Privacy policy
Effective as of May 28, 2026
This is a translation of the French version, which prevails in case of discrepancy.
Data controller
The controller of the personal data collected via vibestarter.pro is Ethan Dorme--Talandier, acting as a sole proprietor (entrepreneur individuel) trading under the name « VibeStarter » (SIRET 104 303 797 00013), publisher of the website (see legal notice). For any question regarding your personal data: contact@vibestarter.pro.
Cookies
The website uses only first-party cookies (set by vibestarter.pro) and does not rely on any advertising tracking service (no Google Analytics, Meta Pixel, or equivalent).
Cookies strictly necessary for operation
- lang — stores the chosen language (fr / en). Duration: 1 year.
- vibestarter_session — encrypted session cookie set on sign-in. Keeps you authenticated. Duration: 7 days.
Audience measurement cookies
- vs_aid — randomly generated pseudonymous identifier, with no direct link to any identity. Used to count unique visitors. Duration: 30 days.
- vs_utm — stores the UTM parameters (source, campaign) of the last ad link that brought you to the website, to measure the effectiveness of each campaign. Duration: 30 days.
Preference cookies
- vs_marketing_consent — stores your choice regarding linking your events to your signed-in account (accepted/refused) so we don't ask again on every visit. Without this cookie or with value « refused », your browsing events stay anonymous (article 82 of the French Data Protection Act) and are not linked to your account identifier. Duration: 180 days.
Local storage (localStorage)
In addition to cookies, your browser stores the following items locally. This data stays in your browser and is never sent to our servers.
- vibestarter_formation_progress — stores the list of training videos you have marked as completed (video identifier → boolean pair). Persistent until you clear your browser's local storage. You can delete it at any time from your browser's privacy tools.
The data collected via these cookies is sent to our self-hosted application server api.vibestarter.pro — no transfer to a third-party service or advertising network. These cookies are exempt from consent under article 82 of the French Data Protection Act (strictly necessary cookies and audience measurement limited to the strict purpose of the website, without profiling).
Personal data processed
The processing operations described below are carried out when you interact with the features of the website.
User account
A VibeStarter account is created when you make a purchase on the third-party platform Bonzai. The data stored on our application server is: email address, name (when provided), an internal numeric identifier and, where applicable, a Discord identifier if you choose to link your Discord account (see below).
Legal basis: performance of the contract (article 6-1-b of the GDPR). Retention period: your account is kept as long as it remains active, and for at most 3 years from your last sign-in (CNIL recommendation), after which it is automatically deleted. You may also request its deletion at any time via the self-service tools (see the « Your rights » section below) or at the contact address above.
Magic link sign-in
Sign-in is performed via a one-time link sent to your email address (no password). No identifier or password is stored. The link automatically expires 10 minutes after being issued.
Discord linking (optional)
If you choose to link your Discord account from the « My account » page, we store the Discord identifier associated with your VibeStarter account, your Discord display name and the cumulative voice presence time on the community server, for the sole purpose of managing your access to community spaces. This linking is optional, relies on your consent (article 6-1-a of the GDPR) and may be withdrawn at any time.
Desktop application and third-party AI services (BYOK)
The VibeStarter desktop application runs official third-party AI coding agents (Claude Code, Codex, Antigravity), which you sign into with your own provider account or subscription, and calls asset-generation services (Gemini, Meshy, ElevenLabs) using your own API keys that you provide. In both cases the requests are sent directly from your machine to the relevant provider, without going through our infrastructure, and we neither store nor relay your provider credentials or access tokens; VibeStarter is not responsible for the processing carried out by those services. However, the resulting assets, and their upload to Roblox, do involve our application server, as described in the « Asset bank » and « Roblox connection » sections below. Each of these third-party services has its own terms of service and privacy policy, which you are responsible for consulting.
Asset bank
The assets you generate or import in the application are sent to our application server (api.vibestarter.pro) to be prepared and then uploaded to Roblox. If you enable sharing with the community (the « Share my generated / imported assets » settings, disabled by default), these assets are kept in the shared Bank and made available to other members (license detailed in article 4.3 of the Terms). If sharing is disabled, the assets are only kept for the time needed to finalize the upload (about 30 minutes), then permanently deleted from our servers. You can change this choice at any time in the application settings.
Roblox connection
To publish your creations on Roblox, the application connects to your Roblox account, either via a Roblox Open Cloud API key that you provide, or, in the future, via the « Sign in with Roblox » authorization (OAuth 2.0). The permissions requested are strictly limited to: reading and writing assets (asset:read, asset:write) to upload the generated content; reading and writing developer products (developer-product) and game passes (game-pass) to create and update the monetization items that you approve; and your creator identity (openid, profile) to identify the target account.
Your API key (or OAuth token) is stored locally in your operating system's secure keychain. When you trigger an upload, this key (or token) is transmitted to our application server api.vibestarter.pro, which performs the corresponding Roblox Open Cloud API call on your behalf, then returns the identifier of the created asset. These accesses are used solely to carry out the actions you explicitly trigger. Legal basis: performance of the contract (article 6-1-b of the GDPR).
This connection is used only to publish on Roblox: we do not read the content of your existing Roblox experiences, your players' data, or your revenue, and we do not store your Roblox password. The storage and possible sharing of the assets you generate are governed by the « Asset bank » section above and by article 4.3 of the Terms. You can revoke this access at any time from your Roblox account settings, or by deleting the key in the application. Processing carried out by Roblox is governed by Roblox Corporation's privacy policy.
Audience measurement and technical logging
In addition to the cookies described above, our application server retains technical logs (errors, requests) for a maximum of 18 days. IP addresses are masked therein (/24 in IPv4, /48 in IPv6) and email addresses are hashed, in order to limit exposure of personal data. Audience measurement events (page views, campaign clicks, conversions) are kept in pseudonymized form; if your account is deleted, the associated user identifier is set to NULL and the events become strictly anonymous.
Payments and billing
Transactions, invoices, VAT and payment data are handled by Inflow Pay (French SAS, 58 rue de Monceau, 75008 Paris, VAT No. FR54928877349), acting as the legal seller (Merchant of Record) and as an independent data controller for those operations. The checkout is operated by the Bonzai technical platform (Frog Tech OÜ, Estonia). No payment data (card number, etc.) transits through vibestarter.pro. See Inflow Pay's website for their privacy policy and terms of sale.
Video playback
Embedded videos from YouTube are served in « no-cookie » mode (youtube-nocookie.com), which limits the placement of third-party cookies until playback is started. If you start playback, YouTube (Google LLC) may set its own cookies, governed by its privacy policy.
Sign-up for the free video (marketing)
When you enter your email address in the « free video » form shown on the site, we use it to send you the private access link to the video, then a short sequence of emails introducing VibeStarter. Legal basis: your consent (article 6-1-a of the GDPR), collected when you submit the form. Data processed: your email address, the date and page of submission, and proof of consent. Retention: 3 years from your last contact. You can withdraw your consent at any time via the unsubscribe link in every email (immediate effect) or by contacting us.
Processors and transfers outside the EU
The following providers process personal data on our behalf:
- Vercel Inc. — hosting of the website pages (United States). Technical data: request logs, IP address, HTTP headers. Transfer framed by the EU-US Data Privacy Framework (DPF) (articles 44 et seq. of the GDPR).
- Hostinger — hosting of our application server api.vibestarter.pro (server physically located in France, no transfer outside the EU). Data stored: user accounts, audience measurement events.
- Resend, Inc. — delivery of transactional emails (sign-in links, account deletion notifications) and of the « free video » email sequence (United States). For that sequence, your email address is also stored as a contact at Resend to manage delivery and unsubscription. Data transmitted: recipient's email address and message content. Transfer framed by the Standard Contractual Clauses adopted by the European Commission (article 46 of the GDPR).
- Discord — provider of the community platform (Discord Inc., United States). If you choose to link your Discord account, your Discord identifier is exchanged via the OAuth protocol to manage your access to the community server. Discord adheres to the EU-US Data Privacy Framework (DPF). See the Discord privacy policy.
- Inflow Pay — legal seller (Merchant of Record) and independent data controller for transactions, invoices, VAT and payment data (French SAS, 58 rue de Monceau, 75008 Paris, VAT No. FR54928877349). See their website.
- Bonzai — technical checkout platform (Frog Tech OÜ, Estonia), independent data controller for data collected at checkout (email address, creator-account identifiers). See their privacy policy.
- Roblox Corporation — recipient and independent data controller for the content you publish on your own Roblox account (United States). When you trigger an upload, your creator identifier and the relevant content are transmitted to Roblox via the Open Cloud API, under your authorization. See the Roblox privacy policy.
Your rights
Pursuant to the General Data Protection Regulation (GDPR) and the French Data Protection Act, you have the following rights:
- Right of access and portability — you may at any time download all of your data in JSON format from your « My account » page (self-service export), or request it by email.
- Right of rectification — you may modify your name directly from your « My account » page. The email address is updated through the magic-link sign-in flow.
- Right to erasure — you may delete your account directly from your « My account » page. Deletion takes effect immediately (your account is deactivated and you are signed out); a grace period of 30 days applies before final deletion, during which you may cancel the request via the link received by email. After that, data is permanently erased or anonymized.
- Rights to restriction, objection and withdrawal of consent — you may exercise these at any time by contacting us. Withdrawal of Discord consent is also done from your « My account » page.
For any request that cannot be made via self-service, or for any question, contact: contact@vibestarter.pro. You will receive a response as soon as possible and at the latest within one month.
Any action taken in connection with the exercise of your rights (export, deletion, rectification) is recorded in an internal audit log, in which your email address is stored in hashed form. This log is kept for 3 years for evidence purposes, pursuant to article 30 of the GDPR.
If, after contacting us, you consider that your rights are not respected, you may lodge a complaint with the French data protection authority (CNIL), cnil.fr/en/plaintes.