Privacy Policy
Last updated: May 5, 2026
On May 5, 2026 we expanded our website analytics to include opt-in anonymized session recording for product improvement. See Section 8: Session recording for details. Existing analytics consents have been reset; you will be prompted to choose again.
1. Who we are
This Privacy Policy describes how Vipr Development, LLC, a Colorado limited liability company located at 1500 N Grant Street, Ste R, Denver, CO 80203 (“Vipr,” “we,” “us”), collects and uses personal information when you use vipr.dev, the Vipr CLI, the Vipr VSCode extension, the Vipr Desktop application, the Vipr MCP server, or any related services (the “Services”).
For privacy questions, data-subject requests, or to contact our privacy team: support@vipr.dev.
2. Source code stays on your machine
Vipr is a local-first developer tool. The CLI, VSCode extension, and Desktop application analyze your source code entirely on your device. We do not transmit, upload, or store the contents of your source files, analysis results, file paths, repository names, branch names, commit messages, or issues found in your code. Your code is not training data for any model operated by us.
3. What we collect
We collect only the categories of personal information needed to operate the Services:
- Account and license data. Email address, license key identifier, entitlement metadata, device activation records, and order history. The license key itself is issued and held by our billing processor (Polar.sh); we store a hashed reference and entitlement state.
- Waitlist and newsletter sign-ups. Email address and the product surfaces you indicated interest in.
- Support tickets. Name, email, the contents of your message, any attachments you choose to send, and basic environment metadata (OS, product version) you provide.
- Anonymous product telemetry (opt-in). Aggregated, non-source usage events such as which features are used, anonymized error reports, and performance metrics. Telemetry never includes source code, file contents, file paths, repository names, or analysis findings.
- Website analytics and session recording. With your consent, page views, navigation, CTA clicks, install-command copies, download events, and anonymized session recordings of your interactions with vipr.dev, processed by PostHog (see Section 7). Session recordings are described in Section 8. We do not transmit your email address, license key, checkout token, or raw documentation search text to analytics, and form inputs and license details are masked client-side before any session data leaves your browser.
- Server logs. Standard request logs (IP address, user-agent, timestamp, requested path) retained for security, abuse prevention, and debugging.
We do not knowingly collect Sensitive Personal Information (as defined under the California Privacy Rights Act). We do not sell or share personal information for cross-context behavioral advertising.
4. Why we collect it (lawful basis)
For users in the European Economic Area, the United Kingdom, and Switzerland, our lawful bases under Articles 6(1)(b), (c), and (f) of the GDPR are:
- Performance of a contract — to deliver the Services you have purchased, manage your license, and provide support.
- Legitimate interests — to secure the Services, prevent abuse, and improve the product through aggregated, non-source telemetry, balanced against your rights and interests.
- Consent — for website analytics, marketing emails, and opt-in product telemetry. You can withdraw consent at any time.
- Legal obligation — to comply with tax, billing, and other applicable legal requirements.
5. How long we keep it
- Account, license, and order records: while your license is active, plus seven (7) years for tax and accounting.
- Waitlist and newsletter contacts: until you unsubscribe, then up to thirty (30) days for unsubscribe enforcement.
- Support tickets: up to twenty-four (24) months from last activity.
- Server logs: up to ninety (90) days.
- Anonymous product telemetry: up to twenty-four (24) months in aggregated form.
- Website session recordings (Section 8): up to thirty (30) days.
6. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal information; to object to certain processing; to withdraw consent; and to lodge a complaint with a supervisory authority.
- European Economic Area, United Kingdom, Switzerland: rights under the GDPR / UK GDPR.
- California: rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to know, correct, delete, limit use of Sensitive Personal Information, and opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising; we honor Global Privacy Control signals as an opt-out.
- Colorado, Connecticut, Virginia, Utah, and other U.S. states with comprehensive privacy laws: equivalent rights under those laws, including universal opt-out where applicable.
To exercise any of these rights, email support@vipr.dev with the subject line “Privacy Request.” We will respond within the timeframe required by the law that applies to you. We do not discriminate against you for exercising your rights.
7. Sub-processors and third-party services
We engage the following service providers to operate the Services. Each is bound by a written agreement that limits their processing to the purposes described below.
- Vercel Inc. — website hosting, edge delivery, server logs (United States).
- Supabase, Inc. — account, license, waitlist, and support-ticket database; authentication (United States).
- Polar Software Inc. (Polar.sh) — checkout, billing, license-key issuance, and order records (United States).
- Resend Co. — transactional and confirmation emails (United States).
- PostHog Inc. — opt-in product and website analytics (United States and EU regions, depending on your selection).
- Cloudflare, Inc. — Turnstile anti-bot verification on web forms (global).
8. Session recording
With your consent, we record anonymized sessions on vipr.dev to understand how visitors use the site and improve the product. Recording captures mouse movements, clicks, scroll position, page navigation, viewport size, and the rendered page structure (excluding masked elements). It does not capture network request or response bodies, request or response headers, or content from cross-origin frames.
What is masked or blocked. Form inputs are masked by default. We additionally block recording on the waitlist email field, all contact-form fields, the post-purchase receipt block on our success page (license key, order details), unsubscribe pages, and the Cloudflare Turnstile anti-bot widget. Masking happens in your browser before any session data is transmitted.
Sampling and minimum duration. To manage volume, we record approximately 25% of consenting sessions, and we skip sessions shorter than five seconds.
Retention. Session recordings are retained for up to thirty (30) days and then deleted by our processor.
Lawful basis. Consent under Article 6(1)(a) GDPR / UK GDPR. You can withdraw consent at any time by clearing the consent cookie or using the “Cookie preferences” control in the site footer. We honor the browser Do Not Track header and the Global Privacy Control signal as opt-outs.
Processor and transfers. Session recordings are processed by PostHog Inc. (see Section 7) under the same international-transfer mechanisms described in Section 9.
9. International transfers
We are located in the United States and our service providers process data in the United States and other jurisdictions. Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism. We have completed a Transfer Impact Assessment for our standard sub-processor stack and apply supplementary measures where appropriate.
10. Security
We use TLS 1.2 or higher in transit, encryption at rest for production databases, role-based access controls, and the principle of least privilege for personnel access. No system is perfectly secure; if you discover a vulnerability, please email support@vipr.dev with the subject “Security.”
11. Children
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.
12. Changes
We may update this Privacy Policy from time to time. Material changes will be reflected in the “Last updated” date above and, where required by law, communicated to you by email or in-product notice before taking effect. Continued use of the Services after changes take effect constitutes acceptance of the updated policy.
13. Governing law
This Privacy Policy is governed by the laws of the State of Colorado, without regard to its conflict-of-laws principles, except where mandatory local privacy law provides otherwise.
14. Contact
Vipr Development, LLC
1500 N Grant Street, Ste R
Denver, CO 80203, United States
support@vipr.dev