Privacy Policy
Last updated: [DATE]
Your privacy matters to us. This policy explains exactly what information RepoFort collects, why we collect it, and how we protect it. We've written this in plain English so you can actually understand it.
1. Who This Policy Applies To
This Privacy Policy applies to all users of RepoFort ("we", "us", "our"), operated by [YOUR NAME / COMPANY NAME]. By using our service, you agree to the practices described in this policy.
2. What Information We Collect
2.1 Information you give us directly
When you create an account:
- Your email address
- Your password (stored securely — we never see it in plain text; only a hash produced by an industry-standard password-hashing algorithm is stored)
- Your name (optional, if you choose to provide it)
When you create a project:
- The GitHub repository URL you want to scan
- The live URL of your application
- A project name and description you provide
2.2 Information generated by using our service
When you run scans:
- The security findings identified in your code or on your live URL (headers, misconfigurations, vulnerability patterns)
- Your security scores and scan history
- Timestamps of when scans were run and completed
When you use our website:
- Your IP address
- Browser type and version
- Pages you visit and time spent on them
- Referring URL (how you found us)
2.3 Information we do NOT collect
We want to be explicit about what we do not store:
- We do not store the actual source code from your repositories — we fetch it temporarily to scan it and do not retain a copy
- We do not store the full content of web pages we scan — only the security headers and relevant response metadata
- We do not store raw secrets or credentials found during scans — we detect and flag that they exist but redact the actual values before storing
- We do not sell your data to anyone, ever
- We do not use your scan results to train AI models
3. How We Use Your Information
We use your information only to provide and improve RepoFort:
- To run your scans. We use your project URLs and repository links to fetch and analyze your applications. Scan results are stored in your account so you can review them.
- To operate your account. Your email address is used to log you in, send confirmation emails, and contact you about your account when necessary.
- To improve the service. Aggregated, anonymized usage data (never individual scan results) helps us understand which features are useful and where we can do better.
- To keep the service secure. IP addresses and activity logs help us detect and prevent abuse, unauthorized access, and policy violations.
- To communicate with you. If you opt in to notifications, we may send you scan completion emails or security digests. You can unsubscribe at any time.
We do not use your data for advertising, and we do not share it with third parties for their marketing purposes.
The sections below are standard placeholders provided for convenience and are not legal advice. Review and adapt them with qualified counsel before publishing.
4. Data Sharing and Third Parties
We do not sell your personal information. We share your data with third parties only where strictly necessary to operate the service:
- Hosting and infrastructure — our cloud provider stores your account data and scan results on our behalf
- Authentication — we use Supabase to manage account creation and login; they process your email and password hash
- Payment processing (Pro plan) — if you upgrade, payments are handled by Stripe; we never see or store your full card details
All third-party providers are bound by data processing agreements and are prohibited from using your data for their own purposes.
5. Data Retention
We keep your account data and scan results for as long as your account is active. If you delete your account, we will delete your personal data and scan history within [X] days. Anonymized, aggregated usage statistics may be retained indefinitely.
6. How We Protect Your Data
We use industry-standard security practices to protect your information, including encrypted connections (HTTPS), hashed passwords, and access controls that limit who on our team can access production data. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security — but we take it seriously.
7. Your Rights and Choices
Depending on where you live, you may have rights over your personal data, including:
- Access — request a copy of the data we hold about you
- Correction — ask us to fix inaccurate data
- Deletion — ask us to delete your account and associated data
- Portability — request your data in a machine-readable format
- Opt-out of marketing emails — use the unsubscribe link in any email we send
To exercise any of these rights, contact us at [SUPPORT EMAIL]. We will respond within 30 days.
9. Children's Privacy
RepoFort is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at [SUPPORT EMAIL] and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
11. Contact
Questions about this Privacy Policy or how we handle your data? Contact us at [SUPPORT EMAIL].
See also our Terms of Service.