Legal

Privacy Policy

How BreachScope handles account data, scan data, logs, settings, and optional customer-supplied provider keys.

Last updated: May 20, 2026

Data We Collect

We collect account information, authentication records, project and repository metadata, scan records, findings, policy records, integration metadata, API key metadata, audit logs, settings, and support or security communications you send to us.

If you choose to save provider keys for workflows such as model-assisted analysis, web intelligence, notifications, or ticket routing, those keys are customer-supplied and encrypted before storage.

How We Use Data

  • Provide CLI authentication, dashboard access, project management, and scan ingestion.
  • Store findings, triage decisions, policy results, evidence exports, and audit history.
  • Run customer-enabled integrations with customer-owned credentials.
  • Protect the service through rate limiting, abuse prevention, monitoring, and security investigations.
  • Maintain documentation, legal notices, product quality, and operational support.

What We Do Not Do

We do not provide third-party service accounts or credentials. We do not intentionally publish dashboard, API, login, or CLI auth data to crawlers. We do not use saved provider keys for workflows you have not enabled.

Sharing And Providers

We may share data with infrastructure, authentication, database, analytics, email, hosting, storage, logging, security, and support providers that help operate BreachScope. Customer-enabled integrations may send selected findings or notifications to providers you configure.

Public product pages, legal pages, sitemap, robots policy, and AI-readable product files may be indexed. Private dashboard and API routes are disallowed for crawlers.

Retention And Deletion

Account records, scan records, findings, settings, and audit logs are retained while needed to provide the service, meet security needs, resolve disputes, comply with legal obligations, or preserve audit history. You can delete scan data in dashboard settings where the feature is available.

Security

API keys are hashed where they are used for authentication. Saved provider keys are encrypted at rest. Scan upload payloads are validated and size-limited. Sandbox scans exclude local environment files by default.

Your Choices And Rights

Depending on your location, you may have rights to access, correct, delete, restrict, export, object to processing, or withdraw consent where consent is the basis for processing. Contact the project maintainer or service operator listed in the repository for privacy requests.

Changes

We will update this policy when data practices materially change. New data uses should be reflected here before they begin.