Security & Data Protection

Last updated: 5 July 2026 · Draft

Our role

Vibel is a data processor. We read your store data (orders, customers, products, fulfillments) only to give you analytics and operational insights on your own store. We never sell personal data and never use it for our own purposes.

Data minimization

We request the minimum access needed: read-only order, product, inventory and fulfillment scopes, and only the customer fields required for per-country analytics. We store trimmed order economics, not full personal-data dumps.

Encryption

All data is encrypted in transit (TLS) and at rest. Provider access tokens are held in an encrypted secrets vault and are never stored in plain tables or exposed to the browser.

Access control

Every record is protected by row-level security and scoped to the owning brand. Application data is read server-side only. Staff access to personal data is restricted and logged.

Retention & deletion

Personal data is retained only while needed to provide the service. We honor Shopify's mandatory privacy webhooks: a customer erasure request deletes that customer's data, and on uninstall we delete the shop's data. You can also request deletion at any time.

Test and production data

Development and testing use synthetic demo data only. Real merchant and customer data is never used for testing and is isolated per tenant in production.

Sub-processors

Our sub-processors are Supabase (database, storage and encrypted secrets) and Vercel (application hosting). Both provide encryption at rest and in transit and maintain their own security programs.

Incident response

On discovery of a suspected personal-data breach we: (1) contain immediately by rotating affected credentials, revoking tokens and isolating the affected system; (2) assess the scope and the merchants and customers affected within 24 hours; (3) notify affected merchants without undue delay and, where GDPR applies, within 72 hours, describing the nature of the incident, the data involved and the remediation; (4) remediate the root cause and document the incident; and (5) review and harden to prevent recurrence.

Contact

Security questions or reports: post@stephancolen.nl.
