Privacy Policy

The open-source connector runs on your own machine or server. Your Overleaf git token, session cookie (if you opt into the experimental tier), and project content flow only between your device, Overleaf, and the AI client you choose. We have no access to any of it, and the connector phones home to nobody.

If you buy the hosted connector, we hold only what’s required to operate it:

• Your Overleaf git authentication token, used solely to access your projects on your behalf. It is transmitted over TLS and held only for the duration of your session — it is not stored beyond the session.
• Your license key and account email, to validate the 1-year hosted license and provide support (the purchase is managed via Polar — see Payments).
• Operational logs with secrets redacted, kept for reliability and abuse prevention and deleted within 30 days.

We act as a data processor for your project data — you remain in control of it. We do not read, mine, sell, or use your LaTeX, PDFs, or projects to train anything. Access stays scoped to your own Overleaf projects.

We process your account email and license status because they are necessary to provide the hosted license you bought (Article 6(1)(b) GDPR — performance of our contract with you). We keep short-term operational logs on the basis of our legitimate interest in keeping the service reliable and preventing abuse (Article 6(1)(f) GDPR).

The unofficial, experimental session-cookie tier is off by default and is something you enable on your own machine by pasting your own Overleaf overleaf_session2 cookie. We never ask for, receive, or store your Overleaf password. This tier is best-effort and grey-area under Overleaf’s terms — use it at your own discretion. The hosted tier does not use it.

Checkout and the license key are handled by Polar as the merchant of record. We never see your card details. Polar processes your payment data under its own privacy policy.

• Polar — checkout, payments, and license issuance.
• Vercel — hosts this website and the hosted-connector edge/serverless runtime.
• Your own Overleaf account — the source of the project data you ask us to access.

The website and hosted connector run on Vercel’s infrastructure, which may process data in the United States. Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (and, where applicable, the EU–US Data Privacy Framework) as the safeguard under Articles 44–46 GDPR. If you self-host, no transfer takes place at all.

Your Overleaf token is held only for the duration of an active session and is not persisted. Revoke the token in Overleaf at any time to cut off access immediately. We keep your license email/status while your 1-year license is active; email us to delete your stored account data outright and we’ll do so within 30 days.

Where the GDPR applies, you can request access, correction, deletion, portability, or restriction of your data, and object to processing based on our legitimate interest. Contact privacy@vibetex.dev and we’ll respond promptly. You also have the right to lodge a complaint with your data protection authority — in Belgium, the Gegevensbeschermingsautoriteit / Autorité de protection des données.

Traffic is served over HTTPS, secrets are redacted from logs, and access is scoped to your own Overleaf projects. No system is perfectly secure, but we keep the held surface area deliberately small — your token is never stored beyond the session.

The data controller for the hosted tier is Oscar Devos, operating vibeTeX from Belgium. You can reach the controller at privacy@vibetex.dev for any privacy question or data request. vibeTeX is an independent open-source project and is not affiliated with, endorsed by, or sponsored by Overleaf or Digital Science.