Scope
This page explains how Vibe.WithGov.io handles the confidentiality of your data, including prototype content, user information, and any data processed during the use of our service. For the formal data-protection assessment (lawful basis, risks, retention, sub-processors), see our DPIA.
Vibe.WithGov.io is designed for rapid prototyping and user research. The security posture described here is appropriate for prototyping workloads; prototypes themselves are clickable mock-ups and should never be used to process real personal data of citizens.
Your data ownership
You retain full ownership of all content you create using Vibe.WithGov.io, including prototypes, design specifications, and any exported code. We do not claim any intellectual property rights over your content.
Data protection measures
We implement the following measures to protect your data:
- All data is encrypted in transit using TLS 1.2+
- Data at rest is encrypted using AES-256
- Database access is controlled using Supabase Row Level Security (RLS), ensuring users can only access their own projects
- Authentication is handled by Supabase Auth with secure sessions
- API endpoints are protected with rate limiting and input validation
AI processing
When you use Vibe.WithGov.io's AI features, your prompts and prototype content are sent to AI model providers for processing. Important points:
- AI providers do not use your data to train their models (we use API access with data processing agreements)
- Prompts and responses are not stored by AI providers beyond the duration needed to process the request
- We do not include any personal data in AI requests beyond the prototype content you provide
Data isolation
Each user's data is logically isolated from other users. Supabase Row Level Security ensures that database queries are scoped to the authenticated user. There is no shared access to prototype data between accounts unless you explicitly share a deployed prototype via its URL.
Prototype submissions are not stored
Vibe.WithGov.io builds clickable prototypes, not live services. Anything a researcher, stakeholder or participant enters into a running prototype — form fields, file uploads, answers to test journeys — lives inside the disposable sandbox session that hosts that prototype and is wiped when the sandbox hibernates. Vibe.WithGov.io does not persist prototype submissions to its database and does not forward them to any third party.
Treat running prototypes as ephemeral. Use synthetic data in user-research sessions. If your testing requires real personal data, do not put it into a Vibe.WithGov.io prototype.
Third-party access
The following third-party services have access to data as part of operating the service:
- Supabase — database hosting, authentication, and storage. Data is hosted in the UK (London) by default. Some customer projects may run in an EU region if their procurement requirements specifically call for it; that is a per-deal choice, not the default.
- AI providers (Anthropic, Google) — process prompts and generate prototype code. No data retention beyond request processing; no use of customer data for model training
- E2B Sandbox — isolated cloud sandbox environments for prototype deployment. Sandboxes auto-hibernate when idle and are wiped on hibernation
Data retention
We retain your data for as long as your account is active. If you delete your account:
- All prototype data and project files are permanently deleted within 30 days
- Authentication data is removed immediately
- Aggregated, anonymised usage statistics may be retained
Reporting concerns
If you believe there has been a breach of confidentiality or have concerns about data handling, please contact us immediately at hello@vibe.withgov.io. We will investigate all reports promptly and take appropriate action.