Privacy Policy

Last updated: March 9, 2026

1. Information We Collect

When you sign in with GitHub, we receive your GitHub username, email address, and a list of repositories you grant access to. When you purchase a scan, Stripe collects your payment information directly — we never see or store your card number, CVC, or billing address.

2. How We Use Your Data

We use your GitHub identity to authenticate you, display your repositories, and associate scan reports with your account. Your email address may be used to send transactional messages such as scan completion notifications and payment receipts.

3. Source Code Handling

Your code is never stored permanently. When you initiate a scan, we clone your repository into an isolated environment, run the security analysis, and delete all cloned files within 10 minutes of scan completion. Raw source code is never sent to third-party AI models — only structured vulnerability metadata is used for report generation.

4. Data Retention

Scan reports (PDF files) are retained for 90 days so you can re-download them. After 90 days, reports are permanently deleted. Account information is retained for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting us.

5. Third-Party Services

We rely on the following third-party services to operate ShipShield:

  • GitHub — authentication and repository access
  • Stripe — payment processing
  • Neon (PostgreSQL) — account and scan metadata storage
  • OpenAI — AI-powered report synthesis (receives only structured vulnerability metadata, never raw source code)
  • Google Analytics — anonymized website usage analytics, loaded only with your consent (see Cookies below)

Each service is subject to its own privacy policy. We share only the minimum data required for each service to function.

6. Cookies

We use the following categories of cookies:

  • Essential — authentication session cookies required for the service to function. These cannot be disabled.
  • Analytics (optional) — Google Analytics cookies (_ga, _gid) that help us understand how visitors use the site. These are only set if you click "Accept" on the cookie consent banner. You can change your preference at any time via the "Cookie Settings" link in the footer.

We do not use advertising cookies.

7. Security

All data is transmitted over HTTPS. Repository clones are processed in isolated environments and deleted promptly. Database access is restricted, and the database is encrypted at rest. We follow industry-standard practices to protect your information.

8. Your Rights

You may request access to, correction of, or deletion of your personal data at any time. You can also:

  • Delete your account from the Settings page in your dashboard, which permanently removes all associated data.
  • Export your data from the Settings page to download a copy of all personal data we hold about you (Article 20, data portability).
  • Revoke access to your GitHub repositories through your GitHub settings.

You may also contact us at hello@shipshield.dev to exercise any of these rights.

9. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact

For questions about this privacy policy or how we handle your data, contact us at hello@shipshield.dev.