
Data handling

What Vibetight sees, what stays on your device, and what we never touch.

Updated 2026-05-19

The single most important security property of Vibetight is this: we don’t see your source code.

The architecture at a glance

flowchart LR
    repo[(Your repository)]
    device[Your device<br/>coding agent runs here]
    vt[Vibetight]

    repo <-->|git, your credentials| device
    device -->|events only<br/>no source code| vt
    vt -.->|task instructions| device

The arrows are intentional:

  • Code travels between your repo and your device, over your network, with your credentials. Vibetight isn’t in this path.
  • Events travel between your device and Vibetight: task lifecycle, chat messages, tool-call metadata, permission decisions, status changes. The bytes of your source code are not in those events.

This isn’t a privacy framing for marketing; it’s the architecture. Other SaaS coding-agent tools extend their security perimeter to cover every file in every customer repo. Ours doesn’t.

What we see (and store)

  • Account data: your email, name, and authentication identifier from your Google account.
  • Workspace data: the tenants, projects, agents, and tasks you create. Comments you post. Permission decisions you make.
  • Device metadata: at pairing time, an installation ID, OS, and architecture. The device token is hashed at rest; we cannot recover the original.
  • Agent event metadata: which agent ran what task, on which device, when it started, when it finished, the chat messages produced, the tool calls requested, the permission decisions made.

What we don’t see

  • Source code in your repositories. The agent operates on your device; we receive event streams, not file contents.
  • Your coding agent’s authentication credentials. Those sit in your OS keyring (desktop) or your device’s sealed config (headless). We receive only an opaque device identifier.
  • Anything in repositories you haven’t pointed Vibetight at. Scope is per project: each project Vibetight knows about points only at the one repo you wired up.

Where it lives

Vibetight’s primary data store is in the European Union. Service providers we use (hosting, email, accounting) may operate elsewhere; we pick providers with appropriate data-protection commitments (Standard Contractual Clauses or equivalent adequacy decisions). The Privacy Policy has the full list.

Encryption

  • All client ↔ API traffic is TLS 1.2+ only.
  • Realtime task updates use the same TLS termination.
  • Backups are encrypted with keys we control.
  • Disk-level encryption is provided by the underlying cloud host.

Retention

  • Workspace and audit data: retained for 12 months by default while your account is active. Purged within 30 days of account deletion; encrypted backups may retain a copy for up to 90 days.
  • Billing records: retained per applicable tax law, typically 7 years.

See also

  • Audit trail: what gets recorded and how you read it back
  • Privacy Policy: the legal framing of data we collect
  • GDPR statement: your rights and the mechanisms to exercise them
  • Security: high-level security posture for compliance buyers