This policy explains what allclear ("we", "us") collects, how we use it, and the choices you have. allclear is a security scanner for web apps. We have built it to hold as little of your data as possible.
What we collect
Your email address, which you confirm with a one-time code. We use it to log you in and to send your scan reports.
Scan results: the domain or repository you scanned, the findings, the severity, and the letter grade. This is what powers your scan history and fix verification.
GitHub connection (only if you connect a repo): the installation identifier and your account name, so we can run repo scans you request. We do not receive your GitHub password.
Payment records (only if you upgrade): the payment and order identifiers returned by our payment provider. We never see or store your card details.
A session token stored in your browser's local storage to keep you signed in. We do not use advertising or tracking cookies.
What we do not store
Your source code. When you connect a repo, we read it in memory only long enough to scan it, then discard it. It is never written to our servers, never used to train anything, and never shared.
The full value of any secret we find. Secrets are masked in the report (for example, sk_l••••••aaaa).
Passwords or credentials for the sites you scan. The free surface scan needs none, and the deep scan reads only what is publicly served.
How we use your data
To run the scans you request and email you the report.
To show you your scan history and tell you whether a fix worked on a re-scan.
To process a one-time upgrade payment, if you choose to make one.
To understand overall usage (counts of users and scans) so we can improve the product.
Who we share it with
We do not sell your data. We use a small set of service providers to operate allclear, and share only what each needs:
Resend, to deliver confirmation codes and report emails.
Razorpay and PayPal, to process payments.
GitHub, to read repositories you explicitly connect (read-only).
OSV.dev (Google's Open Source Vulnerabilities database), to look up known vulnerabilities for your dependency names and versions.
DigitalOcean and Vercel, who host our backend and website.
How long we keep it
We keep your account and scan results for as long as your account is active or as needed to provide the service. You can ask us to delete all of your data at any time by emailing us (see below), and we will remove it.
Security
Access to your code and sites is read-only. Secrets are masked. Data is transmitted over HTTPS. We aim to collect the minimum needed to run the service.
Your rights
You can ask us to show you the data we hold about you, correct it, or delete it. Email us and we will act on it. If you are in a region with data protection laws (for example India's DPDP Act or the GDPR), those rights apply to you.
Children
allclear is for developers and businesses and is not intended for anyone under 18.
Changes
If we change this policy, we will update the date above and, for significant changes, let you know by email.