Privacy Policy

What we collect

When you sign up with GitHub OAuth, we receive your GitHub username and email address. We store these alongside your plan tier and billing status.

When you run an audit, we temporarily load your repository's file contents into memory to run our AI analysis. We do not persist your source code. We store only the findings (titles, descriptions, file paths, severities) and your aggregate score.

When you upgrade to a paid plan, Stripe processes your payment. We store a Stripe customer ID and subscription status but never your card details.

How we use your data

We use your email to send audit completion notifications and (on paid plans) weekly score digests. We use your GitHub login to associate audit results with your account and to display your projects in the dashboard.

We use Anthropic's Claude API to analyze your code. Anthropic's data usage policy applies to the content sent to their API. We send code file contents during analysis; we do not send personally identifying information about you or your users.

We never sell your data. We never use your code to train AI models.

Data storage and security

Your data is stored in Supabase (Postgres) with row-level security enabled. Every user can only access their own projects and audit results — this is enforced at the database layer, not just the application layer.

Backups are encrypted at rest. All traffic between your browser and our servers is encrypted in transit via TLS.

Your source code is not stored. It is loaded, analyzed, and discarded within the lifetime of a single audit run.

Data retention and deletion

Audit findings and scores are retained for as long as you have an active account. You can delete individual projects from your dashboard, which deletes all associated audits and findings.

To delete your entire account and all associated data, use the "Delete account" button in Settings → Account. This is immediate and irreversible.

If you cancel your paid plan, your account downgrades to the Free tier. Your existing audit history is retained.

Cookies and tracking

We use a single session cookie to keep you logged in via Supabase Auth. We do not use third-party advertising cookies or cross-site tracking.

We may use Plausible Analytics (a privacy-first, cookieless analytics provider) to understand aggregate traffic patterns. No personal data is collected by our analytics.

Your rights (GDPR/CCPA)

If you are in the EU or California, you have the right to access, correct, or delete your personal data. You can do most of this from your dashboard. For anything else, email privacy@shipright.tech.

We will respond to data requests within 30 days. We do not discriminate against users who exercise their privacy rights.

Changes to this policy

We may update this policy as the product evolves. If we make material changes, we'll notify you by email. Continued use of ShipRight after changes take effect constitutes acceptance of the new policy.