Privacy Policy

Last updated: May 14, 2026

This policy applies to https://vibekit.doodle2dollars.com and all services operated under the VibeKit brand by Doodle2Dollars.

1. Who We Are

VibeKit is an AI-powered project scaffold generator operated by Doodle2Dollars. References to “we”, “us”, or “our” in this policy refer to Doodle2Dollars. We act as the data controller for personal data collected through this service.

For any privacy-related queries, requests, or complaints, contact us at support@doodle2dollars.com.

2. Data We Collect

We collect the following categories of personal data:

Identity Data: Name, username, or display name provided during registration or profile update.
Contact Data: Email address used for account creation, authentication, and communications.
Authentication Data: Hashed passwords (never stored in plain text). For Google OAuth users: OAuth access token, Google account ID, and profile email returned by Google's identity service.
Technical Data: IP address, browser type and version, operating system, device type, time zone, referring URL, and session identifiers.
Usage Data: Pages visited, features used, generation requests made, files viewed, chat interactions, and timestamps of activity.
Generated Content: Project descriptions (ideas) you submit for scaffold generation, and the resulting generated files stored against your account.
Cookie Data: See Section 5 for a full breakdown of cookies set by this service.

We do not collect payment information. We do not collect sensitive personal data such as racial or ethnic origin, health data, or financial data.

3. How and Why We Use Your Data

We process personal data only where a valid lawful basis exists under applicable data protection law. The table below sets out each processing activity, its purpose, and its lawful basis.

Processing Activity | Purpose | Lawful Basis
Account creation and authentication | To create and manage your user account and verify your identity on login. | Performance of a contract (providing the service you signed up for).
Service delivery | To process your scaffold generation requests and return results. | Performance of a contract.
Session management | To maintain your logged-in state across page loads. | Performance of a contract.
Rate limiting | To enforce fair-use limits (5 scaffold generations per day for free accounts). | Legitimate interest in preventing abuse and maintaining service availability.
Service improvement | To analyse usage patterns and improve the product. | Legitimate interest.
Analytics | Google Analytics is used to measure aggregate traffic and usage. Only activated after you provide explicit cookie consent. | Consent.
Security and fraud prevention | To detect, investigate, and prevent unauthorised access or abuse. | Legitimate interest and legal obligation.
Legal compliance | To comply with applicable laws and respond to lawful requests from authorities. | Legal obligation.

4. Third-Party Services and Data Processors

We use the following third-party services that may process your data on our behalf. All processors are contractually required to handle data only according to our instructions and to maintain appropriate security measures.

Service | Purpose and Data Involved | Privacy Policy
Neon (neon.tech) | Serverless PostgreSQL database. Stores user accounts, project metadata, generated files, and chat history. | neon.tech/privacy
Vercel | Hosting and edge infrastructure. Processes request data including IP addresses and request headers for routing and performance. | vercel.com/legal/privacy-policy
OpenRouter / DeepSeek | AI model API used to process your project description and generate scaffold output. Your idea input and any context provided is transmitted to this service. | openrouter.ai/privacy
Google OAuth | If you sign in with Google, your Google account ID, email address, and display name are received from Google's identity service and stored in our database. | policies.google.com/privacy
Google Analytics | Optional analytics service activated only with your explicit consent. Collects anonymised usage data including pages visited and session duration. | policies.google.com/privacy

Important note regarding AI generation: When you submit a project idea for scaffold generation, that text is transmitted to our AI model provider (OpenRouter / DeepSeek) to produce the output. Do not include personally identifiable information, confidential business data, trade secrets, or any sensitive information in your generation prompts. We do not control how third-party model providers handle inputs beyond our contractual agreements with them.

5. Cookies

We use the following cookies. You can manage your cookie preferences via the consent banner shown on your first visit.

Cookie | Purpose | Duration | Basis
Session token | HTTP-only cookie. Maintains your authenticated session after login. Required for the service to function. | Session (expires on logout or browser close) | Strictly necessary — no consent required.
Device ID | Identifies guest (unauthenticated) users for rate limiting purposes. Does not contain personal data. | 30 days | Strictly necessary — no consent required.
Theme preference | Stores your light/dark mode preference in localStorage. Not a cookie; local to your browser only. | Persistent (localStorage) | Strictly necessary — no consent required.
Cookie consent | Records whether you have accepted or declined optional analytics cookies. | 1 year | Strictly necessary — no consent required.
_ga, _ga_* | Google Analytics cookies. Collect anonymised usage data for traffic analysis. | Up to 2 years | Analytics — requires your explicit consent.

You may withdraw analytics cookie consent at any time by clearing your browser cookies and declining on your next visit. Withdrawing consent does not affect the legality of processing that occurred before withdrawal.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, subject to the following specific periods:

Data Category | Retention Period
Account data (name, email, hashed password) | Retained for the lifetime of your account. Deleted within 30 days of account deletion request.
Generated project files and chat history | Retained for the lifetime of your account. Deleted when you delete individual projects or your account.
Server access logs (IP, request metadata) | Retained for up to 90 days for security and debugging purposes.
Analytics data (Google Analytics) | Governed by Google's data retention settings. We configure a 14-month retention window.

We may retain anonymised, aggregated data that cannot identify you for longer periods for the purpose of product analytics and improvement.

7. Data Security

We implement the following technical and organisational measures to protect your personal data:

  • Passwords are hashed using bcrypt with a salt factor of 12 before storage. Plain-text passwords are never stored or logged.
  • Authentication sessions are managed via HTTP-only, Secure, SameSite cookies, preventing access from JavaScript and protecting against cross-site request forgery.
  • All data in transit is encrypted via TLS. All data at rest in Neon is encrypted using AES-256.
  • Database access is restricted to application-level service accounts. No direct public database access is permitted.
  • OAuth tokens are stored only in server-side session state and are never exposed to the client.

No method of transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.

8. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

Right | Description
Access | Request a copy of the personal data we hold about you.
Rectification | Request correction of inaccurate or incomplete personal data. You can update your name and password directly in your account settings.
Erasure | Request deletion of your personal data. You can delete your account directly from your profile settings, which will trigger deletion of all associated data within 30 days.
Restriction | Request that we restrict processing of your personal data in certain circumstances.
Portability | Request a machine-readable copy of the personal data you provided to us.
Objection | Object to processing of your personal data where we rely on legitimate interest as the lawful basis.
Withdraw consent | Withdraw any previously given consent (e.g. analytics cookies) at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at support@doodle2dollars.com. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Children

VibeKit is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal data, contact us at support@doodle2dollars.com and we will delete it promptly.

Users in jurisdictions where the age of digital consent is higher (for example, 16 in some EU member states) must meet the applicable age requirement for their country.

10. AI-Generated Content — Disclaimer

VibeKit uses large language models to generate project scaffolds, documentation, and code. All generated output is provided “as is” without warranty of any kind. We make no representations regarding the accuracy, completeness, security, fitness for purpose, or legality of any AI-generated content.

You are solely responsible for reviewing, validating, and testing all generated output before use in any production environment. Doodle2Dollars accepts no liability for any loss, damage, or harm arising from your use of AI-generated content produced by this service.

Generated content may inadvertently resemble existing code, documentation, or intellectual property. You are responsible for ensuring that your use of any generated output does not infringe third-party rights.

11. Limitation of Liability

To the maximum extent permitted by applicable law, Doodle2Dollars shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of data, loss of profits, loss of business, or any other commercial loss, arising from or in connection with your use of VibeKit or any content generated by the service.

Our total aggregate liability to you for any claim arising out of or relating to this service shall not exceed the total fees paid by you to us in the twelve months preceding the claim, or £100, whichever is greater. Where you have not paid any fees, our liability is limited to £100.

12. International Data Transfers

Our infrastructure and third-party processors may be located in countries outside your jurisdiction, including the United States and European Union. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or the equivalent mechanism applicable to the receiving country.

13. Governing Law

This Privacy Policy and any disputes arising from it are governed by the laws of the jurisdiction in which Doodle2Dollars is registered, without regard to conflict of law principles. If you are located in the European Union, you also have the right to lodge a complaint with your local supervisory authority.

14. Changes to This Policy

We review this Privacy Policy periodically and will update it when our practices change. When we make material changes, we will update the “Last updated” date at the top of this page. Continued use of VibeKit after changes are posted constitutes your acceptance of the updated policy.

For significant changes affecting how we use your personal data, we will provide a more prominent notice, which may include an email notification to registered users.

15. Contact

For any questions, requests, or concerns about this Privacy Policy or our data practices, contact us at:

Doodle2Dollars
Product: VibeKit
Email: support@doodle2dollars.com
Website: https://vibekit.doodle2dollars.com