Last updated: April 2026
VibeDeploy (“VibeDeploy”, “we”, “us”, “our”) is a web hosting and deployment platform operated from Belgium. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our platform at vibedeploy.be and all associated subdomains.
VibeDeploy acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR) (EU) 2016/679 for the personal data described in this policy. Our contact details are set out in Section 14.
This policy applies to all users of VibeDeploy, including visitors to our website, registered account holders, team members, and paying subscribers. We do not knowingly collect personal data from individuals under the age of 16 (see Section 12).
We collect personal data in several categories depending on how you interact with our platform:
When you register for a VibeDeploy account, we collect:
You may optionally provide additional profile information, which we use for billing, invoicing, and personalisation:
Payments are processed by Mollie N.V., a PCI DSS-certified payment service provider. VibeDeploy does not store your full payment card details. We only retain:
For details on how Mollie processes your payment data, please refer to Mollie's Privacy Policy.
When you use the platform, we collect operational data necessary to provide and improve the Service:
For security and fraud prevention, we collect certain technical data when you access our platform:
Files, code, and assets that you deploy through VibeDeploy (“User Content”) are stored on our infrastructure. This content may incidentally contain personal data (for example, if you deploy a site that contains user-facing forms or data). We process User Content solely as a data processor on your behalf for the purpose of hosting and serving it. You remain the data controller for any personal data within your User Content and are responsible for ensuring its lawful processing.
We use your personal data for the following purposes:
We process account data, profile data, and usage data to create and manage your account, process deployments, serve your websites, manage custom domains, and provide the features of your subscription plan.
We process account data and technical data to authenticate you (including MFA verification), detect and prevent unauthorised access, identify and respond to security incidents, and enforce rate limits.
We pass relevant billing information to Mollie to process payments, create and manage subscriptions, generate invoices, and handle payment failures or disputes.
We send emails to your registered address for service-related purposes, including:
These communications are necessary for the performance of your contract with us and cannot be opted out of while you hold an active account. You may adjust notification preferences for non-critical deploy notifications in your account settings.
We use account data, technical data, and usage patterns to detect abusive behaviour, enforce our Acceptable Use Policy, and protect our platform and other users from harm.
We retain invoices and related financial records to comply with Belgian tax law (7-year retention obligation). We may also process and disclose data in response to lawful requests from Belgian or EU public authorities.
Where you have given your consent, we may use anonymised and aggregated usage statistics to understand how the platform is used and to guide product development. We do not use identifiable personal data for this purpose without your explicit consent.
We do not sell, rent, or trade your personal data. We do not use your data for targeted advertising.
Every instance of personal data processing by VibeDeploy has a legal basis under the GDPR:
Processing your account data, profile data, usage data, and payment data is necessary for the performance of the contract between you and VibeDeploy (i.e., providing the Service you signed up for). This covers account creation, deployment, billing, and transactional communications.
We process technical data and security-related information on the basis of our legitimate interests in maintaining the security, integrity, and reliability of the platform, and in preventing fraud and abuse. We have balanced these interests against your rights and freedoms and concluded that our security interests are not overridden by your privacy interests, given the minimal privacy impact and the clear benefit to all users.
We retain invoices, billing records, and VAT-related documents for 7 years to comply with Belgian tax and accounting law (Belgian Code of Income Taxes and the VAT Code).
We rely on your freely given, specific, and informed consent for:
You may withdraw consent at any time by adjusting your preferences in your account settings or by contacting us at privacy@vibedeploy.be. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
We do not sell or rent your personal data to third parties. We share personal data only with the following categories of recipients, and only to the extent strictly necessary:
Mollie N.V. (Keizersgracht 126, 1015 CW Amsterdam, Netherlands) processes payment card data and manages subscription mandates. Mollie is an authorised payment institution under the supervision of De Nederlandsche Bank (DNB) and is PCI DSS Level 1 certified. We have a data processing agreement in place with Mollie.
Cloudflare, Inc. provides DDoS protection and traffic routing for our platform. Cloudflare may process IP addresses and request metadata as traffic passes through their network. Cloudflare's European data processing is subject to their Data Processing Addendum. We have configured Cloudflare to minimise data retention. Cloudflare does not use your data for advertising.
If you purchase a custom domain through VibeDeploy, the domain registration is fulfilled by Gandi SAS. Domain registration data (registrant name, email, address) is transmitted to Gandi and, where required by ICANN or relevant registry policy, may appear in the public WHOIS database unless you enable WHOIS privacy protection.
We use a transactional email provider to deliver system-generated emails (deploy notifications, security alerts, invoices). Your email address and the content of those emails are processed by this provider as a data processor under our instructions. We have a data processing agreement in place with our email provider.
We may disclose personal data to law enforcement agencies, courts, or regulatory authorities where required by Belgian or EU law, or where necessary to protect the rights, property, or safety of VibeDeploy, our users, or the public.
If VibeDeploy is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our platform before your data is transferred and becomes subject to a different privacy policy.
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our specific retention periods are:
| Data category | Retention period | Legal basis |
|---|---|---|
| Account data | Until account deletion + 30 days grace period | Contract |
| Profile data | Until account deletion + 30 days grace period | Contract |
| Deploy history | Configurable per team (default: 30 days after deploy) | Contract / Legitimate interest |
| Invoices and billing records | 7 years from invoice date | Legal obligation (Belgian tax law) |
| Security logs (IP, device) | 12 months | Legitimate interest |
| Audit logs | Configurable per team (default: 90 days) | Contract / Legitimate interest |
| Aggregated site analytics | 24 months (no personal data after IP hashing) | Legitimate interest / Consent |
| Content data (deployed files) | Until deleted by user or account termination + 7-day soft-delete window | Contract |
After the applicable retention period expires, data is securely and irreversibly deleted or anonymised.
VibeDeploy hosts all customer data exclusively within the European Union. Our primary infrastructure is located in Belgian data centres. We do not by default transfer personal data to countries outside the EU or the European Economic Area (EEA).
Where any third-party processor (see Section 5) involves processing outside the EU/EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision under GDPR Article 45.
You may request information about the specific safeguards in place for any international transfers by contacting privacy@vibedeploy.be.
As a data subject under the GDPR, you have the following rights with respect to your personal data:
You have the right to request a copy of the personal data we hold about you, together with information about how we process it (including categories, purposes, retention periods, and recipients).
You have the right to request correction of inaccurate or incomplete personal data. You can update most profile information directly in your account settings.
You have the right to request deletion of your personal data (“right to be forgotten”) where: (a) the data is no longer necessary for the purpose it was collected; (b) you have withdrawn consent and there is no other legal basis; (c) you have objected and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed. This right is subject to our legal obligations to retain certain records (e.g., invoices for 7 years).
Where processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller.
You have the right to request that we restrict processing of your personal data in certain circumstances, for example while the accuracy of data is being contested or while an objection is pending.
You have the right to object to processing based on our legitimate interests (Art. 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
You have the right to lodge a complaint with the Belgian Data Protection Authority (Autoriteit Persoonsgegevens / Gegevensbeschermingsautoriteit — APD/GBA):
We would, however, appreciate the opportunity to address your concerns before you approach the supervisory authority. Please contact us first at privacy@vibedeploy.be.
To exercise any of your GDPR rights, please submit a request to:
We may ask you to verify your identity before processing your request (for example, by confirming your email address). We will respond within one calendar month of receiving a valid request. In complex cases or where we receive multiple requests, we may extend this period by up to two further months, in which case we will inform you of the extension within the initial month.
There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive (for example, repetitive requests), in which case we may charge a reasonable administrative fee or refuse to act.
We implement technical and organisational measures appropriate to the risk to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security measures include:
While we take security seriously, no system is completely secure. You are responsible for maintaining the security of your account credentials and for promptly reporting any suspected security incidents to us.
We use cookies and similar technologies on our platform. For a full description of the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
In summary, we use essential cookies that are strictly necessary for the platform to function (authentication, language, UI mode), and optional analytics cookies that are only activated with your explicit consent via our cookie consent banner.
The VibeDeploy Service is not directed at children. In accordance with GDPR Article 8 and Belgian implementing legislation, we do not knowingly collect personal data from individuals under the age of 16 years. If you are under 16, you must not create an account or submit personal data to us.
If we become aware that we have collected personal data from a child under 16 without verifiable parental or guardian consent, we will take steps to delete that data promptly. If you believe we may have inadvertently collected data from a minor, please contact us at privacy@vibedeploy.be.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes (such as changes to the categories of data collected, new purposes, or new sharing arrangements), we will provide at least 30 days' notice by email to your registered address before the changes take effect.
Non-material changes (such as clarifications, corrections, or updated contact details) may be made without prior notice, with the updated date reflected at the top of this policy.
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated policy.
If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your personal data, please contact us:
We aim to respond to all privacy enquiries within 5 business days. For formal GDPR rights requests, we will respond within the statutory one-month period as described in Section 9.