Privacy
Last updated July 2026
Unvibe is a desktop app that helps you understand code. This page describes what it processes and why, in plain language. It reflects how the product actually behaves. It is a summary, not a substitute for the full policy.
What Unvibe processes
- Code you choose to review. When you activate Unvibe on a selection, that snippet and the limited surrounding context you approve is sent to generate an explanation. Before anything leaves your Mac it is scanned on-device for secrets, and detected credentials block or warn first.
- Repository metadata such as file paths, structure, and git diffs, only when you explicitly review those scopes. Unvibe does not read your repository in the background.
- Learning records — which snippets you reviewed, comprehension results, concepts, and streaks.
- Account data — your email for sign-in and an authentication token.
What Unvibe does not do
- It does not read your repository without an explicit action from you.
- It does not train AI models on your private code.
- It does not log the contents of your private code in analytics.
- It does not perform screen recording, OCR capture, or keylogging.
Secret filtering, before anything is sent
Every remote request is scanned on your Mac for known credential patterns — API keys, tokens, private keys — plus high-entropy strings and KEY= style assignments. A hit blocks the request and shows you the file and line so you can redact it or add it to a .unvibeignore file. Files like .env, keys, node_modules, and build output are excluded by default, and .gitignore is honored.
Consent and the cloud
Explanations are generated by a cloud AI provider (initially Anthropic), so the filtered snippet you approve is sent over an encrypted connection. Cloud analysis is off until you grant consent per repository, and you can preview exactly what would be transmitted before enabling it. A fully local, no-cloud mode is not available yet.
Storage, security, and your rights
Learning data lives on your Mac and, when you are signed in, syncs to our backend where row-level security keeps your data private to you. Your auth token is encrypted at rest using the operating system keychain, and data is encrypted in transit and at rest. You can access, export, and delete your data — see data controls and account deletion. We use no advertising trackers.
Platforms and scope
Unvibe is Mac first; Windows and Linux are not available yet. We claim no security certifications. Explanations are a learning aid, not a security audit — see the terms for the AI limitations disclaimer.