Privacy Policy

Version 1.1 · Last updated 21 May 2026

1. Who we are

This privacy policy is issued by Vibe3D ("Vibe3D", "we", "us", "our"), the operator of the Vibe3D platform — a commerce-operations application that helps merchants manage stock, listings, orders, and production across multiple sales channels.

Vibe3D acts as the data controller for the personal data that operators (the merchants who use our service) and their staff provide to us directly. When we process personal data on behalf of an operator — for example, their customers' order details synced from a connected channel — we act as a data processor under that operator's instructions.

Contact: hello@vibe3d.co.uk

2. The personal data we collect

We collect and process the following categories of personal data:

  • Account data — the name, email address, and password (stored as a salted hash, never plaintext) you supply when you register a Vibe3D account.
  • Workspace data — the workspace name, plan tier, and configuration choices you set up after signing in.
  • Team member data — when you invite colleagues, we store their name, email, role, and assignment history within your workspace.
  • Connected channel credentials — OAuth access tokens, refresh tokens, and shop identifiers for the third-party platforms you connect (Shopify, Etsy, TikTok Shop, Meta, etc.). These are encrypted at rest.
  • Channel-derived data — products, listings, orders, inventory, and customer details fetched from a channel under your instructions. This data is processed on your behalf and remains your responsibility under your own privacy notice to your end customers.
  • Operational data — print runs, production records, compliance dossiers, batch and recall data, and similar workflow information.
  • Technical data — IP address, user-agent, session identifier, and standard server-log information. Used for security monitoring and to operate the service.
  • Support and communication data — the content of any support emails, in-app messages, or feedback you send to us.

We do not knowingly collect special-category personal data (race, ethnicity, religion, health, biometrics, etc.). Please do not submit such data to the service.

3. Lawful bases for processing

We process personal data on the following lawful bases under UK GDPR:

  • Performance of a contract — to provide you with the service you have signed up for.
  • Legitimate interests — to secure the service, prevent fraud, monitor performance, and improve the product. We have considered your interests and fundamental rights and concluded they are not overridden.
  • Legal obligation — to comply with applicable law, including responding to lawful requests from public authorities.
  • Consent — for any non-essential communications you opt into. You can withdraw consent at any time.

4. How we use personal data

  • To create and operate your Vibe3D account and workspace.
  • To sync products, orders, inventory, and other commerce data between your connected channels under your instructions.
  • To send transactional emails and service notifications.
  • To provide customer support when you contact us.
  • To monitor for security threats, prevent abuse, and investigate incidents.
  • To improve the service — diagnose issues, measure feature usage in aggregate, and prioritise development.
  • To comply with our legal and regulatory obligations.

5. Who we share data with

We share personal data with the following categories of recipients, each of whom is contractually obliged to keep it confidential and use it only as needed to provide their service to us:

  • Cloud infrastructure — Fly.io (application hosting), Neon (managed Postgres database), Cloudflare R2 (object storage), Cloudflare (edge / CDN).
  • Source code and build — GitHub.
  • Email delivery — Resend, for transactional and notification email.
  • Channel APIs — Shopify, Etsy, TikTok Shop, Meta, and other channels you choose to connect. Data flows in both directions under your instructions.
  • AI providers — OpenAI and Anthropic, for the AI-assisted features in the product. Inputs may be sent to these providers; we use enterprise contracts that restrict their use of submitted data to the immediate request.
  • Payment processor — Stripe, for billing. Card data is collected by Stripe directly; Vibe3D does not store full card numbers.

We do not sell personal data and do not share it with advertising networks.

6. International transfers

Some of our sub-processors operate in countries outside the UK or European Economic Area, including the United States. Where personal data is transferred outside the UK / EEA, we rely on UK International Data Transfer Agreements, the EU Standard Contractual Clauses, or an adequacy decision recognised by the ICO.

7. Retention

We keep personal data only as long as we need to provide the service:

  • Account data: while your account is active, and for up to 12 months after closure to allow reactivation and to comply with legal obligations.
  • Channel-derived data (orders, customer details): under your control. You can delete it at any time. If you close your account, we delete it within 30 days unless we are required by law to retain it.
  • Billing records: 7 years, as required by UK tax law.
  • Server logs and security event data: 90 days.
  • Support emails: 24 months after last contact.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate personal data corrected.
  • Have your personal data deleted (the "right to be forgotten").
  • Restrict the processing of your personal data.
  • Object to processing carried out on the basis of legitimate interests.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent where processing is based on consent.
  • Complain to the Information Commissioner's Office (ICO) at ico.org.uk if you are unhappy with how we have handled your data.

To exercise any of these rights, email hello@vibe3d.co.uk. We will respond within 30 days.

9. Security

We protect personal data with technical and organisational measures including TLS 1.2+ in transit, encryption at rest on our managed database and object storage, multi-factor authentication on administrative accounts, signed-webhook verification for inbound channel events, and a documented incident-response process. Full detail is available in our Information Security Policy on request.

10. Cookies

The Vibe3D web application uses a small number of strictly necessary cookies to keep you signed in and to maintain workspace context. We do not use advertising or tracking cookies. If we add analytics in future, we will update this policy and request consent where required.

11. Children

Vibe3D is a business tool and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact hello@vibe3d.co.uk and we will delete it.

12. Changes to this policy

We review this policy annually and update it whenever there is a material change to how we process personal data. When we make material changes we will email registered users and update the "Last updated" date at the top of this page.

13. Contact

For any privacy question, request, or complaint, email hello@vibe3d.co.uk.