
Privacy Policy

Last updated:

This Privacy Policy explains how Attestely (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our security scanning service at attestely.com, the dashboard at app.attestely.com, the public API at api.attestely.com, and the open-source CLI.

We try to keep this document short and readable. If anything is unclear, email us at privacy@attestely.com.

1. Who we are

Attestely is operated as a French SAS (société par actions simplifiée), currently in pre-registration phase. The legal entity, registered office, and SIREN will be added here once filed.

We have not appointed a formal Data Protection Officer (DPO) — under Article 37 of the GDPR we are not required to, as we are not a public body, we do not engage in large-scale systematic monitoring of data subjects, and we do not process special categories of data at scale. The founder personally answers privacy correspondence.

2. Data we collect

2.1 — Account data

When you sign in via GitHub OAuth, we receive from GitHub:

  • Your GitHub login (handle), display name, and primary email address
  • Your GitHub user ID (numeric identifier)
  • Your avatar URL
  • The OAuth access token, scoped to the permissions you granted

We never see your GitHub password. We do not request OAuth scopes beyond what is needed to read repository metadata, scan pull requests, and post review comments. You can revoke our access at any time from GitHub OAuth settings.

2.2 — Repository data

Once you install our GitHub App on selected repositories, we may read:

  • Repository metadata (name, owner, default branch, primary language, visibility)
  • The list of pull requests we scan and their commit SHAs
  • Code snippets corresponding to scanner findings (the lines flagged plus a small surrounding context — typically 5–10 lines)
  • Workflow run logs that we need to assemble a scan result

We do not mirror your full repository, nor store it in our database. Code blobs are processed in-memory by our worker pipeline and discarded once the scan is complete.

2.3 — Scan data

For each scan, we persist:

  • Raw scanner output (Trivy, Semgrep, gitleaks reports) — automatically deleted after 30 days
  • Processed findings (signature, rule ID, file path, line number, severity, LLM-written description and suggested fix when applicable) — kept until you delete them or close your account
  • Scan metadata (timestamps, repository ID, PR number, files scanned, LLM token cost for billing transparency)

2.4 — Billing data

If you upgrade to a paid plan, we use Stripe as our payment processor. We store on our side:

  • Your Stripe customer ID (link to your account)
  • The last 4 digits of your card and its brand (display only, in your settings)
  • Invoice metadata (amount, date, status, line items)
  • Your business name and country if you provided them for invoicing

We do not store full card numbers, CVCs, or bank details. Stripe is PCI DSS Level 1 certified.

2.5 — Usage data

To operate and improve the service we collect:

  • API request metadata (endpoint, response code, latency, user ID) for monitoring and capacity planning
  • Session activity (login time, IP address, user agent) for security anomaly detection
  • Sanitized error logs (no PII inside — sensitive fields are scrubbed)

Our marketing site uses Plausible, a cookieless, EU-hosted analytics service. Plausible does not use cookies, does not fingerprint visitors, and aggregates data in a way that cannot be traced back to an individual. No personal data is sent to Plausible.

3. How we use your data

We use your data to:

  • Operate the service: run scans, post PR review comments, manage your subscription
  • Send transactional emails (scan completions, security alerts, billing receipts, account changes)
  • Detect security anomalies (logins from unfamiliar locations, abuse patterns)
  • Provide customer support when you contact us
  • Comply with our legal obligations (accounting records, fraud prevention)
  • Improve the service via aggregated metrics that cannot identify individuals

We do not:

  • Sell your data to third parties
  • Train AI or machine-learning models on your code (our LLM provider, Anthropic, is configured with their no-training data policy)
  • Share your data with advertisers or data brokers
  • Profile you for marketing purposes
  • Use your data outside the scope you signed up for

4. Legal bases for processing

Under Article 6 of the GDPR, we process your data on the following bases:

  • Contract performance — when you sign up, we need to process your account and repository data to deliver the service you asked for.
  • Legitimate interest — security monitoring (login anomaly detection, abuse prevention), aggregated product analytics, and customer support communications.
  • Legal obligation — keeping invoices and accounting records for the duration required by French law (currently 10 years).
  • Consent — for any optional processing where consent is required (for example, opting in to a non-transactional newsletter, which we do not currently operate).

5. Where your data is hosted

  • Primary database (Postgres via Supabase): Paris, France (eu-west-3)
  • Edge workers (Cloudflare): Cloudflare's EU edge network, with Paris as the primary egress
  • Object storage (Cloudflare R2): EU region
  • Transactional email (Resend): EU region
  • LLM analysis (Anthropic Claude): US-based provider; we send only code snippets, configured with the no-training data policy. Anthropic acts as a data processor under our agreement. We are actively working towards a Zero Data Retention contract.

With the exception of the Anthropic LLM call above, no personal data is transferred outside the European Economic Area under our default configuration. Where transfers occur, they rely on the Standard Contractual Clauses adopted by the European Commission.

6. How long we keep your data

  • Raw scanner output: 30 days, then automatically purged.
  • Processed findings and metadata: for as long as your account exists, or until you delete them individually.
  • Billing records: 10 years (French commercial code).
  • Sanitized API logs: 90 days.
  • Account data after deletion: a 90-day grace period during which you can restore your account, then full erasure. This soft-disconnect window is documented in our internal ADR-006.

7. Your rights under the GDPR

You have the right to:

  • Access the personal data we hold on you (Settings → Profile → Export, or by email).
  • Rectify inaccurate or incomplete data.
  • Erase your account and all associated data (“Delete account” in Settings, or by email).
  • Restrict processing in certain circumstances.
  • Data portability — export your data in a structured, machine-readable format (JSON).
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with a supervisory authority — for users based in France, the CNIL.

To exercise these rights, email privacy@attestely.com. We aim to respond within 30 days (the legal maximum).

8. Security measures

We protect your data with measures including:

  • HTTPS everywhere (TLS 1.2+), with strict transport security headers
  • Secrets managed via Cloudflare Workers environment bindings — never in source code
  • Least-privilege OAuth and GitHub App permissions
  • Sanitized error logs (PII scrubbed before they reach our log store)
  • Regular dependency vulnerability scanning (we eat our own dog food)
  • Encrypted backups, encrypted at rest

More details on our security posture live at /security.

9. Cookies

The marketing site (attestely.com) uses no tracking cookies. The dashboard (app.attestely.com) uses essential cookies for authentication and CSRF protection only. See Cookie Policy for the full list.

10. Children

Attestely is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.

11. Changes to this policy

We may update this policy as the service evolves or to comply with new regulations. Material changes will be announced by email to all active users at least 14 days in advance. Past versions are kept in the git history of our marketing-site repository.

12. Contact

For any privacy-related question or to exercise your rights, email privacy@attestely.com. You can also reach us through the feedback form if it's easier.