Privacy Policy

Last updated: June 2026

1. Information We Collect

When you sign in with GitHub, we receive your public profile information (username, avatar URL) and an OAuth access token scoped to read your repositories. We store this token encrypted (AES-256-GCM) and use it solely to scan repositories you explicitly request.

2. How We Use Your Information

  • Authenticate your identity via GitHub OAuth
  • Scan repositories you select and generate analysis reports
  • Process payments through Stripe (we never store card details)
  • Store scan reports and artifacts in Vercel Blob storage

3. Data Storage & Security

User data is stored in Supabase (PostgreSQL) with row-level security policies. All API communication uses HTTPS. GitHub tokens are encrypted at rest using AES-256-GCM with environment-managed keys.

4. Data Retention

Scan sessions and reports are retained until you delete them or close your account. Shared report links expire per the duration you set (1, 7, or 30 days). You may request full data export or account deletion at any time from your settings.

5. Your Rights (GDPR & CCPA)

  • Access: Export all your data via Account Settings → Export Data
  • Deletion: Delete your account and all associated data via Account Settings
  • Portability: Data export is provided as JSON
  • Opt-out: Revoke GitHub access at any time from your GitHub settings

6. Third-Party Services

  • GitHub: OAuth authentication and repository access
  • Stripe: Payment processing
  • Supabase: Database and authentication storage
  • Vercel: Application hosting and blob storage

7. Data Processing & Handling

We act as a data processor when analyzing your repositories on your behalf. Repository code is processed in-memory during scans and is not persisted beyond the generated report artifacts. AI model providers (Anthropic, OpenAI) may process code snippets as part of analysis — these providers have their own data processing agreements and do not retain input data for training.

  • Processing scope: Only repositories you explicitly authorize are scanned
  • Data minimization: We process the minimum data necessary for analysis
  • Sub-processors: Supabase (storage), Vercel (hosting), Stripe (billing), Sentry (error tracking)
  • Data location: Primary data is stored in US-based infrastructure
  • Breach notification: We will notify affected users within 72 hours of discovering a data breach

8. Contact

For privacy inquiries, contact us via the GitHub issue tracker.

See also: Terms of Service