Privacy Policy
Last updated: 3 July 2026
The short version
We scan your code for security issues and explain what we find in plain English. To do that we temporarily clone your repo, scan it, and delete it. Scan results are stored encrypted and tied to your account. We don't sell your data. We don't read your code ourselves. If you label findings, we keep a small encrypted snippet to help improve detection — you can opt out.
1. Who we are
ShadowOps is a security scanner for AI-generated code. If you have questions about this policy or want to exercise your rights, contact us at privacy@shadowops.in.
2. What we collect
Account information
| Data | Storage | Why |
|---|---|---|
| Email address | Encrypted (Fernet) + HMAC index | Account identification, transactional emails |
| Name (if provided) | Encrypted at rest | Display in the UI |
| Password | PBKDF2-SHA256 hash — never plain text | Authentication |
| OAuth tokens (GitHub / GitLab / Bitbucket) | Encrypted at rest | Accessing connected repos on your behalf |
Scan data
| Data | Storage | Why |
|---|---|---|
| Repo URL or uploaded file reference | Encrypted at rest | Linking results to your account |
| Scan results (findings, score, verdict) | Encrypted at rest in MongoDB | Showing you your history |
| Files scanned, duration, scanners run | Encrypted at rest | Displaying scan metadata |
Finding labels (optional)
If you mark a finding “Real issue” or “Not a problem,” we may store: the code snippet (max 500 characters, encrypted), the file extension, rule ID, category, severity, and your label. We do not store the repo URL, file path, or your email address with these labels. See Section 5 for how to opt out.
3. Your code: what we do and don't keep
This is the most important section for most users.
What happens during a scan:
- We clone your repo (or receive your upload) into an isolated, ephemeral sandbox.
- We run static analysis rules. We never execute your code.
- We store the findings encrypted in your account.
- The cloned repo is deleted immediately after the scan completes.
What we retain: findings (rule name, severity, affected file path, short snippet), the repo URL, and scan metadata (timestamp, score, verdict, file count, duration).
What we do not retain: your full source code, any file that wasn't flagged by a rule, or the values of secrets we detect as vulnerabilities (we report that they exist; we don't log their values).
4. How we protect your data
- Encryption at rest: sensitive fields are encrypted with Fernet symmetric encryption before being written to the database.
- Password hashing: passwords are hashed with PBKDF2-SHA256. We cannot recover your password.
- Transport: all traffic uses TLS.
- OAuth tokens: used only to clone repos you've explicitly connected.
We take reasonable precautions — no system is perfectly secure and we won't overstate our protections. If we become aware of a breach affecting your data, we'll notify you.
5. Finding labels and opt-out
Labels help us distinguish real issues from false positives and improve accuracy for everyone. The stored data is minimal, encrypted, and not linked to your identity or repository.
To opt out: go to Settings → Privacy → Finding Labels and disable “Contribute labels to improve detection.” You can also email privacy@shadowops.in to request deletion of any labels already submitted.
6. Third parties
OAuth providers (GitHub, GitLab, Bitbucket): when you connect a repo, you authenticate through that provider's OAuth flow. Their privacy policies govern what they collect during that process.
AI enrichment: when enrichment is enabled, a code snippet and finding description may be sent to an AI language model provider to generate an improved explanation. See the enrichment settings for the specific provider in use.
We do not sell your data to any third party.
7. Retention and deletion
- Account data: retained while your account is active.
- Scan results: retained until you delete them or close your account.
- Finding labels: retained until you opt out and request deletion, or close your account.
- Cloned repos: deleted immediately after scan completion.
- Account closure: email privacy@shadowops.in — we'll delete your data within 30 days.
8. Your rights
Depending on where you are, you may have rights to access, correct, export, or delete your personal data. To exercise any of these rights, contact privacy@shadowops.in. We'll respond within 30 days.
9. Children
ShadowOps is not directed at anyone under 16. We don't knowingly collect data from children. If you believe we have, contact us and we'll delete it.
10. Changes
If we make material changes, we'll update the “Last updated” date at the top and, for significant changes, notify you by email or in-app notice.