Privacy Policy

Last updated: June 25, 2026

This Privacy Policy explains how Vulnfrog LLC ("Vulnfrog," "we," "us") collects, uses, and shares information when you use the Vulnfrog service (the "Service"). Questions: team@vulnfrog.com.

1. Information We Collect

Account information. When you sign in with GitHub through our identity provider, we receive your GitHub identity (user ID, username, email address, and avatar) and verified email. We store an internal account record.

Repository and installation data. When you install our GitHub App, we receive the installation, the repositories you grant access to, and repository metadata (names, default branch, visibility).

Scan findings. We store findings produced by scans — file paths, line numbers, rule identifiers, severities, descriptions, OWASP categories, and AI-generated analysis. Detected secrets are redacted before storage. We store findings metadata, not your full source code.

Source code (transient). To run a scan, your repository is cloned into an isolated, ephemeral workspace, scanned, and deleted when the scan ends (including on failure). To analyze findings and propose fixes, relevant code context is transmitted to our AI subprocessor for processing.

Billing information. Payments are processed by Stripe. We do not store full payment-card numbers; we store a customer/subscription identifier and plan/billing status.

Usage and technical data. We log Service usage, scan activity, request metadata, and diagnostic logs to operate, secure, and improve the Service.

2. How We Use Information

We use information to: provide and operate the Service (scanning, findings, PR reviews, fix pull requests); authenticate you and manage accounts; process payments and manage subscriptions; communicate Service and account messages; monitor, secure, debug, and improve the Service; and comply with legal obligations.

We do not sell your information. We do not use your source code or Customer Content to train machine-learning models.

3. AI Processing

Findings analysis and fix generation use a third-party AI model provider (currently Fireworks AI). Relevant code context and finding details are sent to the provider to return analysis and proposed fixes. This data is processed only to provide the Service and is not used by us to train models. Fireworks operates under a zero-data-retention policy: prompt and generation data exist only in volatile memory for the duration of the request, are not written to persistent storage, are discarded after the response, and are not used to train its models. When prompt caching is active, cached prompt data may persist in volatile memory for several minutes. Fireworks logs only request metadata (such as token counts) needed to deliver the service.

4. How We Share Information

We share information only with service providers ("subprocessors") that help us run the Service, and as required by law or to protect rights and safety. Our subprocessors include:

Subprocessor   Purpose                                         Data
GitHub         Repository access, app installation, pull requests   Repo content (transient), identity, PR data
Clerk          Authentication                                  Identity, email
Stripe         Payments and subscriptions                      Billing identifiers, plan status
Fireworks AI   AI analysis and fix generation                  Code context, finding details
Railway        Application backend and database hosting        All stored data
Vercel         Frontend hosting                                Request data
Resend         Transactional email                             Email address

We may also disclose information in connection with a merger, acquisition, or sale of assets, subject to this Policy.

5. Data Retention

We retain account, findings, and billing records for as long as your account is active and as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Cloned source code is not retained beyond the scan. You may request deletion (Section 7).

6. Security

We use measures including isolated ephemeral scan environments, least-privilege GitHub App permissions, secret redaction, encryption in transit, and access controls. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

7. Your Rights and Choices

Depending on where you live (e.g., under CCPA/CPRA), you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. To exercise these rights, contact team@vulnfrog.com. You can also revoke the Service's access at any time from your GitHub settings, and uninstall the GitHub App. We do not sell your personal information, and we will not discriminate against you for exercising these rights.

8. International Transfers

We operate in the United States. If you access the Service from outside the US, your information may be processed in the US and other countries where our subprocessors operate.

9. Cookies

We use cookies and similar technologies necessary for authentication and session management.

10. Children

The Service is not directed to, and we do not knowingly collect personal information from, children under 13. If you believe a child provided us information, contact team@vulnfrog.com.

11. Changes

We may update this Policy. We will notify you of material changes in-product or by email, and the "Last updated" date will change.

12. Contact

Vulnfrog LLC — team@vulnfrog.com.