Privacy Policy
Last updated: June 2026
1. Introduction
This Privacy Policy explains how SafeShip, Inc. ("Ship Safe," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use the Ship Safe security audit service at shipsafe.dev (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
Account Information
When you sign up via GitHub OAuth through our authentication provider (Clerk), we collect your name, email address, GitHub username, and profile image.
Repository Metadata
We collect repository names, branch information, commit hashes, and file paths referenced in scan findings. This metadata is necessary to display scan results and generate security reports.
Scan Results
Security findings, severity ratings, OWASP and CWE classifications, confidence scores, and code snippets referenced in findings are stored to power your dashboard and reports.
Billing Information
Payment details (credit card numbers, billing addresses) are collected and processed directly by Stripe. We do not store full payment card numbers on our servers. We retain your subscription tier, invoice history, and billing email.
Usage Data
We collect scan timestamps, API key usage metrics, and subscription tier information to operate and improve the Service.
3. Source Code: What We Do NOT Store
Ship Safe does not persist your source code. When a scan is triggered, we shallow-clone your repository into an isolated, sandboxed container with a 500 MB size cap and a 5-minute timeout. Once the scan completes, the cloned source code is immediately and permanently deleted. Source code is never written to our database, object storage, logs, or telemetry systems.
Only the scan findings (rule IDs, severity levels, file paths, and short code snippets referenced in findings) are retained. Raw source code is never available to Ship Safe staff or any third party after the scan window closes.
4. How We Use Your Data
- Run security scans — clone your repo, execute scanners, normalize findings, and grade your repository.
- Generate reports — produce PDF security reports and dashboard views of your scan history and findings.
- Create auto-fix PRs — for paid tiers, generate AI-powered code fixes and open pull requests on your repository.
- Process payments — manage your subscription and billing through Stripe.
- Send transactional emails — notify you of scan completions, new findings, and account activity.
- Improve the Service — analyze aggregate, anonymized usage patterns to improve scan accuracy and performance. We do not use your source code or findings to train AI models.
- Maintain security — monitor for abuse, debug errors, and maintain an audit trail of security-relevant actions.
5. Third-Party Processors
We share personal information with the following third-party service providers, each of which processes data solely for the purposes described below:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication and user management | United States |
| Railway | Application hosting and scan infrastructure | United States |
| Cloudflare (R2) | PDF report storage | United States |
| Stripe | Payment processing | United States |
| Anthropic | AI-powered code fix generation | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and performance tracking | United States |
We do not sell your personal information to any third party. We do not share your data with third parties for their own marketing purposes.
6. Data Retention and Deletion
We retain your account information and scan results for the duration of your active subscription plus 30 days. Source code is deleted immediately after each scan completes (see Section 3).
You may request deletion of your account and all associated data at any time by contacting privacy@shipsafe.dev or through your account settings. We will process deletion requests within 30 days.
You may also request a full export of your data (account information, scan results, findings, and audit logs) in a machine-readable format. Export requests are fulfilled within 30 days.
7. Cookies
Ship Safe uses only essential cookies required for authentication and session management, set by our authentication provider Clerk. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required because we do not use non-essential cookies.
8. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete personal data.
- Deletion — request erasure of your personal data (right to be forgotten).
- Restriction — request restriction of processing in certain circumstances.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact privacy@shipsafe.dev. We will respond within 30 days.
9. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and the categories of third parties with whom we share it.
- Right to Delete — you may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out — Ship Safe does not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights.
To submit a CCPA request, email privacy@shipsafe.dev with the subject line "CCPA Request." We will verify your identity and respond within 45 days.
10. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption at rest (AES-256-GCM) for sensitive credentials, TLS 1.2+ for all data in transit, isolated scan environments, role-based access control, and append-only audit logging. For full details, see our Trust page.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.