Privacy Policy
Last updated: April 13, 2026
CodeShield.sh (“CodeShield,” “we”) takes privacy seriously. This policy explains what data we collect, why, and what rights you have, in particular under the EU General Data Protection Regulation (GDPR).
Data controller: CodeShield.sh — privacy@codeshield.sh.
1. Data we collect
| Category | Examples | Purpose |
|---|---|---|
| Account | Name, email, GitHub ID, avatar | Authentication, billing |
| Billing | Stripe customer ID, subscription status | Process payments (we never see full card numbers) |
| Scan content | Code you submit, repo URLs, file paths | Produce scan results |
| Scan metadata | Findings, severities, timestamps | History, reporting, auditing usage |
| Technical | IP, user-agent, log data | Security, rate-limiting, abuse prevention |
| Analytics (optional) | Page views, click events | Product improvement (Google Analytics, PostHog) |
2. Legal bases (GDPR Art. 6)
- Contract — to provide the Service you signed up for.
- Legitimate interests — to keep the platform secure, prevent abuse, and improve the product.
- Legal obligation — tax, accounting, and fraud-prevention records.
- Consent — optional analytics and marketing emails. You can withdraw consent at any time.
3. Code & scan data
Source code you submit is processed only to produce scan results. We:
- Do not sell your code or scan data.
- Do not use your code to train public AI models.
- Send small code snippets to Anthropic (Claude) only when you explicitly request an AI auto-fix. Anthropic processes them under its commercial terms and does not train on API data.
- Store scan findings and metadata for as long as your account is active, so you can review history. You can request deletion at any time.
4. Sub-processors
We rely on the following vendors to deliver the Service. Each has been reviewed for security and GDPR compliance.
| Vendor | Purpose | Location |
|---|---|---|
| Vercel | Hosting | EU / US |
| GitHub | OAuth, repo access | US |
| Stripe | Payments | IE / US |
| Anthropic | AI auto-fix (optional) | US |
| Resend | Transactional email | US |
| PostHog / Google Analytics | Product analytics | EU / US |
International transfers rely on Standard Contractual Clauses (SCCs) where applicable.
5. Retention
- Account data — as long as your account is active.
- Billing invoices — 7 years (legal requirement).
- Scan findings — while your account is active; deleted on request.
- Server logs — 30 days.
6. Your rights (GDPR)
You can at any time:
- Access a copy of the data we hold about you.
- Correct or update inaccurate data.
- Delete your account and data (“right to be forgotten”).
- Export your data (portability).
- Object to processing or withdraw consent.
- Lodge a complaint with your local data-protection authority.
Email privacy@codeshield.sh and we’ll respond within 30 days.
7. Security
- HTTPS-only, HSTS enforced, modern TLS.
- API keys stored as SHA-256 hashes, never in plaintext.
- Stripe is PCI DSS-certified; we never store card data.
- Rate limiting, CSRF protection, and strict CSP headers.
- Incident response: we will notify affected users within 72 hours of confirming a breach.
8. Cookies
We use a minimal set of cookies:
- Essential — authentication session, CSRF token, scan quota.
- Analytics (opt-in) — PostHog / Google Analytics to understand usage. You may disable these at any time via browser settings.
9. Children
The Service is not intended for children under 16. We do not knowingly collect data from minors.
10. Changes
We’ll update this page when something material changes and notify you in-app or via email when required.
11. Contact
Email privacy@codeshield.sh for any privacy-related request.