Privacy Policy

Last updated: August 15, 2025

Overview

VibeMoney provides a payment-testing platform that helps teams validate payment flows and measure conversion. This Privacy Policy explains how we collect, use, disclose, and protect information.

Scope and Roles

This Policy applies to our websites, dashboards, APIs, and related services ("Services"). Roles:

Controller for account, billing, support, marketing, and platform analytics data.

Processor for end-customer data that business customers send via the testing checkout, webhooks, or APIs; in this context we process data on your instructions and our Data Processing Addendum (DPA) applies.

Information We Collect

Account and Workspace

Email, name, company name, password, workspace settings and branding, authentication logs, roles/permissions.

Payment Testing Data (Processor context)

Test transaction details (amount, currency, timestamps, outcome codes, 3DS/SCA, decline reasons), test metadata and identifiers (tokens), conversion/funnel analytics events (page views, step timings, field focus/blur as configured by you). We do not store full primary account numbers (PAN) or CVV; card data is handled by PCI DSS–compliant processors and tokenized.

Technical and Usage

IP address, user agent, device/OS, language, referrer, app/API usage logs, error logs, performance metrics.

Communications

Support requests, feedback, and preference settings.

Cookies and Similar Technologies

Used for authentication, security, preferences, and analytics. See our Cookie Notice.

Aggregated/De-identified Data

We may create statistics that no longer identify an individual and use or share them to improve and demonstrate the Services.

How We Use Information

  • Provide, secure, and maintain the Services (including executing test charges and sending webhooks).
  • Troubleshoot, support, and communicate service updates.
  • Measure and improve performance, user experience, and conversion.
  • Detect, prevent, and investigate fraud, abuse, or security incidents.
  • Comply with law and enforce agreements.
  • With consent: send product updates and marketing communications (where permitted; you can opt out at any time).

EEA/UK legal bases where applicable: contract performance; legitimate interests (security, product improvement); legal obligation; consent (for marketing/cookies where required).

Sharing and Disclosures

We do not sell personal information. We disclose information only to:

  • Service providers/sub-processors (cloud hosting, payments, email, analytics, support) under appropriate data-protection terms.
  • Your direction or consent, including integrations you enable.
  • Legal/safety and corporate transactions, as required by law or in connection with a merger, acquisition, or asset sale.

California (CPRA): we do not "sell" or "share" personal information as defined by CPRA, nor use sensitive personal information to infer characteristics.

International Transfers

We may process data outside your country. Where required, we use appropriate safeguards for international transfers (e.g., EU Standard Contractual Clauses).

Security

We implement technical and organizational measures, including encryption in transit, access controls, network isolation, logging/monitoring, and employee training. Card data is handled by PCI DSS–compliant processors and tokenized. No method of transmission or storage is fully secure; we continuously improve our controls.

Retention

We retain information only as long as necessary for the purposes above, to comply with legal obligations, resolve disputes, and enforce agreements.

Typical periods: account/workspace records for the life of the account and a limited period after closure; logs/analytics for limited periods for security and diagnostics; testing records in our Processor role as directed by our customer or for the contract term. You may request deletion as described below.

Your Rights

Depending on your location, you may have rights to access, correct, delete, object to or restrict processing, and request data portability. Where processing is based on consent, you may withdraw consent at any time.

EEA/UK: you may lodge a complaint with your supervisory authority.

California: you may exercise rights to know, delete, and correct, and to limit use of sensitive personal information (if collected).

To exercise rights, use our Contact page. We will verify your request and respond within applicable timelines.

Children's Privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from them.

Sub-processors

We use third-party service providers to operate the Services. Our current list is available here: [INSERT_SUBPROCESSORS_URL]. We provide notice of material changes where required.

Links and Integrations

The Services may link to or integrate with third-party services. Their privacy practices are governed by their policies.

Changes to This Policy

We may update this Policy. Updates will be posted here with an updated "Last updated" date; material changes may include additional notice.

Contact

Questions about this Policy or our data practices: please use our Contact page.

References

  • Data Processing Addendum (DPA): [INSERT_DPA_URL]
  • Cookie Notice: [INSERT_COOKIE_NOTICE_URL]
  • Security Overview: [INSERT_SECURITY_URL]