Privacy Policy

Who we are

VibeTag is an AI measurement assistant for Google Tag Manager, operated by Peter Šutarík (“VibeTag”, “we”). You connect your own AI agent to VibeTag, and VibeTag works on your Google Tag Manager and Google Analytics accounts at your direction.

Questions about this policy or your data: privacy@TODO-replace-with-real-domain.example TODO: placeholder address

What data we collect and why

• Google account email and basic profile — collected when you sign in with Google, used to create and identify your VibeTag account.
• Google Tag Manager container configuration (tags, triggers, variables, versions) — read to produce container audits, documentation pages, and drift detection. Edited only at your direction, only inside isolated GTM workspaces, and never published without your explicit in-app approval click.
• Google Analytics (GA4) report data (event counts and realtime event data) — read-only, used to verify that tracking you configured actually works and to monitor for event-volume anomalies. We never modify your Analytics configuration.
• Google OAuth refresh tokens — stored encrypted at rest with AES-256-GCM so VibeTag can act on your accounts between sessions. Tokens and all Google data are scoped to the individual user account that granted them — no cross-user access and no aggregation across customers.
• Audit logs of agent actions — every tool call your agent makes through VibeTag is recorded in an activity log visible to you, so you can always see what was done on your accounts.

We do not serve ads, we do not sell your data, and we do not share your data with third parties — except the infrastructure subprocessors that run the service: Vercel (web application hosting), Railway (MCP server hosting), Supabase (database hosting), Resend (transactional email delivery).

Google API Services User Data Policy — Limited Use

VibeTag's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: data obtained via Google APIs is used only to provide and improve the user-facing features described above (audit, documentation, implementation in workspaces, verification, monitoring); it is not transferred to third parties except as necessary to provide those features, to comply with applicable law, or as part of a merger or acquisition with notice; it is not used for serving advertisements; it is not used to train generalized machine-learning or AI models; and humans do not read this data except with your explicit permission, for security purposes, to comply with applicable law, or in aggregated and anonymized form for internal operations.

Data retention and deletion

• Encrypted Google refresh tokens are kept until you revoke access. You can revoke at any time in the app (disconnect Google on the dashboard, which deletes the stored refresh token) or from your Google account at myaccount.google.com/permissions. If you revoke from Google directly, VibeTag marks the connection as failed and stops using it.
• On an account deletion request, we delete your stored tokens and Google-derived data (container snapshots, documentation, audit data). Send deletion requests to the contact address above.

Cookies

VibeTag uses a session cookie to keep you signed in. We do not use tracking or advertising cookies.

Changes to this policy

If this policy changes, we will post the new version on this page and update the effective date above. Material changes will be announced to signed-in users.