Privacy Policy
Last updated: 4 March 2026
1. Who We Are
Quantum Encoding Ltd (Company Number: 16575953, registered office: 33 Oxford Street, Coalville, LE67 3GS) is the data controller for information collected through the Vibing with Grok application and the website at vibingwithgrok.com. Our main website is quantumencoding.io.
2. Local-First Architecture
Vibing with Grok is designed with a local-first architecture. Your conversations, API keys, agent profiles, knowledge graph data, vector embeddings, agent memory, and usage records are stored locally on your device. We do not have access to this locally-stored data.
Exceptions to the local-first model are described in sections 4, 5, and 6 below.
3. What We Collect
3.1 Website
When you visit vibingwithgrok.com, we may collect:
- Standard web analytics data (page views, referrer, device type, country) via cookies, subject to your consent
- Information you provide when contacting support
3.2 Application
The application itself collects:
- No conversation data — all conversations are stored locally on your device
- No API keys — your own API keys are stored on your device only and never transmitted to us
- Anonymous crash reports (if you opt in)
- Purchase and license verification data for unlock packs and subscriptions
- Local usage records (token counts, model, cost estimates) stored as files on your device
3.3 Voice & Audio
When you use the voice assistant, audio is captured by your device microphone and sent directly to the speech-to-text provider you have configured (e.g., xAI, OpenAI). We do not receive or store your audio data. The relevant provider’s privacy policy applies to audio data sent to them.
4. Third-Party AI Providers
When you use the app with your own API keys, your prompts are sent directly from your device to the AI provider (e.g., xAI, Anthropic, Google, OpenAI, DeepSeek) using your own API key. We do not proxy, log, or store these communications. Each provider’s own privacy policy applies to data sent to them:
- xAI Privacy Policy
- Anthropic Privacy Policy
- OpenAI Privacy Policy
- Google Privacy Policy
- DeepSeek Privacy Policy
5. Managed Subscription Proxy
If you use our Managed Subscription, your AI requests are routed through a proxy server operated by Quantum Encoding Ltd at api.vibingwithgrok.com. In this case:
- Request metadata (timestamp, model name, token counts, your account identifier) is logged for billing and quota enforcement. This metadata is retained for up to 12 months.
- Prompt and response content passes through our infrastructure but is not stored beyond the duration of the HTTP request. We do not train on your data.
- Your requests are then forwarded to the underlying AI provider; their privacy policy also applies.
- You can stop using the Managed Subscription at any time by switching to your own API keys in the application settings.
6. Web Content Fetching
The application includes a feature that may automatically fetch the content of URLs you include in chat messages (“auto-fetch”), or you may instruct the agent to browse web pages on your behalf. On desktop, this uses a headless browser (Chrome/Chromium/Brave via Chrome DevTools Protocol).
- When the Service fetches a URL, it makes an HTTP request from your device. Your IP address is visible to the website being fetched.
- We do not log or store the URLs fetched or the content retrieved.
- The fetched content is processed locally and sent to your configured AI provider as part of your conversation context.
- Auto-fetch can be disabled in the application settings.
7. Cloud File Sync
The application includes an optional cross-device file sync feature powered by SurrealDB Cloud. If you connect a SurrealDB Cloud account and use this feature:
- Files you explicitly choose to sync are uploaded to your SurrealDB Cloud database. We do not have access to your SurrealDB Cloud data.
- Your SurrealDB Cloud credentials (connection token) are stored locally on your device.
- SurrealDB’s own privacy policy applies to data stored in their cloud service.
8. Google reCAPTCHA
We use Google reCAPTCHA v3 on the account signup page to detect automated bot activity and protect our service from abuse. reCAPTCHA v3 works invisibly in the background — no puzzle is shown to the user.
When you visit the signup page, reCAPTCHA collects hardware and software information, browser details, mouse movements, and interaction patterns and sends them to Google. Google returns a risk score; scores below our threshold result in the signup being rejected.
- reCAPTCHA is only active on the /signup page — it is not loaded site-wide.
- Our legal basis for this processing is legitimate interest (protecting the service from fraud and abuse).
- Data collected by reCAPTCHA is governed by the Google Privacy Policy.
9. Cookies
Our website uses cookies for analytics, functionality, and security. See our Cookie Policy for details, including the reCAPTCHA _GRECAPTCHA cookie. We use Google Consent Mode V2 and will not set analytics or marketing cookies without your consent.
10. Legal Basis for Processing (GDPR)
Where we process personal data, our legal bases are:
- Consent — for analytics and marketing cookies
- Legitimate interest — for website security, fraud prevention, and bot detection (reCAPTCHA)
- Contract — for processing purchases, subscriptions, and providing the Managed Subscription service
11. Your Rights
Under the UK GDPR and EU GDPR, you have the right to:
- Access, correct, or delete your personal data
- Restrict or object to processing
- Data portability
- Withdraw consent at any time
- Lodge a complaint with the ICO (UK) or your local supervisory authority
12. Data Retention
Website analytics data is retained for 26 months. Purchase and subscription billing records are retained for as long as required by UK tax law (typically 6 years). Managed Subscription request metadata is retained for up to 12 months. You can request deletion of personal data at any time by contacting us.
13. International Transfers
Our website is hosted on Cloudflare (global CDN). Analytics data may be processed in the US by Google under Standard Contractual Clauses. The Managed Subscription proxy is hosted on Cloudflare infrastructure. SurrealDB Cloud may process data in locations outside the UK/EEA; refer to SurrealDB’s privacy policy for details. No locally-stored application data leaves your device except as described in sections 4–7 above.
14. Children
The Service is not intended for children under 16. We do not knowingly collect personal data from children.
15. Changes
We may update this policy from time to time. Changes will be posted on this page with an updated date.
16. Contact
For privacy enquiries, contact us at vibingwithgrok.com/contact.