Vibecode Survivors
Privacy Policy
Last updated: 2026-06-08
This is a translation of our Datenschutzerklärung. In case of any discrepancy, the German version is legally binding.
1. Controller
finaldream — Inh. Oliver Erdmann, Georg-Münch-Str. 14, 85604 Zorneding, Germany Email: hi@vibecodesurvivors.com
2. Overview
Vibecode Survivors is built to be data-minimal. There are no user accounts, no logins, no cookie banner. We process:
- Technical server logs on page requests
- Pseudonymous analytics via PostHog (cookieless)
- Voluntary intro-call bookings (Cal.com, EU instance)
- Emails you send us
Each processing activity is described below with purpose, legal basis, retention and recipients. Transfers to third countries (notably the US) rely on the EU Standard Contractual Clauses, in some cases reinforced by certification under the EU-US Data Privacy Framework.
3. Website hosting
- Purpose: technical operation and security of the website
- Data: IP address, timestamp, requested URL, HTTP status, user agent, referrer
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable, secure operation)
- Retention: approx. 30 days, then deletion or anonymisation unless needed to investigate an attack
- Recipient / processor: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Contractually secured via Vercel’s DPA with EU SCCs; Vercel is additionally certified under the EU-US Data Privacy Framework.
4. Analytics with PostHog (cookieless)
We use PostHog for pseudonymous usage analytics — no cookies, no local storage, no durable re-identification.
- Purpose: understand which pages and sections get used; follow the conversion funnel; detect errors; attribute language switches and booking-button clicks
- Data: page views, coarse origin, browser type, language selection (
de/en), the anonymous ad variant from theutm_contentparameter (a–e, otherwise “none”), and anonymous usage events:cta_book_click,language_switch,left_page(with scroll depth as percentage/pixels, without page or input content) andjs_error(technical error message without user input); IP addresses are pseudonymised on PostHog’s side and not persistently stored - Configuration:
persistence: 'memory',person_profiles: 'identified_only',autocapture: false,capture_pageview: false(pageviews fired manually),capture_pageleave: false,disable_session_recording: true; no cookies, no local storage, no fingerprinting - Transport & data minimisation: PostHog’s scripts and events are served through a same-origin reverse proxy at
/vcs-relaythat forwards requests to the PostHog EU instance — purely first-party technical delivery via our own domain, with no additional recipients. URL properties of events ($current_url,$referrer,$pathname, etc.) are stripped of query strings and fragments client-side before sending (before_send), so no content encoded in URLs is transmitted. - Legal basis: Art. 6(1)(f) GDPR. Because no information is stored on or read from your device, § 25 TDDDG does not apply in our assessment and no consent is required.
- Retention: raw events approx. 30 days, aggregated statistics longer
- Recipient / processor: Hiberly Ltd. (PostHog), 268 Bath Road, Slough SL1 4DX, United Kingdom; EU instance, servers in Frankfurt. GDPR DPA and SCCs in place.
5. Intro-call booking (Cal.com)
To let you book a free 15-minute intro call, we embed the Cal.com scheduler. The booking calendar is loaded only when you scroll to the booking section — not automatically on page load.
- Purpose: scheduling and managing an intro-call appointment
- Data: name, email address, the selected time slot, and your answers to the booking questions (live/preview URL, “What did you build?”); during booking, additional technical data (IP address, device and usage data)
- Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures taken at your request) and Art. 6(1)(f) GDPR (legitimate interest in efficient scheduling)
- Place of processing / data residency: booking runs through the EU instance
app.cal.euand is processed and stored in the EU (Frankfurt region). Cal.com contractually undertakes (Data Processing Agreement/DPA, § 11.3) not to store, host or transfer the data outside the EEA — apart from narrowly limited access for support, security and incident response under appropriate safeguards. - Recipient / processor: Cal.com, Inc. (Delaware, USA). A GDPR data processing agreement under Art. 28 GDPR is in place (signed 8 June 2026). Where a transfer mechanism is required for the limited access noted above, the EU Standard Contractual Clauses (Module Two, controller-to-processor) apply, incorporated by reference into the DPA (Schedule 4).
- Sub-processors: the current list is available at cal.com/privacy (DPA § 5 / Schedule 3).
- Retention: for the duration of handling the appointment and the subsequent contact; deleted once the matter is closed and no retention obligations apply (DPA § 9).
6. Email contact
If you email us we store your message and contact details until the matter is closed and no retention obligations apply.
- Legal basis: Art. 6(1)(b) and (f) GDPR
- Reception / processing: The address
hi@vibecodesurvivors.comis configured as an alias of our personal Proton mailbox. Inbound mail is therefore processed and stored by Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland. Switzerland is recognised as a safe third country under an adequacy decision of the European Commission, so no additional safeguards such as Standard Contractual Clauses are required for the transfer.
7. Retention overview
| Category | Retention |
|---|---|
| Server logs | approx. 30 days |
| PostHog raw events | approx. 30 days |
| PostHog aggregates | longer, pseudonymous |
| Cal booking data (Cal.com, EU/Frankfurt) | until matter closed + any statutory retention |
| Email correspondence (Proton mailbox) | until matter closed + statutory retention |
8. Your rights
You have the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing based on legitimate interest (Art. 21 GDPR)
- Withdrawal of consent with effect for the future (Art. 7(3) GDPR)
- Complaint to a supervisory authority (Art. 77 GDPR)
To exercise any right, an informal message to hi@vibecodesurvivors.com is enough.
9. No automated decision-making
We do not use automated decision-making within the meaning of Art. 22 GDPR.
10. Supervisory authority
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Postfach 1349, 91504 Ansbach, Germany Phone: +49 981 180093-0 · Email: poststelle@lda.bayern.de Web: lda.bayern.de
11. Security
The website is served exclusively over TLS 1.2+. Data at rest at Vercel is encrypted with AES-256. Absolute security does not exist online; we keep the attack surface small by refusing user accounts and cookies.
12. Changes
We update this policy when our processing changes. The current version is on this page; the date above shows the latest revision.