Privacy Policy

1. Introduction

Vexp ("we", "us", "our") operates vexp, a local-first context engine for AI coding agents, distributed as a VS Code extension. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

The core principle is simple: your source code never leaves your machine. vexp is designed to run entirely offline for all core functionality.

2. Data We Do NOT Collect

This is the most important section. vexp's core functionality — indexing, querying, graph traversal, skeleton generation, and all 7 MCP tools — runs entirely on your local machine. We do not collect, transmit, or have access to:

• Your source code, in any form
• Abstract syntax trees (ASTs) or dependency graphs
• Code embeddings, vectors, or semantic representations
• The contents of your .vexp/index.db local index
• Context capsules, skeletons, or MCP tool outputs
• File names, directory structures, or repository metadata

The Rust daemon (vexp-core) makes zero network calls. It communicates only with the local MCP server via Unix socket or named pipe. There are no cloud dependencies, no external APIs, and no telemetry endpoints in the core indexing and query pipeline.

3. Data We Collect

We collect minimal data only when necessary for account management and optional telemetry:

Account Information

For paid plans (Pro, Team, Enterprise), we collect your email address and name to manage your license. Payment information is processed entirely by Stripe — we never see or store your card number, CVV, or banking details.

License Validation

For paid plans, the extension performs a license check at most once every 7 days. This transmits only your license key and a device fingerprint (a hash derived from hardware identifiers). No code content, file names, or repository information is included.

Optional Telemetry

Telemetry is disabled by default and requires explicit opt-in via vexp.telemetry.enabled = true in your VS Code settings. When enabled, we collect:

• Token savings percentage (aggregate, not per-file)
• Average query latency
• Language distribution (e.g. "60% TypeScript, 30% Go")
• Node and edge counts

Telemetry never includes code content, file names, symbol names, or any information that could identify your codebase.

4. Stripe Payments

All payment processing is handled by Stripe, Inc. We do not store credit card numbers, bank account details, or any sensitive financial data on our servers. Stripe's PCI DSS Level 1 certification ensures your payment data is handled securely.

5. Cookies & Local Storage

This marketing website may use analytics cookies to understand visitor behavior. These cookies do not track you across other websites and can be declined via your browser settings.

The vexp VS Code extension does not use browser cookies, local storage, or any browser-based tracking mechanism. It runs entirely within the VS Code extension host.

6. Data Retention

• Account data — retained while your account is active, plus 30 days after cancellation.
• Telemetry data — aggregated and anonymized. Retained for 90 days, then permanently deleted.
• Source code data — never collected. There is nothing to retain.

7. Third Parties

We share data only with the following third parties:

• Stripe — payment processing for paid plans.
• Analytics provider — anonymous website traffic data (marketing site only).

No third party has access to your source code, repository data, or the contents of your local vexp index. This is architecturally impossible — the data never leaves your machine.

8. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate personal data.
• Erasure — request deletion of your personal data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing of your personal data.

To exercise any of these rights, contact us at privacy@vexp.dev. We will respond within 30 days.

9. Children

vexp is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' notice via the vexp website or extension notification. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

For privacy-related questions or concerns, contact us at privacy@vexp.dev.

For general inquiries, see the documentation or visit our homepage.