saved library items |
| guestBannerDismissed | sessionStorage | Suppress signup banner for session |
None of these identifiers contain personally identifiable information. localStorage and sessionStorage data never leaves your browser and is not transmitted to our servers.
Optional Analytics (consent required)
We use PostHog (EU-hosted, eu.posthog.com) for anonymous usage analytics. PostHog is disabled by default and only activates after you click “Accept” on the analytics consent banner. When active, PostHog may store identifiers in cookies and localStorage to measure page views, feature usage, and drop-off rates. We identify users by an anonymous UUID only — no email, name, or other personal data is sent to PostHog. You can withdraw consent at any time via Settings → Privacy & Cookies → Withdraw Consent, or by contacting us.
8. Your GDPR Rights
If you are based in the EU/EEA or UK, you have the following rights under the GDPR:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data (via account settings).
- Erasure — delete your account and all associated data (via Settings → Delete Account, or by email).
- Portability — receive your data in a structured, machine-readable format.
- Restriction — restrict processing of your data while a dispute is resolved.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — opt out of analytics at any time via Settings → Privacy & Cookies, or by contacting us.
To exercise any of these rights, email hello@modernvibecoding.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9. Contact & Data Controller
Modern Vibe Coding is the data controller for all personal data processed through this platform. For privacy-related questions, data requests, or complaints, contact us at hello@modernvibecoding.com.