Privacy Policy
effective / 2026-05-02 / draft pending lawyer review
Qualified Vibes is operated from the United Kingdom by Colorfactory Studio Ltd. This policy explains what personal data we collect, why, how long we keep it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who is the controller?
Colorfactory Studio Ltd, London, United Kingdom. Reach the data controller at privacy@colorfactory.studio or through the platform-specific address privacy@qualifiedvibes.com.
What we collect
- Account data: email address, sign-in timestamps, age attestation, terms acceptance.
- Profile data: everything you publish on your profile — name, handle, location, bio, projects, stack, qualifications, languages, awards, rates, availability, social links, LinkedIn URL.
- Identity check data: if you opt into the qv* qualified flow, Stripe Identity verifies a government-issued ID and a live selfie. We store only the “verified” flag and the timestamp; Stripe holds the underlying document. Stripe acts as a separate data controller for those checks under their own privacy policy.
- Recommendations: verifier name, role, company, email, written content, rating, and truthfulness attestation. The verifier email is stored but never publicly displayed.
- Contact-form messages: when someone contacts a builder through the platform, we store their name, email, optional company, message, and any budget/timeline they provide. We email the builder a notification with reply-to set to the sender so future messages go directly between them, but the original message stays on file in our database.
- Technical data: IP address, user agent, and request timestamps, collected for security, abuse prevention, and rate limiting.
- Reports and moderation: content reports submitted by visitors, including reporter email.
Lawful basis
We process the data above on the basis of (a) contract — you signed up to use the platform; (b) legitimate interest — running, securing, and moderating the platform; and (c) consent — for any optional surfaces such as identity verification.
Third parties (sub-processors)
- Vercel Inc. — hosting and edge delivery (data resides in the EU/UK region).
- Neon — Postgres database, eu-west-2 (London).
- Resend — transactional email (sign-in links, recommendation requests, contact-form notifications).
- Stripe Identity — government-ID verification for the qv* qualified flow.
- Vercel Blob — image storage for hero, avatar, and project covers.
Retention
Profile and content data are retained while your account exists. On account deletion, all your published content is removed. Recommendations you wrote about other builders are retained with your name removed, so the receiving builder’s profile remains intact. Contact-form messages are kept for 24 months unless you ask us to delete them sooner. Audit-log entries about moderation actions are retained for 24 months for accountability. Identity-verification timestamps are retained while your account exists; Stripe’s retention of the underlying document follows their policy.
Your rights under UK GDPR
- Access and export: download a JSON copy of all your data from settings.
- Rectification: edit any field on your profile from the editor.
- Erasure: delete your account from settings.
- Restriction or objection: contact us at privacy@qualifiedvibes.com.
- Portability: the JSON export is machine-readable.
- Right to complain: you can lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
International transfers
Most data stays in the UK / EU. Some sub-processors (Stripe, Resend) operate in the US under Standard Contractual Clauses and the UK extension to the EU-US Data Privacy Framework.
Cookies
See the Cookie Policy for what we set, why, and how to opt out.
Changes to this policy
Material changes will require re-acceptance on next sign-in. Minor wording fixes are versioned at the top of this page.
For questions, or to exercise your rights, contact privacy@qualifiedvibes.com or jim@colorfactory.studio.