terms, privacy, and security.

vibestartup operates as a thin layer over a founder's own notion workspace. the policies below reflect that posture: we hold as little data as possible and let notion remain the source of truth.

privacy

vibestartup stores only what is required to map a founder to their own notion installation: an encrypted notion access token, the workspace identifier, the chosen parent page, and timestamps. founder-generated company data (products, leads, events, tasks, decisions) lives entirely inside the founder's notion workspace. visitor leads captured by the public /p/ routes are written directly into the founder's notion customers data source.

for product analytics we log only the runtime events that already write back to notion (page views, form submissions, scope cuts), and only on the founder's own workspace.

terms of use

by using vibestartup you agree to operate the generated company backend in accordance with notion's terms and any applicable law. you are responsible for the content of the startups you generate, the product pages you publish at /p/your-startup, and the data you collect from visitors. vibestartup is provided as-is, without warranty, and the service may change as the product evolves.

security

notion access tokens are stored encrypted in cloudflare d1 and only decrypted at the moment a request is served. the public product routes write to notion via the founder's installation, not via a shared token. oauth state is single-use and signed; static tokens are not supported in production.

report security issues to security@vibestartup.pro. please do not file public issues for vulnerabilities.

data processing

when vibestartup acts as a processor of personal data on behalf of a founder, the founder is the controller and notion is the underlying processor. visitor data captured by /p/ routes is processed only to write the lead into the founder's notion customers data source and is not retained outside notion.