Privacy Policy

1. Information We Collect

Account Information

When you create an account or use the Services, we may collect:

• your email address
• your name (if provided)
• organization or company name
• your Supabase Auth user ID
• account status and access permissions

This allows us to create and manage your account, authenticate access, and provide support.

GitHub Installation Metadata

When you install the Kleared GitHub App, we collect:

• GitHub account or organization login
• GitHub installation ID
• repository names and metadata for repositories you authorize
• installation permissions and access scope
• repository connection status

We do not request or store personal GitHub access tokens.

We only access repositories you explicitly authorize.

Scan Results and Security Findings

When scans are performed, we may collect and store:

• findings and rule results
• severity levels
• affected file paths
• line numbers
• code snippets necessary to identify findings
• generated diffs and remediation suggestions
• pull request metadata
• scan history and verification status
• badge verification state

We do not retain full source code beyond the operational requirements of the scan itself.

Limited code snippets necessary for findings, reports, debugging, and pull request generation may be retained as part of scan records.

Billing Information

For paid plans, we collect:

• Stripe customer ID
• subscription status
• billing period dates
• plan tier
• invoice and payment status

We do not store full payment card information.

Payment information is processed and stored by Stripe in accordance with their own policies.

Audit Logs

We store operational and security logs including:

• account activity
• repository connection events
• scan events
• badge issuance and revocation events
• billing-related events
• significant administrative actions

This helps us operate the platform, investigate issues, prevent fraud, and maintain internal compliance records.

Email Logs

We store:

• recipient address
• email delivery status
• message IDs
• send timestamps

This is used for support, operational communications, and delivery troubleshooting.

Email delivery is handled by Resend.

Product Analytics and Error Reporting

We may collect limited usage and diagnostic information including:

• feature usage patterns
• session events
• product interactions
• anonymized performance data
• crash reports and error logs
• browser and device metadata

This helps us improve product quality, reliability, and user experience.

We use providers such as PostHog and Sentry for this purpose.

We do not use behavioral advertising trackers.

2. What We Do Not Store

We do not intentionally store:

• your full source code after scan completion
• your GitHub personal access tokens
• your Supabase service role key
• your full payment card numbers
• unnecessary personal information we do not need to operate the Services

If temporary operational storage occurs during scans, it is limited to what is necessary to provide the Services.

3. How We Use Information

We use collected information to:

• provide and operate the Services
• authenticate users and manage accounts
• run repository scans and generate findings
• create remediation pull requests
• issue and revoke verification badges
• process payments and subscriptions
• provide customer support
• improve product functionality and security
• prevent abuse, fraud, and unauthorized access
• comply with legal obligations
• enforce our Terms of Service
• protect our business, users, and platform integrity

We may also use aggregated and anonymized data to improve our systems, scanners, and internal security models.

4. Where Data Lives

Our infrastructure currently includes:

• Supabase (Postgres database and authentication)
• Amazon Web Services (including aws-us-east-1 infrastructure)
• Railway (worker-side compute)
• Resend (transactional email)
• Stripe (billing and subscriptions)
• Sentry (error reporting)
• PostHog (anonymous analytics)

These providers process data only as necessary for service operation.

We may change providers over time without separately updating this list so long as the use remains consistent with this Privacy Policy.

5. Sharing of Information

We do not sell personal data.

We do not run advertising networks.

We do not share your scan results outside your authorized organization except:

• with service providers required to operate the Services
• when required by law, subpoena, court order, or government request
• when necessary to investigate fraud, abuse, security incidents, or legal violations
• in connection with a merger, acquisition, financing, restructuring, or sale of assets
• to protect the rights, safety, and operations of Kleared, our users, or the public

If ownership of Kleared changes, user data may be transferred as part of that transaction.

6. Data Retention

We retain information for as long as reasonably necessary to:

• provide the Services
• maintain account functionality
• satisfy billing and tax obligations
• investigate abuse or fraud
• comply with legal obligations
• protect platform security
• enforce our legal rights

Retention periods may vary by data type.

Audit and security logs may be retained longer where reasonably necessary for fraud prevention, legal defense, or compliance purposes.

We may retain backup copies for a limited period after deletion.

7. Deletion Requests

To request deletion, email hello@kleared.app from the email address associated with your account.

We will use reasonable efforts to delete your organization data, memberships, findings, scans, and badge records within a commercially reasonable timeframe.

Some records may be retained temporarily for:

• fraud prevention
• security investigations
• billing reconciliation
• legal compliance
• dispute resolution
• backup system expiration

Deletion requests do not apply where retention is legally required or reasonably necessary to protect our business interests.

8. Cookies

We use:

• strictly necessary cookies for authentication and session management
• limited analytics cookies for product improvement where enabled

We do not use third-party advertising cookies.

Anonymous analytics may be enabled through PostHog depending on deployment configuration.

9. Security

We use reasonable administrative, technical, and operational safeguards to protect data.

However, no system is completely secure.

We cannot guarantee absolute security of data, repositories, transmissions, or storage systems, and use of the Services is at your own risk.

You remain responsible for your own security controls, access permissions, credential management, and production review processes.

10. International Use

If you use the Services from outside the United States, you understand that your information may be processed and stored in the United States and other jurisdictions where our providers operate.

These jurisdictions may have different privacy protections than your local laws.

11. Children

The Services are intended for businesses and professional users and are not directed to children under 13.

We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time.

If we do, we will update the effective date at the top of this page.

Continued use of the Services after updates become effective constitutes acceptance of the revised Privacy Policy.

13. Contact

Questions regarding privacy may be sent to:

hello@kleared.app