Privacy
Last updated: 19 April 2026
vibestat is built to be the analytics tool you can run without lawyers, cookie banners or guilt. This page is plain English; it is not a substitute for legal advice.
What we collect
- The path of the page being viewed (e.g.
/pricing) — query strings can be stripped viadata-exclude-search. - The hostname of the referrer (e.g.
news.ycombinator.com) — never the full referrer URL. - Device class (mobile / tablet / desktop), browser family and OS family.
- Country, derived from the request edge headers if present.
- Web Vitals (LCP, FCP, CLS, INP, TTFB) reported by the visitor's browser.
- UTM tags found in the URL.
- A non-reversible visitor hash that resets daily (see below).
What we don't collect
- No cookies. No
localStorageidentifiers. No fingerprinting. - No IP address is ever stored in the database.
- No raw
User-Agentstring is stored. - No personal data, account data, or cross-site graph.
How visitor hashing works
On each request we compute SHA-256(daily-salt | site-id | ip | user-agent) and keep only the first 24 hex chars. The daily salt is rotated every UTC day from a private seed (VIBESTAT_SALT_SEED). Because the salt rotates, the same person browsing on two different days produces two unrelated hashes — so cross-day re-identification is mathematically infeasible.
Do Not Track
The tracker checks navigator.doNotTrack and exits without sending any beacon if it is enabled.
Your data, your dashboard
Your owner token lives only in your browser's localStorage. We have no account database, no recovery email and no way to access your dashboard if you lose the token. Treat it like a password. You can paste the token into another browser to sync access.
Deletion
Deleting a site from the dashboard removes the site row and every associated event in the same transaction. There is no soft-delete and no admin override.
Quick audits
The free /audit tool fetches the URL you submit and stores the resulting report so the link can be shared. The stored row contains: the URL, the score, the parsed report (HTML metadata, headers, links, vitals timing) and the AI-generated summary if you triggered one.
- Audit URLs and reports are accessible to anyone with the share ID (a 12-character random string).
- We do not store the IP of the person who ran the audit. We do store a salted, daily-rotating hash for the AI quota counter only.
- If you submit a URL, please make sure you have the right to audit it. Do not paste internal staging links or URLs containing secrets.
- Want a report removed? Email the address in our terms with the share link.
AI summary
When you click Generate summary, the audit findings (not your IP, not the page HTML) are sent to Groq for inference using the llama-3.3-70b model. The generated text is cached on our side with the audit so future viewers see it instantly. Limit: 3 generations per IP per 24 hours.