Privacy Policy
Last updated: October 27, 2025
At NPM Scan, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Authentication credentials (managed by Clerk)
- Account creation date
- Subscription status and plan type
1.2 GitHub Data
When you connect your GitHub account, we collect:
- GitHub access tokens (stored encrypted with AES-256-GCM)
- Repository names and metadata
- Organization names and memberships
- Contents of package.json files in selected repositories
- Repository structure (for monorepo support)
We do NOT collect or store your actual source code, commit history, or any files other than package.json files necessary for dependency analysis.
1.3 Payment Information
Payment information is processed by Stripe, our third-party payment processor. We store:
- Stripe customer ID
- Subscription ID
- Payment status and history
- Last 4 digits of payment method (provided by Stripe)
We do NOT store full credit card numbers, CVV codes, or other sensitive payment details. All payment data is handled securely by Stripe in compliance with PCI-DSS standards.
1.4 Usage Data
We automatically collect:
- Scan history (repositories scanned, timestamps, results)
- Vulnerability detection data
- Repository health scores
- Feature usage statistics
- Error logs and diagnostic data
1.5 Technical Data
When you use our service, we may collect:
- IP address
- Browser type and version
- Device information
- Operating system
- Referring URLs
- Pages visited and actions taken
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain the service
- Scan your repositories for dependency vulnerabilities
- Process payments and manage subscriptions
- Send you service-related notifications
- Respond to your support requests
- Improve and optimize the service
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
- Send you marketing communications (with your consent)
3. Third-Party Services
We use the following third-party services to operate NPM Scan:
3.1 Clerk (Authentication)
We use Clerk for user authentication and account management. Clerk may collect and process:
- Email address and name
- Authentication data
- Session information
Privacy Policy: https://clerk.com/legal/privacy
3.2 Stripe (Payments)
We use Stripe to process payments. Stripe collects and processes:
- Payment card information
- Billing address
- Transaction data
Privacy Policy: https://stripe.com/privacy
3.3 GitHub API
We use the GitHub API to access repository data. GitHub may log API requests. We only request the minimum necessary permissions to perform dependency scanning.
Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
3.4 Vercel (Hosting)
Our service is hosted on Vercel, which may collect technical data such as IP addresses and request logs.
Privacy Policy: https://vercel.com/legal/privacy-policy
3.5 MongoDB Atlas (Database)
We use MongoDB Atlas to store application data. All data is encrypted at rest and in transit.
Privacy Policy: https://www.mongodb.com/legal/privacy-policy
4. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All GitHub tokens are encrypted using AES-256-GCM encryption before storage
- HTTPS: All data transmission uses TLS/SSL encryption
- Access Control: Strict authentication and authorization checks
- Database Security: MongoDB Atlas with encryption at rest
- API Security: Rate limiting and CRON secret protection
- Regular Audits: We regularly review our security practices
For more details about our security practices, visit our Security page.
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
5. Data Retention and Deletion
5.1 How Long We Keep Your Data
We retain your data:
- Account data: Until you delete your account
- Scan history: For the duration of your subscription
- Payment records: As required by law (typically 7 years)
- GitHub tokens: Until you revoke access or delete your account
- Logs: Up to 90 days for debugging and security purposes
5.2 How to Delete Your Data
You can request deletion by:
- Deleting your account through account settings
- Contacting us at nicktheodoulou96@gmail.com
Upon deletion, we will remove your personal data within 30 days, except where we are required by law to retain certain information (e.g., payment records for tax purposes).
6. Your Rights (GDPR & CCPA)
Depending on your location, you may have the following rights:
6.1 European Users (GDPR)
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion of your data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to certain data processing
- Right to Withdraw Consent: Withdraw previously given consent
6.2 California Users (CCPA)
- Right to know what personal data is collected
- Right to know if personal data is sold or shared
- Right to opt out of the sale of personal data
- Right to request deletion of personal data
- Right to non-discrimination for exercising your rights
Note: We do NOT sell your personal data to third parties.
6.3 How to Exercise Your Rights
To exercise any of these rights, contact us at nicktheodoulou96@gmail.com. We will respond to your request within 30 days.
7. Cookies and Tracking
7.1 Essential Cookies
We use essential cookies required for the service to function:
- Authentication session cookies (managed by Clerk)
- CSRF protection tokens
- Load balancing cookies
7.2 Analytics Cookies (Optional)
We may use analytics services to understand how users interact with our service. If implemented, we will:
- Request your consent before setting analytics cookies
- Provide an opt-out mechanism
- Use privacy-friendly analytics tools when possible
7.3 Managing Cookies
You can control cookies through your browser settings. However, disabling essential cookies may impact the functionality of the service.
8. Children's Privacy
Our service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete it.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your own. These countries may have different data protection laws.
We ensure appropriate safeguards are in place for international transfers, including:
- Using services that comply with GDPR and CCPA
- Implementing standard contractual clauses
- Ensuring adequate data protection measures
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the “Last updated” date
- Sending an email notification for significant changes
Your continued use of the service after changes are posted constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: nicktheodoulou96@gmail.com
Website: https://npmscan.io
Additional Resources
- Terms & Conditions - Service usage terms
- Security page - Technical security measures
- About Us - Company information