Privacy Policy

Effective date: March 22, 2026 · Last updated: March 22, 2026

Vivid ("Vivid," "we," "us," or "our") operates the website located at govivid.app and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

1. Information We Collect

1.1 Information You Provide Through Authentication

When you sign in using a third-party authentication provider (Google or GitHub), we receive and store the following information from your provider profile:

  • Email address (used as your unique account identifier)
  • Display name (shown in the application interface)
  • Profile picture URL (displayed as your avatar)
  • Provider account identifier (an opaque ID from Google or GitHub, used to link your account)

We do not receive, store, or have access to your authentication provider password. We do not store OAuth access tokens or refresh tokens — they are used once during the sign-in callback and immediately discarded.

1.2 Content You and Your Agents Create

When you use the Service, you and the AI coding agents you authorize may create and push content, including:

  • Project information — project names, screen routes, component metadata
  • Component source code — React component code pushed by your agent for bundling and preview
  • Design variant code — React component code representing design alternatives, created by your agent
  • Annotations — text feedback you provide on design variants
  • Design tokens — color palettes, typography settings, and other design system data
  • Revision history — snapshots of variant code at each version, including which annotation triggered the revision

This content is stored in our database and used solely to provide the Service to you.

1.3 API Keys

When you generate an API key to connect your AI agent, we store a cryptographically hashed version of the key (bcrypt). The full key is displayed to you exactly once at creation and is never retrievable afterward. We store a short prefix of the key for display purposes and a lookup fragment for authentication.

1.4 Information Collected Automatically

We collect minimal technical information necessary to operate the Service:

  • Session cookie — an HTTP-only JWT cookie (vivid_session) containing your user ID and display name, used to authenticate your requests. This cookie expires after 7 days.
  • Server logs — standard HTTP request logs (IP address, user agent, request path, timestamps) generated by our application server for operational and security purposes. These logs are not used for tracking or analytics.

We do not use any analytics, tracking pixels, advertising networks, fingerprinting, or third-party tracking technologies. We do not use Google Analytics, Segment, Mixpanel, or similar services.

1.5 Information We Do Not Collect

  • We do not access your source code repositories (GitHub, GitLab, etc.)
  • We do not require or request access to your codebase — your AI agent pushes only the specific component context you authorize
  • We do not collect payment information (no billing system is currently in place)
  • We do not collect precise geolocation data

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — authenticate you, render design previews, store your projects and variants, and facilitate the feedback loop between you and your AI agent
  • Operate and maintain — ensure the Service functions correctly, debug issues, and monitor server health
  • Communicate with you — respond to support requests or notify you of material changes to the Service or this policy (if we add email communications in the future)
  • Protect security — detect and prevent fraud, abuse, or security incidents
  • Comply with legal obligations — respond to lawful requests from public authorities

We do not sell, rent, or trade your personal information to third parties. We do not use your information for advertising. We do not use your content (code, annotations, design tokens) to train machine learning models.

3. How We Share Your Information

We may share your information only in the following limited circumstances:

  • Infrastructure providers — we use third-party hosting services to operate the Service (see Section 4). These providers process your data on our behalf and are contractually obligated to protect it.
  • Legal compliance — we may disclose information if required by law, regulation, legal process, or governmental request.
  • Safety and enforcement — we may disclose information to protect the rights, property, or safety of Vivid, our users, or the public, and to enforce our Terms of Service.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.

We do not share your information with advertisers, data brokers, or any third parties for their own marketing purposes.

4. Third-Party Services and Subprocessors

The Service relies on the following third-party services:

| Provider | Purpose | Data Processed |
|---|---|---|
| Google (OAuth 2.0) | User authentication | Email, name, profile picture (during sign-in only) |
| GitHub (OAuth 2.0) | User authentication | Email, username, avatar URL (during sign-in only) |
| Vercel | Web application hosting & CDN | HTTP requests, IP addresses (infrastructure logs) |
| Railway | Backend API & database hosting | All application data (stored in PostgreSQL) |
| esm.sh | JavaScript module CDN (React, Sucrase) | IP addresses via CDN requests (no user data sent) |
| Tailwind CSS CDN | CSS framework for design previews | IP addresses via CDN requests (no user data sent) |

CDN resources (esm.sh, Tailwind CSS) are loaded in sandboxed iframe environments used to render design previews. These requests transmit only standard HTTP headers (IP address, user agent) and no Vivid-specific user data.

5. Cookies and Local Storage

We use the following cookies and browser storage mechanisms:

| Name | Type | Purpose | Duration |
|---|---|---|---|
| vivid_session | HTTP-only, Secure, SameSite=Lax cookie | Session authentication (contains user ID and name in a JWT) | 7 days |
| UI preferences | localStorage | Sidebar collapse state and view preferences | Persistent (until cleared by user) |

We use only essential cookies required for the Service to function. We do not use advertising cookies, tracking cookies, or any non-essential cookies. Because our cookie is strictly necessary for authentication, no cookie consent banner is required under most privacy regulations, though we disclose its use here for transparency.

6. Data Retention

  • Account data — retained for as long as your account exists. You may request deletion at any time (see Section 9).
  • Project data (projects, variants, annotations, revisions, components) — retained until you delete the project or your account. Deleting a project permanently removes all associated variants, revisions, annotations, and component bundles.
  • API keys — retained until you revoke them. Revoked keys are permanently deleted.
  • Server logs — retained according to our hosting providers' default retention policies (typically 30 days or less).
  • Session cookies — expire automatically after 7 days.

7. Data Security

We implement reasonable security measures to protect your information:

  • Encryption in transit — all communications use HTTPS/TLS encryption
  • HTTP-only cookies — session tokens cannot be accessed by JavaScript, mitigating XSS attacks
  • Hashed API keys — API keys are stored as bcrypt hashes; the raw key is never stored
  • No stored OAuth tokens — provider tokens are used once and discarded
  • Access control — all API endpoints verify ownership; users can only access their own projects and data
  • CORS restrictions — the API accepts requests only from authorized origins

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your API keys.

8. Design Preview Accessibility

Design variant previews are rendered in sandboxed iframes. While variant URLs are not publicly listed or indexed, anyone with a direct link to a variant renderer URL may be able to view the rendered preview. Do not include sensitive information (passwords, API keys, personal data) in your design variant code. We plan to add access controls to renderer URLs in a future update.

9. Your Rights and Choices

All Users

  • Access — you can view all your data within the Service at any time (projects, variants, annotations)
  • Deletion — you can delete individual projects (which cascades to all related data), revoke API keys, or request complete account deletion by contacting us at karim@govivid.app
  • Portability — your variant code is displayed in full within the Service and can be copied at any time
  • Correction — profile information (name, email, avatar) is sourced from your OAuth provider; to correct it, update your Google or GitHub profile

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale or sharing of personal information — we do not sell or share your personal information
  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact karim@govivid.app. We will respond within 45 days.

European Economic Area, UK, and Switzerland Residents (GDPR)

If you are located in the EEA, UK, or Switzerland:

  • Legal basis — we process your personal data based on: (a) your consent (by signing in), (b) contractual necessity (to provide the Service), and (c) legitimate interests (security, fraud prevention)
  • Additional rights — you have the right to access, rectify, and erase your personal data, to restrict or object to processing, and to data portability
  • Data transfers — your data may be transferred to and processed in the United States, where our hosting providers operate. We rely on standard contractual clauses and provider certifications for lawful transfer
  • Supervisory authority — you have the right to lodge a complaint with your local data protection authority

To exercise these rights, contact karim@govivid.app.

10. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us at karim@govivid.app and we will promptly delete such information.

11. International Data Transfers

Vivid is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we may also notify you via email (if we have your email) or through a notice within the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at: