1. Data Controller
The data controller for personal data processing is VibeCanyon, a marketplace platform for digital products created with the aid of artificial intelligence, with operational headquarters in Italy.
For any privacy-related inquiries: privacy@vibecanyon.com
2. Data Collected
We collect the following categories of personal data:
2.1 Registration Data
- First and last name
- Email address
- Profile picture (optional)
- Authentication data (managed through OAuth providers)
2.2 Purchase and Sales Data
- Order and transaction history
- Payment data (processed by Stripe — we do not store credit card numbers)
- Sellers' tax data (where required)
- Billing addresses
2.3 Usage and Analytics Data
- IP address and approximate geolocation data
- Browser type and operating system
- Pages visited, time spent, actions performed
- Performance and diagnostic data
3. Legal Basis for Processing (Art. 6 GDPR)
Personal data is processed on the following legal bases:
- Contractual performance (Art. 6.1.b) — for account management, purchase processing, and delivery of Platform services.
- Consent (Art. 6.1.a) — for sending marketing communications and newsletters, and for the use of non-essential cookies.
- Legal obligation (Art. 6.1.c) — for tax, accounting, and regulatory compliance.
- Legitimate interest (Art. 6.1.f) — for fraud prevention, Platform security, and service improvement through aggregate analytics.
4. Purposes of Processing
- User account creation and management
- Processing and managing transactions (purchases and sales)
- Service-related communications (order confirmations, product updates, security notifications)
- Customer support and dispute resolution
- Platform improvement and user experience personalization
- Compliance with legal and tax obligations
- Fraud prevention and cybersecurity
5. Third-Party Services
To deliver our services, we rely on the following third-party providers, who act as Data Processors:
| Service | Provider | Purpose |
|---|---|---|
| Payments | Stripe | Payment processing and seller payout management |
| File storage | Cloudflare R2 | Storage of digital product files |
| Transactional email | Resend | Sending confirmation emails, notifications, and service communications |
| Authentication | GitHub (OAuth) | Login via GitHub account and developer identity verification |
| Database | Neon (PostgreSQL) | Structured data storage for the Platform |
Each provider is bound by a Data Processing Agreement (DPA) compliant with the GDPR.
6. Data Retention
- Account data: retained for the duration of the account and for 30 days following deletion (to allow recovery in case of accidental deletion).
- Transaction data: retained for 10 years as required by Italian tax regulations.
- Security logs: retained for 12 months.
- Analytics data: aggregated and anonymized after 26 months.
7. User Rights (GDPR)
As a data subject, you have the right to:
- Access (Art. 15) — obtain confirmation of whether your personal data is being processed and access it.
- Rectification (Art. 16) — obtain the correction of inaccurate data or the completion of incomplete data.
- Erasure ("right to be forgotten") (Art. 17) — request the deletion of your personal data, within the limits provided by law.
- Restriction of processing (Art. 18) — obtain the restriction of processing in certain cases.
- Data portability (Art. 20) — receive your data in a structured, commonly used, and machine-readable format.
- Objection (Art. 21) — object to the processing of your data on legitimate grounds.
- Withdrawal of consent — withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise your rights, contact: privacy@vibecanyon.com. We will respond within 30 days of receiving the request.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, garanteprivacy.it).
8. Cookies
The Platform uses the following categories of cookies:
- Technical cookies (essential) — necessary for the Platform to function (session, authentication, preferences). No consent required.
- Analytical cookies — used to analyze Platform usage in aggregate and anonymous form. Consent required.
We do not use third-party advertising profiling cookies. You can manage your cookie preferences through the dedicated banner or your browser settings.
9. Data Transfers Outside the EU
Some of our service providers (Stripe, Cloudflare, Resend) may process data outside the European Economic Area (EEA). In such cases, transfers are carried out on the basis of:
- Adequacy decisions by the European Commission (e.g., the EU-US Data Privacy Framework).
- Standard contractual clauses (SCCs) approved by the European Commission.
- Supplementary safeguards where necessary, including encryption of data in transit and at rest.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, destruction, or alteration, including:
- TLS/HTTPS encryption for all communications
- Encryption at rest for sensitive data
- Data access based on the principle of least privilege
- Access monitoring and logging
- Regular backups and disaster recovery procedures
11. Changes to This Policy
This Privacy Policy may be updated periodically. In the event of material changes, we will notify you via email or Platform notification. The date of the last update is always indicated at the top of this page.
12. Contact
For any questions or requests regarding this Privacy Policy or the processing of personal data:
- Email: privacy@vibecanyon.com
- Terms of Service: vibecanyon.com/terms