Vinculum — substrate memory for ai

privacy

What we collect, what we don't, what we do with it, and what rights you have.

last updated May 11, 2026 · source: content/legal/privacy.md

Privacy Policy

Vinculum is operated by Whalefall Media LLC ("we," "us"), based in the State of Idaho, USA. This policy describes what we collect, what we don't, what we do with it, and what rights you have. Plain English, no dark patterns.

If you self-host Vinculum from our open-source repository, this policy does not apply — you are the operator. Your data lives on your own infrastructure.

This policy applies to vinculum.run and the hosted Pro/Team tier.


What we collect

Account information

When you sign in with GitHub OAuth, we receive and store:

  • Your GitHub user ID and login name
  • Your primary email address (from GitHub)
  • An OAuth access token, used only to verify the sign-in and immediately discarded after we mint our own session token

We do not request or store your GitHub password. We do not request scopes beyond read:user and user:email.

Content you create

Vinculum is, fundamentally, a database of typed entries you choose to write. We store, exactly as you wrote it:

  • Entries — decisions, specs, notes, questions, implementations, and other typed content
  • Threads, branches, projects — the organizational structure around your entries
  • Links between entries
  • Media — images and screenshots you upload
  • Ingested conversations — Claude.ai conversation exports you choose to import
  • Sessions — metadata about Claude clients connected to your projects, including focus declarations, peer activity, and timing

Derived data

To make the product work, we generate:

  • Vector embeddings of entry content (via Voyage AI; see Third parties below) for semantic search and clustering
  • Delta classifications and thread title summaries (via Anthropic's Haiku model on the Pro/Team tier) so the dashboard can label and prioritize work
  • Audit log entries for tool invocations, useful for debugging and security incident response

Operational data

The standard set, kept for as short a window as is useful:

  • IP address and user-agent of HTTP requests, retained in server access logs for 30 days
  • Stripe customer ID and subscription status (we do not see your card; see Third parties)
  • Crash reports and structured server logs

What we don't collect

  • We do not run third-party analytics, ad pixels, session recorders, or fingerprinting on the product surface
  • We do not collect or attempt to derive precise location data
  • We do not read or scan the code in repositories you have authorized GitHub access to — Vinculum does not request repo scope
  • We do not require or use cookies for tracking; our cookies are limited to authentication session state

How we use it

We use the data above to:

  1. Run the product. Storing, indexing, and serving back the entries you write.
  2. Generate intelligence features you turned on — embeddings, semantic-related lookups, auto-titled threads, delta classifications.
  3. Bill you if you are on a paid tier (via Stripe).
  4. Keep the lights on — debug crashes, investigate security incidents, prevent abuse.
  5. Reach out about your account — service notices, security alerts, billing receipts. We do not run a marketing list. If you opt into any future product-update email, you can unsubscribe at any time.

We do not use your content to train any model, ours or anyone else's. We do not sell or rent your data. We do not share your content with other Vinculum customers. Cross-tenant access is enforced at the database layer (Postgres row-level security per project, plus application-layer ownership checks).


Third parties

We use the following third-party processors. Each handles a specific slice of the workflow; none receive more than what's needed for that slice.

| Processor | What they get | Why |
| --- | --- | --- |
| GitHub | OAuth handshake; your GitHub ID, login, email | Sign-in |
| Stripe | Your Stripe customer record, subscription status, payment events. Card details are entered into Stripe-hosted forms — we never see them. | Billing |
| Anthropic (API) | The text content of entries we are summarizing or classifying for you, on the Pro/Team tier. Subject to Anthropic's commercial terms; not used for model training under those terms. | Background intelligence (thread titles, delta classification, summaries) |
| Voyage AI (API) | Entry text passed for embedding into vectors | Semantic search & clustering |
| Cloudflare R2 | Encrypted, scheduled database backups (encrypted with age; we hold the key, R2 sees ciphertext only) | Off-box backup |
| Cloudflare | TLS termination and edge routing for vinculum.run | Traffic |
| OVH | Bare-metal hosting of the application server and database | Hosting |

If you self-host, none of these necessarily apply — you choose which integrations to enable via environment variables. Voyage AI and Anthropic features no-op cleanly if their API keys are not configured.

We do not engage data brokers. We do not engage advertising networks.


How we protect it

  • All traffic to vinculum.run is TLS-terminated at the edge (Cloudflare) and re-encrypted to the origin
  • Database access is scoped per role: vinculum_app for the application, vinculum_observer for read-only infrastructure tools
  • Multi-tenant isolation is enforced via Postgres row-level security and application-layer ownership checks
  • Backups are encrypted at rest with age before being uploaded to R2; the recipient key lives separately from the backup pipeline
  • We rotate authentication secrets on a defined schedule and on demand if a leak is suspected
  • Pre-disclosed access to your data is limited to the operator (Steve Duskett) and is logged

No system is invulnerable. If we discover a security incident affecting your data, we will notify affected accounts within 72 hours of confirming the impact, with what we know and what we're doing about it. See SECURITY.md in the repository for the vulnerability disclosure process.


Your rights

Regardless of where you live, you can:

  • Access what we have on you. Use the dashboard's data export (Settings → Account → Export my data) for a JSON dump of every entry you've authored, plus your account record and subscription history.
  • Delete your account and the data tied to it. Settings → Account → Delete my account. Cascading deletion runs on entries you authored in solo projects; entries you authored in shared projects are anonymized (the entry stays, your name is replaced with deleted-user) so peer references in the graph remain intact. Billing transactions are retained for tax purposes for the period required by US law.
  • Correct information by editing your entries directly, or by contacting us for account-level corrections.
  • Object to processing by deleting your account.
  • Lodge a complaint with your local data protection authority if you are in a jurisdiction that has one.

For users in the EU/UK: we are a US-based controller, and your data is stored on EU infrastructure (OVH, France region) for the application database. Embeddings are generated via Voyage AI and Anthropic, both US-based. Sub-processors are listed above. We rely on Standard Contractual Clauses where appropriate.

For users in California: you have the rights described above plus the right to know what we collect (this document) and the right to non-discrimination if you exercise any of these rights.


Data retention

| Data | Retention |
| --- | --- |
| Account and entries (active account) | For as long as your account exists |
| Account and entries (after deletion) | Hard-deleted within 30 days; backups containing pre-deletion data age out per backup retention below |
| Backups | Daily for 30 days, weekly for 90 days, monthly for 1 year |
| Server access logs | 30 days |
| Audit log entries | 1 year |
| Billing records | 7 years (US tax compliance) |
| Free-tier entry archive | Free-tier projects archive entries older than 14 days; archived entries are deleted after 90 days unless you upgrade |

Children

Vinculum is not designed for or directed at anyone under 13. We do not knowingly collect data from anyone under 13. If you believe a child has signed up, contact us and we will delete the account.


Changes to this policy

We will update this policy as the product evolves. The last-updated date below is pulled from the document's git history — every change is auditable. Material changes (a new third-party processor, a new category of data collected, a change in how we use your data) will be announced via in-product notice and email at least 14 days before they take effect, and you will have the option to delete your account before they apply.

Old versions of this policy live in the public git history at content/legal/privacy.md.


Contact

Questions, requests, complaints:

  • Email: privacy@vinculum.run
  • Mail: Whalefall Media LLC, [postal address — pending_legal_review]
  • Security disclosures: see SECURITY.md

We respond to privacy requests within 30 days.
