← Back to home

Where your data lives

Vibalos runs locally. This page shows the complete picture: what stays on your Mac, what leaves it, when, why, and to whom.

Data-flow diagram: Vibalos runs entirely on your Mac. Outbound traffic only at purchase (Lemonsqueezy → Cloudflare Worker → Resend) and update checks (Sparkle Appcast).

Stays on your Mac

  • Selected text, polish output, polish templates
  • Pasteboard history (SwiftData DB)
  • Screenshots + OCR output
  • Active Claude Code session data (read-only from ~/.claude/projects/)
  • Settings, license JSON, hotkey configuration
  • AI inference (Ollama or Apple Foundation runs on the Mac)

Leaves the Mac — when

  • · At purchase: email + payment data to Lemonsqueezy (their privacy policy)
  • · Webhook (LS → Worker): confirmed order data to our Cloudflare Worker
  • · License email: signed license JSON via Resend to your inbox
  • · Update check (≤1×/day): HTTP GET to vibalos.moinsen.dev/appcast.xml with User-Agent (version, macOS version, CPU architecture)

Deliberately not built

  • No telemetry. Not even "anonymous usage stats". Not even crash reports (Sentry-style integration would be opt-in if it ever ships).
  • No accounts. No Vibalos login. Your license is a JSON file, not an account.
  • No analytics. No Google Analytics, no Plausible, nothing on the landing beyond Cloudflare's edge-level request logs.
  • No remote feature flags. What you installed is what's in the binary.

For compliance officers and DPOs

GDPR Art. 28 (data processor agreement)

Vibalos does not process personal data of your employees on behalf of a controller. The software runs exclusively on the user's device; data processing outside the device occurs only in the following cases:

  • At purchase (Lemonsqueezy as Merchant of Record collects email + payment data)
  • At license issuance (our Cloudflare Worker receives order confirmation from Lemonsqueezy and sends the signed license via Resend to the buyer's inbox)
  • At update checks (anonymous HTTP GET, transmits only version metadata via User-Agent)

A Data Processing Agreement (DPA) between you and us is therefore not required. If you wish to include Lemonsqueezy or Resend as sub-processors in your own DPA: their DPAs are publicly available.

EU AI Act Art. 50 (transparency obligations)

Vibalos itself is not a "provider" of an AI system under EU Regulation 2024/1689 (EU AI Act). The models used (Ollama models or Apple Foundation Models) run on the user's device and are provided by the respective model providers (Meta, Mistral, Apple Inc., et al.).

Vibalos is an interface to local AI, not a model provider. Transparency and labeling obligations under Art. 50 fall on the respective model providers. The software itself classifies under Art. 6(3) as a non-high-risk AI system (none of the areas listed in Annex III).

Note: The above statements reflect the provider's legal assessment based on current regulatory texts (as of May 2026). They do not replace your own legal review. For a written confirmation to your DPO: business@moinsen.dev

Verify it yourself

This page describes intent. To verify:

  • Open Activity Monitor → Network while using Vibalos. Outbound traffic should only be Ollama (local) and the Sparkle appcast URL.
  • Run Little Snitch with "ask for every connection". Vibalos should be asked exactly twice: Ollama (if used), appcast.
  • Inspect the local SwiftData DB with any sqlite browser — it's your data, you can read it.
→ Privacy policy → Terms & License → Wiki: Privacy & Security