Last updated June 1, 2026
1.Roles
You are the controller of personal data inside your workspace; Vibely is the processor.
For account and billing data, Vibely acts as an independent controller as described in the Privacy Policy.
2.Processing terms
We process personal data only on your documented instructions, including with regard to international transfers.
Personnel with access are bound by confidentiality. Sub-processors are listed publicly and bound by equivalent terms; we give 30 days' notice before adding one.
3.Transfers
Transfers outside the EEA/UK rely on the EU Standard Contractual Clauses (2021/914) and the UK Addendum, plus supplementary technical measures.
4.Assistance & audits
We assist with data subject requests, DPIAs, and breach notifications — confirmed breaches are notified without undue delay and within 72 hours.
Once per year, you may audit our compliance via our SOC 2 report and security packet, or an on-site review for enterprise agreements.
5.Deletion
On termination, workspace personal data is deleted or returned within 35 days, subject to legal retention duties.
Questions about this document? Write to legal@vibely.ai — we answer legal mail like support mail: quickly and in plain language.