Security & Data Protection
Last updated: 5 July 2026 · Draft
Our role
Vibel is a data processor. We read your store data (orders, customers, products, fulfillments) only to give you analytics and operational insights on your own store. We never sell personal data and never use it for our own purposes.
Data minimization
We request the minimum access needed: read-only order, product, inventory and fulfillment scopes, and only the customer fields required for per-country analytics. We store trimmed order economics, not full personal-data dumps.
Encryption
All data is encrypted in transit (TLS) and at rest. Provider access tokens are held in an encrypted secrets vault and are never stored in plain tables or exposed to the browser.
Access control
Every record is protected by row-level security and scoped to the owning brand. Application data is read server-side only. Staff access to personal data is restricted and logged.
Retention & deletion
Personal data is retained only while needed to provide the service. We honor Shopify's mandatory privacy webhooks: a customer erasure request deletes that customer's data, and on uninstall we delete the shop's data. You can also request deletion at any time.
Test and production data
Development and testing use synthetic demo data only. Real merchant and customer data is never used for testing and is isolated per tenant in production.
Sub-processors
Our sub-processors are Supabase (database, storage and encrypted secrets) and Vercel (application hosting). Both provide encryption at rest and in transit and maintain their own security programs.
Incident response
On discovery of a suspected personal-data breach, we:
(1) contain immediately by rotating affected credentials, revoking tokens and isolating the affected system;
(2) assess the scope and the merchants and customers affected within 24 hours;
(3) notify affected merchants without undue delay and, where GDPR applies, within 72 hours, describing the nature of the incident, the data involved and the remediation;
(4) remediate the root cause and document the incident; and
(5) review and harden to prevent recurrence.
Contact
Security questions or reports: post@stephancolen.nl.