
Privacy Policy

Last updated: 3 July 2026

The short version

We scan your code for security issues and explain what we find in plain English. To do that we temporarily clone your repo, scan it, and delete it. Scan results are stored encrypted and tied to your account. We don't sell your data. We don't read your code ourselves. If you label findings, we keep a small encrypted snippet to help improve detection — you can opt out.

1. Who we are

ShadowOps is a security scanner for AI-generated code. If you have questions about this policy or want to exercise your rights, contact us at privacy@shadowops.in.

2. What we collect

Account information

Data | Storage | Why
Email address | Encrypted (Fernet) + HMAC index | Account identification, transactional emails
Name (if provided) | Encrypted at rest | Display in the UI
Password | PBKDF2-SHA256 hash (never plain text) | Authentication
OAuth tokens (GitHub / GitLab / Bitbucket) | Encrypted at rest | Accessing connected repos on your behalf

Scan data

Data | Storage | Why
Repo URL or uploaded file reference | Encrypted at rest | Linking results to your account
Scan results (findings, score, verdict) | Encrypted at rest in MongoDB | Showing you your history
Files scanned, duration, scanners run | Encrypted at rest | Displaying scan metadata

Finding labels (optional)

If you mark a finding “Real issue” or “Not a problem,” we may store: the code snippet (max 500 characters, encrypted), the file extension, rule ID, category, severity, and your label. We do not store the repo URL, file path, or your email address with these labels. See Section 5 for how to opt out.

3. Your code: what we do and don't keep

This is the most important section for most users.

What happens during a scan:

  1. We clone your repo (or receive your upload) into an isolated, ephemeral sandbox.
  2. We run static analysis rules. We never execute your code.
  3. We store the findings encrypted in your account.
  4. The cloned repo is deleted immediately after the scan completes.

What we retain: findings (rule name, severity, affected file path, short snippet), the repo URL, and scan metadata (timestamp, score, verdict, file count, duration).

What we do not retain: your full source code, any file that wasn't flagged by a rule, or the values of secrets we detect as vulnerabilities (we report that they exist; we don't log their values).

4. How we protect your data

  • Encryption at rest: sensitive fields are encrypted with Fernet (authenticated symmetric encryption: AES-128-CBC with an HMAC-SHA256 tag) before being written to the database. The email address also gets an HMAC index so we can look up your account without decrypting stored addresses.
  • Password hashing: passwords are hashed with salted, iterated PBKDF2-SHA256. We store only the hash and cannot recover your password.
  • Transport: all traffic uses TLS.
  • OAuth tokens: used only to clone repos you've explicitly connected.

We take reasonable precautions — no system is perfectly secure and we won't overstate our protections. If we become aware of a breach affecting your data, we'll notify you.
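The storage scheme named in the Section 2 table and in the bullets above (Fernet-encrypted fields, an HMAC index for the email address, PBKDF2-SHA256 for passwords) is shown below as an added Python example. It is illustrative code written for this page, not ShadowOps's implementation; the key names, record layout, iteration count and email normalization rule are assumptions.

```python
"""Field encryption with a lookup index, PBKDF2 password storage.

Added illustration (not ShadowOps's own code) of the scheme the policy
names: Fernet for the stored value, an HMAC-SHA256 blind index so a row
can be found by email without decrypting every row, and PBKDF2-SHA256
for passwords. Key names, iteration count and record layout are
assumptions made for this example.
"""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

from cryptography.fernet import Fernet

# Assumed key material. In a real deployment these come from a secrets
# manager, never from source; they are generated here so the example runs.
FIELD_KEY = Fernet.generate_key()      # Fernet key (32 url-safe base64 bytes)
INDEX_KEY = secrets.token_bytes(32)    # separate key for the blind index
PBKDF2_ITERATIONS = 600_000            # assumed; OWASP guidance for PBKDF2-HMAC-SHA256

_fernet = Fernet(FIELD_KEY)


def normalize_email(email: str) -> str:
    """Canonicalize so 'Alice@Example.com ' and 'alice@example.com' index alike."""
    return email.strip().lower()


def email_index(email: str) -> str:
    """Deterministic HMAC-SHA256 of the normalized email.

    Stored beside the ciphertext and indexed in the database. Without
    INDEX_KEY, someone holding a database dump cannot recompute it to test
    guessed addresses, unlike a plain SHA-256 of the address.
    """
    digest = hmac.new(INDEX_KEY, normalize_email(email).encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def encrypt_field(value: str) -> str:
    """Fernet token: AES-128-CBC ciphertext plus HMAC-SHA256 tag, fresh IV per call."""
    return _fernet.encrypt(value.encode("utf-8")).decode("ascii")


def decrypt_field(token: str) -> str:
    """Verifies the tag before decrypting; a tampered token raises InvalidToken."""
    return _fernet.decrypt(token.encode("ascii")).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256 with a per-user random salt; the string format is an assumption."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def make_account(email: str, name: str, password: str) -> dict:
    """Build the row as it would be written: no plaintext email, name or password."""
    return {
        "email_idx": email_index(email),
        "email_enc": encrypt_field(email),
        "name_enc": encrypt_field(name),
        "password": hash_password(password),
    }


def find_by_email(rows: list, email: str) -> Optional[dict]:
    """Lookup touches only the index column; nothing is decrypted to search."""
    idx = email_index(email)
    return next((r for r in rows if hmac.compare_digest(r["email_idx"], idx)), None)


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    db = [make_account("Alice@Example.com", "Alice", "correct horse battery staple")]
    row = find_by_email(db, " alice@example.com")
    assert row is not None and decrypt_field(row["email_enc"]) == "Alice@Example.com"
    assert verify_password("correct horse battery staple", row["password"])
    assert not verify_password("wrong", row["password"])
    print("lookup by index, decrypt, and password check all succeeded")
```

The index key and the field key are deliberately separate: the index is a deterministic value the database can search on, so compromise of one key should not expose the other's protections, and the same email always produces the same index only after normalization, which is why the lookup above tolerates case and whitespace differences.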

5. Finding labels and opt-out

Labels help us distinguish real issues from false positives and improve accuracy for everyone. The stored data is minimal, encrypted, and not linked to your identity or repository.

To opt out: go to Settings → Privacy → Finding Labels and disable “Contribute labels to improve detection.” You can also email privacy@shadowops.in to request deletion of any labels already submitted.

6. Third parties

OAuth providers (GitHub, GitLab, Bitbucket): when you connect a repo, you authenticate through that provider's OAuth flow. Their privacy policies govern what they collect during that process.

AI enrichment: when enrichment is enabled, a code snippet and finding description may be sent to an AI language model provider to generate an improved explanation. See the enrichment settings for the specific provider in use.

We do not sell your data to any third party.

7. Retention and deletion

  • Account data: retained while your account is active.
  • Scan results: retained until you delete them or close your account.
  • Finding labels: retained until you opt out and request deletion, or close your account.
  • Cloned repos: deleted immediately after scan completion.
  • Account closure: email privacy@shadowops.in — we'll delete your data within 30 days.

8. Your rights

Depending on where you are, you may have rights to access, correct, export, or delete your personal data. To exercise any of these rights, contact privacy@shadowops.in. We'll respond within 30 days.

9. Children

ShadowOps is not directed at anyone under 16. We don't knowingly collect data from children. If you believe we have, contact us and we'll delete it.

10. Changes

If we make material changes, we'll update the “Last updated” date at the top and, for significant changes, notify you by email or in-app notice.