1. Information We Collect
When You Use Our Service
We collect the following information:
- URLs and Application Data: URLs you submit for scanning, GitHub repository URLs, and metadata about your applications
- Scan Results: Vulnerability findings, security issues detected, severity ratings, and recommended fixes
- Interaction Data: Features you use, buttons you click, time spent on the Service, and navigation patterns
- Technical Data: IP address, device type, browser type, operating system, and approximate location (city/country level)
When You Create an Account
To access paid services, we collect:
- Email address
- Name (optional)
- Company name (optional)
- GitHub username and profile information (if signing in via GitHub OAuth)
- Account preferences and settings
We use GitHub OAuth for authentication. We do not collect or store passwords.
Payment Information
Payment details are collected and processed by Stripe, our payment processor. We do not store complete credit card numbers, expiration dates, or CVV codes. Stripe stores this information according to their Privacy Policy and PCI compliance standards. We only store the last 4 digits of your card and billing address for your records.
Information from Public Sources
As part of our security research and outreach activities, we may collect publicly available information, including:
- Domain and Certificate Data: We monitor public Certificate Transparency (CT) logs to identify newly registered domains and websites
- Publicly Available Contact Information: We may collect business contact email addresses from publicly accessible website pages (e.g., contact pages, about pages), public WHOIS/RDAP records, and third-party business data providers
- Website Metadata: Publicly visible HTTP headers, technology stack indicators, and server information from publicly accessible websites
We only collect information that is publicly accessible. We do not access private systems, bypass authentication, or use deceptive means to obtain information.
Third-Party Integrations
If you connect third-party services to Egida (GitHub, Slack), we collect and store:
- GitHub API tokens (encrypted)
- Slack webhook URLs (encrypted)
- Repository and workspace metadata
2. Code Handling — CRITICAL
Your Code Is Never Stored or Persisted. This is central to our privacy commitment:
- Real-Time Processing Only: Application code is analyzed in-memory during the scan and deleted immediately after analysis completes
- No Persistence: Code is not written to disk, databases, or any persistent storage
- No Backup Copies: We do not retain backups or archives of scanned code
- No Training Data: Your code is not used to train AI models or improve our scanning engine
- No Sharing: Code is not shared with third parties, including Stripe, analytics services, or subprocessors
- Instant Deletion: After scan completion, code is immediately purged from memory
What we do store are the results of the scan — the vulnerabilities found, severity ratings, and fix recommendations. But the actual code itself is gone.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Scan applications, generate reports, send alerts, and manage your account
- Improve Scanning: Analyze patterns in detected vulnerabilities (without storing the code) to improve our detection algorithms
- Billing and Payments: Process subscriptions, send invoices, and detect fraud
- Communication: Send service updates, security notices, and billing notifications
- Security Outreach: Contact website owners about publicly visible security issues we have identified through passive scanning (see Section 3a below)
- Support: Respond to your questions and troubleshoot issues
- Analytics: Understand how users interact with our Service to improve features and user experience
- Legal Compliance: Comply with applicable laws, regulations, and legal obligations
3a. Security Outreach Program
Egida operates a security outreach program in which we:
- Monitor public Certificate Transparency logs to discover newly launched websites
- Perform passive, non-intrusive security scans of publicly accessible websites (checking HTTP headers, DNS records, TLS configuration, and publicly accessible paths only)
- Identify publicly available contact information for website owners
- Send a single informational email notifying the website owner of any security issues found, with a link to our free scanning tool
Legal basis (GDPR): We process this data under the legitimate interest basis (Article 6(1)(f) GDPR). Our legitimate interest is to notify website owners of publicly visible security misconfigurations that may put their business and users at risk. We have conducted a Legitimate Interest Assessment and concluded that the benefit to the data subject (learning about security issues on their site) outweighs any minimal intrusion from receiving a single relevant email.
Your rights: You can opt out of these communications at any time by clicking the unsubscribe link in the email or contacting us at [email protected]. We maintain an active suppression list and will never contact you again after an unsubscribe request. We send a maximum of one initial email and one follow-up. We do not sell or share the contact information collected for outreach with any third parties.
Scanning ethics: Our passive scans do not attempt authentication, do not inject payloads, do not crawl beyond publicly accessible pages, and do not store content from any paths checked. We identify ourselves via our User-Agent header. We make a maximum of 15 requests per domain with a minimum of 500ms between requests.
4. Data Sharing
We do not sell, trade, or rent your personal data to third parties. However, we may share information with:
- Stripe: Payment processor. We share billing information (name, email, billing address, last 4 digits of card) necessary to process payments. Stripe's Privacy Policy governs their handling of payment data.
- Cloud Hosting Providers: We use secure cloud infrastructure to host our Service. Hosting providers have access to data in transit but are bound by strict data processing agreements
- Slack and GitHub: Only if you explicitly connect these services to Egida. We share minimal data necessary for integration (webhook confirmations, scan alerts)
- Legal Authorities: If required by law, court order, or government request, we may disclose information. We will notify you unless prohibited by law
All third-party service providers are contractually required to protect your information and use it only for the purposes we specify.
5. Data Security
We implement security measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers uses TLS/SSL encryption (HTTPS)
- Encryption at Rest: Sensitive data (API tokens, payment info) is encrypted in our database
- Authentication: We use GitHub OAuth for user authentication. We do not store passwords
- Access Controls: Access to user data is restricted and logged
- API Token Management: Third-party API tokens (GitHub) are encrypted before storage
While we take reasonable steps to protect your data, no system is completely secure. We encourage you to use strong credentials and enable two-factor authentication on your GitHub account.
6. Data Retention
- Scan Results: Retained while your account is active. After account deletion, scan results are deleted within 30 days
- Code: Never retained. Deleted immediately after scan completes
- Account Data: Retained while your account is active. Upon account deletion, we delete account data within 30 days, except where required by law
- Payment Records: Retained for 7 years for tax and accounting purposes (required by law)
- Logs: Server logs (IP addresses, request metadata) are retained for 90 days for security and troubleshooting purposes
- Outreach Data: Contact information collected for security outreach is retained for up to 12 months. If you unsubscribe, your email is moved to our suppression list (retained indefinitely to ensure we never contact you again) and all other outreach data about your domain is deleted within 30 days
- Suppression List: Email addresses that have unsubscribed are retained indefinitely to prevent future contact
You may request deletion of your data at any time by contacting [email protected].
7. Your Rights
Depending on your location, you may have the following rights:
GDPR Rights (EU, EEA, UK Residents)
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Data Portability: Request your data in a portable format to transfer to another service
- Right to Object: Object to certain types of data processing
- Right to Lodge a Complaint: File a complaint with your local data protection authority
CCPA Rights (California Residents)
- Right to Know: Request what personal information we collect, use, and share
- Right to Delete: Request deletion of personal information we have collected
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do not sell data, so this applies minimally)
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use: Limit use and disclosure of sensitive personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise any of these rights, contact us at [email protected] with "Data Request" in the subject line. We will respond within 30 days (45 days for GDPR).
8. Cookies and Tracking
We use minimal cookies and tracking:
- Session Cookies: Required for login and account functionality. Automatically deleted when you log out
- Analytics Cookies: We use minimal analytics to understand how users interact with our Service. No third-party ad trackers
- No Advertising Cookies: We do not use advertising networks or share data with ad platforms
You can disable cookies in your browser settings, but some features may not work properly. We do not use any cookie walls or require cookies for basic Service access.
9. Third-Party Services
Stripe (Payment Processing)
Stripe processes payments and may collect additional data. See Stripe's Privacy Policy for their practices. We only share data necessary for payment processing.
GitHub Integration
If you connect GitHub, we request permission to read repository metadata and register webhooks for push events. We do not store your GitHub code; we only trigger scans when you push. GitHub's Privacy Policy governs their data handling.
Slack Integration
If you connect Slack, we store an encrypted webhook URL to send scan alerts. We only send scan results (vulnerability summaries, not code) to your Slack workspace.
Analytics
We may use privacy-respecting analytics tools to understand Service usage patterns. These tools do not track individual users across websites or serve advertisements.
10. Children's Privacy
The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we discover we have collected information from a child under 13, we will delete it immediately. If you believe we have collected information from a child under 13, please contact [email protected].
11. International Data Transfers
If you are located outside the United States, your data may be transferred to, stored in, and processed in the United States or other countries where our infrastructure is located. By using the Service, you consent to such transfers. We implement appropriate safeguards, including Standard Contractual Clauses, to protect your information during international transfers.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on the website and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us at:
Email: [email protected]
Postal Address: Egida LLC, Needham, MA 02492, USA
14. Data Protection Officer
For EU/UK residents with privacy concerns or to make a data subject request, you may also contact our Data Protection Officer at [email protected].