Vibe Code Academy
Vibe Code Academy

Privacy Policy

Last updated: 4 April 2026

This Privacy Policy explains how Instabus Ltd trading as Vibe Code Academy collects, uses, stores and shares personal data when you use the Vibe Code Academy platform.

1. Introduction

Vibe Code Academy is an online learning platform that provides structured coding courses, learner dashboards, support tools, AI-assisted features, guides, glossary content and related services.

Vibe Code Academy is a trading name of Instabus Ltd, registered in England and Wales under company number 14618801, with its registered office at 21 Linden Way, Wetherby, LS22 7QU.

This Privacy Policy explains what personal data we collect, how we use it, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have under UK data protection law.

2. Data Controller

Instabus Ltd trading as Vibe Code Academy is the data controller for the personal data described in this Privacy Policy.

If you have questions about this Privacy Policy or about how we handle your personal data, you can contact us at privacy@vibecodeacademy.co.uk.

3. What Data We Collect

We collect different categories of personal data depending on how you use the platform.

Account Data

  • Name, where provided.
  • Email address.
  • Account access level, such as free, paid or admin.
  • Account creation date and account-related status information.

Authentication and Security Data

  • Hashed password data.
  • Email verification status and verification email timestamps.
  • Password reset records and password change timestamps.
  • Session records, including session token, created date, expiry date and last activity date.
  • Security-related event data used to protect accounts and platform content.

Payment-Related Data

  • Stripe customer ID.
  • Stripe subscription ID and subscription status, where relevant.
  • Course purchase timestamp and access entitlement status.
  • Basic payment outcome data needed to confirm whether access should be granted.

We do not store your full payment card details on our own systems. Payment card processing is handled by Stripe.

Course Usage and Dashboard Data

  • Course progress information.
  • Lesson, section and step completion data.
  • Checklist state and related learning progress state.
  • Saved idea and project workspace data.
  • Access records used to determine whether you can view free or paid course content.

Support and Communication Data

  • Support thread details, including subject and category.
  • Support messages sent by you and responses sent by us.
  • Links between support activity and your account, and in some cases related lesson context.
  • Transactional email records, such as verification, password reset and purchase-related communications.

AI Interaction Data

  • Prompts and questions you submit to AI-assisted features.
  • AI-generated responses and outputs.
  • Context attached to AI interactions, such as course, week, lesson or support context.
  • Idea-generation inputs and generated concepts, build briefs and build plans.
  • Internal review status for certain AI interactions where they are escalated into support or reused to improve platform materials.

Analytics Data

  • Visit-level analytics data, including page visits, page exits and heartbeat events.
  • Referral information and UTM parameters such as source, medium, campaign, term and content.
  • Whether a visit is linked to a signed-in account.
  • High-level event data about how the platform is used.

Technical Data

  • IP address.
  • Browser, operating system and device family information.
  • User agent information.
  • Technical request metadata needed for platform delivery, security and fraud prevention.

Uploaded or Submitted Content

At present, the platform does not provide general-purpose user file uploads as a core feature. However, we do process content you submit through forms, support messages, idea tools and AI prompts, and we may process files or attachments if a specific workflow later makes that functionality available.

4. How We Use Your Data

We use personal data to operate, secure and improve Vibe Code Academy. This includes using your data to:

  • create and manage your account;
  • authenticate you and keep your account secure;
  • verify your email address and manage password resets;
  • provide access to the free and paid parts of the platform;
  • process purchases, confirm payment status and grant access entitlements;
  • deliver course content, progress tracking and dashboard functionality;
  • provide support, including threaded support conversations and AI-assisted help;
  • generate AI-assisted outputs such as explanations, project ideas, briefs and plans;
  • monitor and enforce content protection and paid-content access controls;
  • analyse how the platform is used and improve product quality, content and performance;
  • send transactional emails and service-related communications;
  • prevent misuse, fraud, security incidents and other harmful activity;
  • meet legal, regulatory and operational obligations.

5. Legal Basis for Processing

Under UK GDPR, we rely on the following legal bases depending on the type of processing involved.

Performance of a Contract

We process personal data where this is necessary to provide the service you have asked for, including account creation, login, email verification, password reset, course access, progress tracking, paid access management, support delivery and core AI-assisted features.

Legitimate Interests

We process certain personal data where it is necessary for our legitimate interests in running, securing and improving the platform. This includes fraud prevention, security monitoring, rate limiting, content protection, service analytics, debugging, support operations, product improvement and internal reporting. Where we rely on legitimate interests, we do so in a way that we consider proportionate and respectful of your rights.

Legal Obligation

We may process personal data where necessary to comply with applicable legal or regulatory obligations, including tax, accounting, consumer law, law enforcement requests and the handling of legal claims.

Consent

Where we rely on consent, such as for certain optional cookies or tracking technologies, you can withdraw that consent at any time through the relevant consent controls, subject to technical limitations and lawful processing already carried out before withdrawal.

6. AI Processing

Vibe Code Academy includes AI-assisted features. When you use these features, the text and other information you provide may be processed by AI systems to generate responses, learning guidance, project ideas, build briefs, build plans and related outputs.

We may store both your inputs and the AI-generated outputs in order to provide the feature, show past results, support your account experience, link AI interactions to lessons or support threads, investigate issues, improve quality and protect the platform against misuse.

Some AI interactions may be reviewed internally where needed for support, safety, escalation, content improvement or operational troubleshooting.

7. Sharing Your Data

We do not sell your personal data. We share personal data only where necessary to operate the platform, provide services to you, comply with the law, or protect our rights and users.

Categories of recipients include:

  • Stripe for payment processing, customer records, checkout handling and payment-status events.
  • Mailchimp Transactional (Mandrill) for transactional and operational email delivery.
  • OpenAI for processing user inputs and generating AI-assisted outputs. This may involve sending prompt data and relevant lesson, support or idea-generation context to OpenAI's systems.
  • Hosting and infrastructure providers that help us host, run and secure the application and its database.
  • Professional advisers and authorities where disclosure is necessary for legal compliance, legal claims, fraud prevention or the protection of rights and safety.

Where third-party providers process personal data on our behalf, we expect them to do so under appropriate contractual and security obligations.

8. International Transfers

Some of our service providers may process personal data outside the UK. Where that happens, we take steps intended to ensure that personal data remains protected to UK GDPR standards.

Those steps may include the use of adequacy regulations, standard contractual clauses, and other recognised safeguards appropriate to the relevant transfer.

9. Data Retention

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the service, maintain account history, meet legal obligations, resolve disputes and protect the platform.

In practice, this means:

  • account data is generally kept while your account remains active and for a reasonable period afterwards where needed for legal, security or operational purposes;
  • session, verification and password-reset records may be retained only for as long as they remain valid, are needed to secure your account, or are relevant to fraud prevention and audit purposes;
  • payment-related records are retained as needed for financial reporting, support, audit and compliance purposes;
  • support threads, messages and AI interaction records may be retained to provide ongoing support, preserve account history and improve the platform;
  • analytics and event records may be retained for product, security and operational analysis for a limited period appropriate to those purposes.

Where data is no longer needed, we delete it or anonymise it where appropriate.

10. Your Rights

Subject to applicable law, you may have the right to:

  • request access to the personal data we hold about you;
  • request correction of inaccurate or incomplete personal data;
  • request deletion of your personal data in certain circumstances;
  • request restriction of processing in certain circumstances;
  • object to processing based on legitimate interests in certain circumstances;
  • request transfer of certain personal data to you or another provider where the right to data portability applies;
  • withdraw consent where we rely on consent.

You also have the right to complain to the Information Commissioner's Office in the UK if you believe your personal data has been handled unlawfully. You can find more information or make a complaint through the ICO website at https://ico.org.uk/make-a-complaint/.

11. Cookies and Tracking

We use cookies and similar technologies to operate the platform, maintain security and remember user preferences. These include technologies used for session management, CSRF protection and storing your cookie-consent choices.

We also use browser storage and first-party analytics-related identifiers to help understand how the platform is used, including page activity, referral information and UTM attribution data.

The platform includes cookie preference controls covering necessary, functional, analytics and marketing categories. Necessary technologies are required for the platform to function properly and remain active regardless of your preferences. Optional categories can be managed through the cookie settings controls made available on the site.

Because parts of our analytics and attribution measurement are implemented through first-party platform functionality, some usage and technical data may still be generated when you use the service, particularly where this supports platform security, performance, troubleshooting or core service delivery.

12. Security

We take security seriously and use a range of technical and organisational measures designed to protect personal data and the platform. These measures include access controls, session management, password hashing, email verification, CSRF protection, origin validation, rate limiting, duplicate-submission controls, payment webhook verification, security logging and monitoring of protected premium content.

No online service can be guaranteed to be completely secure, but we work to reduce risk and respond appropriately to security issues.

13. Children

Vibe Code Academy is not intended for children under the age of 18 unless they are using the service with the involvement and permission of a parent or legal guardian. If you believe that personal data has been provided to us inappropriately by a child, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to the platform, our processing practices, legal requirements or operational needs. Where appropriate, we may notify users of material changes through the platform or by email.

The latest version published on the platform will apply from its stated effective date.

15. Contact

If you have questions about this Privacy Policy or would like to exercise your data protection rights, please contact:

Instabus Ltd trading as Vibe Code Academy
21 Linden Way
Wetherby
LS22 7QU
Company number: 14618801

Email: privacy@vibecodeacademy.co.uk

Cookie choices

We use cookies to improve your experience

We use essential technologies to keep Vibe Code Academy secure and working properly. With your permission, we’d also like to use optional analytics and similar technologies to understand how the platform is used, reduce friction, and improve the experience over time.