California Privacy Notice
Last updated: 2025-08-20
This California Privacy Notice ("CA Notice") supplements our Privacy Policy and applies solely to California residents ("consumers" or "you") in accordance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA").
1 Scope
This CA Notice explains:
- What personal information we collect (by statutory category).
- Why we collect it and to whom we disclose it.
- Your CCPA/CPRA rights and how to exercise them.
Unless otherwise noted, the terms in this CA Notice have the same meaning as defined in the CCPA/CPRA.
2 Personal Information We Collect

| Statutory Category (Cal. Civ. Code § 1798.140) | Examples we collect | Source | Business / Commercial Purpose | Disclosed to* |
| --- | --- | --- | --- | --- |
| Identifiers | Name, GitHub username, email address, IP address, device ID | Directly from you; cookies | Account creation, sign-in, security logging | Service providers |
| Customer Records | Billing name, address, last four digits & expiry of payment card (Stripe) | You; Stripe | Subscription management, fraud prevention | Stripe, finance vendors |
| Protected Classifications | Not collected intentionally | — | — | — |
| Commercial Information | Subscription tier, payment history, scan counts | Internal | Provide & bill the Service, analytics | Service providers |
| Internet / Network Activity | Log files, pages viewed, referring URL, interaction events | Your device | Analytics, debugging, security monitoring | Analytics vendors |
| Geolocation Data | Approximate location from IP (city/region) | Your device | Localize content, fraud detection | Infrastructure partners |
| Professional Information | Repository owner/org name, branch names | GitHub API | Perform scans you request | None (beyond hosting) |
| Sensitive Personal Information (Cal. Civ. Code § 1798.121) | GitHub OAuth access token | You / GitHub | Authenticate & authorize scans | Not sold/shared |

*"Disclosed to" means shared with vendors who qualify as "service providers" or "contractors" under the CCPA/CPRA and may only use personal information as specified in our contracts.
We do not knowingly "sell" or "share" (for cross-context behavioral advertising) personal information, including that of minors under 16.
Vercel Web Analytics
We use Vercel Web Analytics to understand website usage patterns. Vercel Web Analytics is designed with privacy in mind and collects only aggregated, anonymous data:
Data Collected by Vercel Web Analytics:
- Page views - Which pages you visit on our website
- Referrer information - How you arrived at our website
- Device information - Browser type, operating system, device type
- Geographic location - Country and region (city level) based on IP address
- Website performance - Page load times and performance metrics
Privacy Features:
- No personal identifiers - Does not collect personal information that could identify you
- No cross-site tracking - Data is not used to track you across different websites
- No cookies required - Uses a hash created from the incoming request instead of cookies
- 24-hour session lifespan - Visitor session data is automatically discarded after 24 hours
- Aggregated data only - All data is anonymized and used only for statistical analysis
Vercel Web Analytics qualifies as a "service provider" under the CCPA/CPRA and may only use data as specified in our agreement with Vercel.
3 Retention
We retain each category of personal information only as long as necessary to fulfill the purposes outlined above, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods are listed in our main Privacy Policy.
Vercel Web Analytics Data: Aggregated data is retained for service improvement purposes; visitor session data is automatically discarded after 24 hours.
4 Your California Privacy Rights

| Right | What It Means |
| --- | --- |
| Right to Know / Access | You can request the specific pieces and categories of personal information we have collected about you in the past 12 months. |
| Right to Delete | You can ask us to delete personal information we collected, subject to certain exceptions. |
| Right to Correct | You can request that we correct inaccurate personal information we maintain. |
| Right to Opt-Out of Sale or Sharing | Because we do not sell or share personal information for cross-context advertising, this right currently does not apply. |
| Right to Limit Use of Sensitive Personal Information | We use sensitive data (GitHub tokens) only to provide the Service you request, so this right does not apply. |
| Right to Non-Discrimination | We will not deny goods/services, charge different prices, or provide a different level of quality if you exercise your rights. |

5 How to Exercise Your Rights
- Email: Send a request to our privacy team with "California Privacy Request" in the subject line.
We must verify your identity before fulfilling any request. Verification may involve validating your email address and, for sensitive actions (e.g., deletion), re-authenticating via GitHub OAuth. You may designate an authorized agent; we will require proof of authorization and your written permission.
We will confirm receipt within 10 business days and respond substantively within 45 days (90 days for complex requests, with notice).
6 Metrics (Past Calendar Year)

| Request Type | Received | Fulfilled (whole / in part) | Avg. Days to Respond |
| --- | --- | --- | --- |
| Access / Know | 0 | N/A | N/A |
| Delete | 0 | N/A | N/A |
| Correct | 0 | N/A | N/A |
| Opt-Out of Sale / Share | 0 (not applicable) | N/A | N/A |

(Metrics will be updated annually, as required by Cal. Civ. Code § 1798.130.)
7 "Shine the Light" (Cal. Civ. Code § 1798.83)
We do not disclose personal information to third parties for their own direct-marketing purposes. Therefore, "Shine the Light" disclosures are not required.
8 Contact
Questions about this CA Notice? Contact our privacy team.
This CA Notice is intended to meet our obligations under the CCPA/CPRA. If you are not a California resident, please refer to our main Privacy Policy.