Privacy Policy
Last updated: May 2026
Summary: We collect only what's necessary to provide the Service. We never sell your data. Scan results are yours and are deleted when you delete your account.
1. Information We Collect
1.1 Account Information
When you register, we collect your email address and a securely hashed password. If you use Google OAuth, we receive your email and name from Google.
1.2 Site & Scan Data
When you add a site and run scans, we collect:
- The URL(s) you submit for scanning.
- Scan results (vulnerabilities, headers, SSL status, open ports).
- Uploaded source code archives (for SAST scans) — these are processed in isolated temporary directories and deleted immediately after scanning.
1.3 Browser Extension Data
The Dev-Buddy browser extension may collect:
- Console errors and network events from pages you choose to monitor.
- DOM inspection data for CSS debugging.
This data is sent only to your configured Dev-Buddy server endpoint and is never shared with third parties.
1.4 Usage & Analytics
We collect basic usage metrics (page views, feature usage) to improve the Service. We do not use third-party tracking scripts.
2. How We Use Your Data
- To provide and maintain the Service.
- To process security scans and generate reports.
- To send you security alerts and notifications (if configured).
- To process payments through Stripe.
- To improve the Service and fix bugs.
3. Data Sharing
We do not sell, rent, or share your personal data with third parties except:
- Stripe: Payment processing (email, billing info).
- AI Providers: When you use AI-powered features, anonymized scan data may be sent to OpenAI or Anthropic for analysis. No personally identifiable information is included.
- Legal Requirements: If required by law or to protect our rights.
4. Data Security
- All passwords are hashed using PBKDF2 with per-user salts (120,000 iterations).
- API authentication uses JWT tokens and service keys.
- HTTPS is required for all production deployments.
- Uploaded source code is processed in isolated temporary directories and deleted immediately.
- WAF and rate limiting protect against abuse.
5. Data Retention (Public Beta)
- Account data is retained while your account is active.
- Public Beta: scan results and agent events are retained for up to 30 days, then deleted or anonymized.
- After full launch, retention may extend up to 12 months unless you delete data sooner.
- When you delete your account, associated data is permanently removed within 30 days.
6. Your Rights (GDPR)
If you are in the European Economic Area (EEA), you have the right to:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of your data.
- Portability: Receive your data in a structured format.
- Objection: Object to certain data processing activities.
To exercise these rights, contact us at [email protected].
7. Cookies
We use essential cookies only (authentication tokens stored in localStorage). We do not use advertising or tracking cookies.
8. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification.
10. Contact
For privacy-related questions, contact us at [email protected].