- 01No trackers. Zero analytics or advertising cookies — a handful of strictly-necessary ones keep sign-in and bot protection working.
- 02Your code is processed to audit it. Scan working copies are deleted the moment a scan ends, and your code is never used to train AI models.
- 03We store the minimum. Our own database keeps your user id and email; your name and avatar stay with the auth provider.
- 04Nothing is sold. No selling or renting personal information, ever — and we honor Global Privacy Control.
- 05Short memories. The security activity log purges itself after 30 days; deleting a project deletes its scans and findings.
This policy explains what UNPWND Inc., a Canadian federal corporation (“unpwnd,” “we,” “us”), collects when you use unpwnd.com and the unpwnd service (the “Service”), why, who it’s shared with, and the choices you have.
01Who we are, and whose data this covers#
UNPWND Inc., a Canadian federal corporation, operates unpwnd. For visitor, account, billing, and communications data, we are the data controller (and the organization accountable for it under Canada’s PIPEDA).
Your repositories are different. When you connect a repository, its contents — including any personal data inside it — are processed on your instructions to produce your audit results. For that data, you are the controller and we act as your processor. If you need a data processing agreement (DPA), contact [email protected].
02What we collect#
Account. When you sign up (via our authentication provider, Clerk), Clerk handles your name, avatar, and sign-in identity (e.g., GitHub). Our own database stores just your user id and email address, plus the internal account and workspace identifiers we assign.
Workspaces and teams. Workspace names, member roles, and — when you invite someone — the invitee’s email address and the inviter’s identity.
Repositories and scan data. Repository names and metadata for the repositories you connect; scan configuration and history; and the findings the Service produces. Repository contents are fetched into a temporary working copy for the duration of a scan and deleted when it ends; findings keep the minimal context needed to locate and explain each issue — file paths, line references, and short code excerpts (with detected secrets masked). If you enable GitHub issue sync, findings (including those excerpts) are also written to your repository’s issue tracker at your direction.
Billing. Your plan, credit balance and usage ledger, and Stripe customer and subscription identifiers. Payments are processed by Stripe — we never see or store full card numbers.
Communications and forms. What you submit through our public forms: newsletter subscription (email), support requests (name, email, topic, message), and job applications (name, email, optional phone, GitHub/portfolio links, and your written answers).
Technical and security data. IP address and user-agent, used for rate limiting and abuse prevention (rate-limit counters are held in memory only); security-relevant product events (e.g., sign-ins, invites, plan changes) recorded in an activity log together with the reported IP and user-agent, and purged automatically after 30 days.
We don’t collect more than this, and the Service has no advertising SDKs or third-party analytics scripts.
03How we use it#
- Provide the Service — run the audits you request, show findings, manage workspaces and access, process payments and credits.
- AI analysis — during a scan, repository contents read by the audit agents are processed by our AI subprocessor to produce findings. Under our agreement with the provider, your code is not used to train their models. (Pre-scan cost estimates are computed locally and send nothing to the AI provider.)
- Security and abuse prevention — rate limiting, bot protection, activity logging, incident investigation.
- Communications — transactional email (invites, receipts, scan and billing notices), replies to your support requests, and the newsletter you asked for (every issue includes unsubscribe).
- Improving the Service — aggregate, de-identified usage measures (e.g., scan volume). We do not profile you and we do not sell personal information.
04Legal bases (EEA/UK visitors)#
Where the GDPR applies, we rely on: contract (providing the Service you signed up for), legitimate interests (securing the Service, preventing abuse, improving it in ways you’d reasonably expect), consent (newsletter; any optional cookies, if we ever introduce them), and legal obligation (tax and accounting records).
05Who we share it with#
We share personal data only with the providers below, only for the purposes shown, under contracts that restrict their use of it. We do not sell or rent personal information to anyone.
| Provider | Purpose | What they process |
|---|---|---|
| Clerk | Authentication and sessions | Name, email, avatar, sign-in identifiers, auth cookies |
| GitHub | Source-code hosting integration | Repository access via the app installation you control |
| Anthropic | AI analysis engine for audits | Repository contents read during a scan; not used for model training |
| Stripe | Payments, subscriptions, invoices | Name, email, payment details (held by Stripe), billing history |
| Resend | Transactional email + newsletter | Recipient email addresses and message content |
| Cloudflare | Bot protection (Turnstile) on public forms | Connection metadata + reported IP during challenge verification |
| Railway | Application hosting and databases | All Service data, encrypted in transit and at rest |
We may also disclose information if the law requires it, to protect the Service and its users, or as part of a merger or acquisition (we’d notify you of a change in ownership).
06Cookies#
We use a small set of first-party cookies, and no advertising or tracking cookies at all.
Strictly necessary — required for the site to function
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
__session, __client_uat | Clerk | Keeps you signed in; session security | Session – 1 year |
unpwnd_consent | unpwnd | Remembers your cookie choices | 12 months |
| Challenge cookies | Cloudflare | Bot protection where the Turnstile widget appears | Minutes–session |
Functional — remember your in-product choices
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
unpwnd_active_ws | unpwnd | Remembers which workspace you last used | Session; 12 months with functional consent |
pw_seen | unpwnd | Remembers you’ve dismissed the first-run plans screen | Session; 12 months with functional consent |
We also use browser localStorage for small UI preferences (e.g., panel width, per-project “don’t ask again” flags). These stay on your device and are never transmitted.
Analytics — none. We currently set no analytics cookies. If we ever introduce product analytics, they will stay off unless you opt in through the cookie preferences.
You can change your choices any time via Cookie settings in the footer, and we honor the Global Privacy Control signal. Blocking strictly necessary cookies in your browser will break sign-in.
07How long we keep things#
| Data | Retention |
|---|---|
| Account & workspaces | Until deletion — projects and workspaces delete in-product (removing their scans, findings, and notifications); account deletion on request |
| Repository contents | Duration of a scan only; the working copy is deleted when the scan ends |
| Findings & scan history | Until you delete the project or workspace |
| Team invitations | Expire after 7 days |
| Activity (audit) log | 30 days, purged daily |
| Billing records | As long as tax and accounting law requires |
| Support requests | Handled by email; retained up to 24 months |
| Job applications | 12 months, then deleted |
| Newsletter subscription | Until you unsubscribe |
08Security#
Security is the product, and it’s how we run it: encryption in transit (TLS) and at rest, least-privilege repository access through the hosting provider’s app-installation model (read-only contents and metadata; issue-write only if you enable issue sync), scoped short-lived tokens, hardened public endpoints (rate limiting, bot protection), and internal access limited to what operating the Service requires. No provider can promise perfect security — if we confirm an incident affecting your data, we will notify you without undue delay.
09International transfers#
We are a Canadian company; our subprocessors process data primarily in the United States. Wherever your data is processed, it gets the protections described in this policy and our subprocessor contracts. For EEA/UK data: Canada holds EU and UK adequacy decisions for commercial organizations, and onward transfers to our subprocessors rely on appropriate safeguards such as Standard Contractual Clauses.
10Your rights and choices#
You can update account details in Settings, and delete projects and workspaces in the product (which deletes their scans and findings). To delete your entire account, contact us and we’ll complete it promptly.
Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent (like unsubscribing). Under Canada’s PIPEDA you may access and correct your personal information and complain to the Office of the Privacy Commissioner of Canada. EEA/UK residents can also complain to their supervisory authority. California residents: we do not sell or “share” personal information as the CCPA/CPRA defines those terms, and we don’t use sensitive personal information beyond providing the Service; you may exercise access, deletion, and correction rights without discrimination.
To exercise any of these, email [email protected]. We’ll verify the request and respond within the legally required time.
If personal data inside a customer’s repository concerns you, we’ll refer your request to that customer (the controller) and assist them as their processor.
11Children#
The Service is for adults and businesses. It is not directed at children under 16, and we don’t knowingly collect their data; if you believe a child has provided us personal data, contact us and we’ll delete it.
12Changes to this policy#
We’ll update this policy as the Service evolves. Material changes get at least 14 days’ notice (email or in-product) before taking effect, and every version shows its effective date.
13Contact#
UNPWND Inc. — a Canadian federal corporation
[email protected] · [email protected]