Vapor ("we", "us", "our") is a desktop proxy application for security professionals. This policy explains what data we collect, how we use it, and your rights.
We built Vapor with privacy in mind. Your intercepted HTTP traffic stays on your machine. We collect only what's needed to run accounts and billing.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address — for authentication and account communications
- Display name and avatar — from your OAuth provider (GitHub or Google) or set manually
Authentication is handled through Supabase. You can sign in via magic link (email), GitHub, or Google OAuth.
Payment Information
Payments are processed by Paddle, our merchant of record. Paddle handles all payment card data, billing addresses, tax calculations, and invoicing. We do not store your credit card number or payment details on our servers. We receive:
- Paddle customer and subscription IDs
- Transaction amounts, status, and invoice URLs
- Subscription plan and billing period dates
Usage Data
We track credit consumption per feature (e.g., tab completion, chat, agent runs) for billing and to show you your usage history. This includes:
- Credit transaction type, amount, and feature category
- Timestamps of credit usage
Device Information
When you activate Vapor on a device, we record:
- Device name and a hardware fingerprint
- Last active timestamp
This is used for multi-device licensing and to show you your active sessions.
2. What We Don't Collect
- Intercepted HTTP traffic — requests and responses you capture in Vapor are stored locally in your application's memory. They are never sent to our servers.
- Telemetry — Vapor does not phone home with usage analytics, crash reports, or behavioral data.
- Browsing history — we don't track what sites you visit or test.
3. AI Data Handling
Vapor offers AI-powered features such as tab completion, chat, request analysis, and automated agents. How your data is handled depends on which AI provider you use:
Local AI (Ollama)
When you use a local model via Ollama, all processing happens entirely on your device. No data leaves your machine.
Cloud AI Providers
When you use cloud-based AI (Anthropic Claude, OpenAI, or Google Gemini), relevant portions of your data (such as HTTP request/response snippets) are sent to the selected provider for processing. This only happens when you explicitly trigger an AI action.
- You choose which provider to use
- Data is sent only for the specific request you initiate
- Each provider has its own data handling policies — we encourage you to review them
- With BYOK (Bring Your Own Key), requests go directly to the provider under your own API agreement
We do not use your data to train AI models. We do not store AI request or response content on our servers.
4. How We Use Your Information
- Authenticate your account and manage sessions
- Process payments and manage subscriptions
- Track credit usage for billing
- Enforce device limits for your subscription tier
- Send transactional emails (receipts, subscription changes)
- Respond to support requests
5. Third-Party Services
We use the following third-party services:
Each service has its own privacy policy governing how it handles data.
6. Cookies
We use only essential cookies for authentication session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
7. Data Retention
- Account data — retained while your account is active. You can request deletion at any time.
- Payment records — retained as required for tax and accounting purposes.
- Usage data — retained while your account is active for billing history.
- Device records — deactivated devices are marked inactive. You can remove devices from your dashboard.
8. Data Security
We protect your data with:
- Row-level security on all database tables (users can only access their own data)
- Encrypted connections (HTTPS/TLS) for all data in transit
- Webhook signature verification for payment events
- Rate limiting on sensitive API endpoints
9. Your Rights
You have the right to:
- Access your personal data through your dashboard
- Correct inaccurate information in your profile settings
- Delete your account and associated data by contacting us
- Export your data upon request
If you're in the EU/EEA, you have additional rights under GDPR including the right to data portability and the right to lodge a complaint with a supervisory authority.
10. Children
Vapor is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via email or through the application. Continued use of Vapor after changes constitutes acceptance of the updated policy.
12. Contact
Questions about this policy? Contact us at privacy@vaporsec.io.