AppSafe

Privacy Policy

Last updated: June 8, 2026

1. Information We Collect

When you use AppSafe, we collect:

• Account information: Your name, email address, OAuth provider identifiers, and OAuth profile image when provided by Google or GitHub.
• Site data: URLs and domains you submit for scanning, along with domain verification tokens.
• Scan results: Security findings, scores, grades, scan timestamps, failure messages, and redacted indicators of exposed secrets generated from scanning your sites.
• Public report data: Shareable report tokens and the findings shown on public report URLs when you use report sharing features.
• Billing data: Stripe customer and subscription identifiers for paid plans. Payment card details are handled by Stripe and are not stored by AppSafe.
• Session data: We store your IP address and browser user agent string alongside each login session for authentication, security monitoring, and rate limiting purposes.

2. How We Use Your Information

• To provide and maintain the security scanning service.
• To verify ownership of sites you submit.
• To send service and account-related transactional emails.
• To enforce rate limits and prevent abuse.
• To investigate unauthorized scanning reports, service misuse, payment issues, and security incidents.
• To improve our scanning capabilities and service quality.

3. Data Storage and Security

Your data is stored in a PostgreSQL database. Authentication is handled through Google and GitHub OAuth. Sessions use secure, HTTP-only cookies. Secret findings are redacted before being stored or displayed, but scan results may still contain sensitive security context about your application. We do not sell your personal data.

4. Data Retention

Account data is retained for the lifetime of your account. Scan results are retained so you can track security improvements over time. You can delete your account and all associated application data (sites, scans, sessions, and reports) at any time from your dashboard. Account deletion is immediate and irreversible. Some limited records may remain where required for security, legal, tax, fraud-prevention, or payment dispute purposes.

5. Third-Party Services

We use the following third-party services:

• Resend: For sending service notifications and account-related transactional emails.
• Stripe: For checkout, subscription billing, invoices, and payment processing.
• Google and GitHub: For OAuth sign-in when you choose to use social login.
• Upstash Redis: For production rate limiting when configured.
• Hosting and database providers: For running the application and storing account, site, and scan data.

These providers may process data in countries other than your own. Where required, we rely on appropriate transfer safeguards provided by those services.

6. Cookies

We use essential cookies only for authentication (session tokens). We do not use analytics cookies, tracking pixels, or any third-party cookies. A single session cookie (better-auth.session_token) is set when you log in and removed when you log out or when it expires.

7. Your Rights

Under GDPR and similar regulations, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Delete your account and all associated data (available in your dashboard).
• Request export of your account, site, and scan data in a portable format by contacting us.
• Withdraw consent for data processing.
• Object to or restrict certain processing where applicable.

You can also contact us if a public report exposes information you believe should be removed.

8. Contact

For privacy-related requests, contact us at [email protected].

9. Changes

We may update this policy from time to time. We will notify you of significant changes via email.