Privacy Policy
Last updated: 2025-08-20
Your privacy is critically important to us. This notice explains what data Rafter ("we," "us," or "our") collects, why we collect it, how we use it, and the choices you have. It applies to our website, the Rafter application, and any related services (collectively, the "Services").
Information We Collect
- GitHub account information (username, email, avatar)
- Repository information for scanning purposes
- Usage data and analytics
- Payment information (processed securely through Stripe)
- Correspondence with you
We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.
We do not intentionally collect "special category" data (e.g., health, political opinions) or government-issued IDs.
Web Analytics and Usage Data
We use analytics tools to understand how visitors interact with our website and improve our services. We have implemented cookie and analytics consent controls to ensure you have control over analytics tracking.
Vercel Web Analytics Data Collection
We use Vercel Web Analytics to understand how visitors interact with our website. Vercel Web Analytics is designed with privacy in mind and collects only aggregated, anonymous data that cannot identify individual users.
Vercel Web Analytics collects the following anonymous data points:
- Page views - Which pages you visit on our website
- Referrer information - How you arrived at our website (e.g., from Google search, social media)
- Device information - Browser type, operating system, device type (mobile/desktop/tablet)
- Geographic location - Country and region (city level) based on IP address
- Website performance - Page load times and performance metrics
Important Privacy Features:
- No personal identifiers - Vercel Web Analytics does not collect personal information that could identify you
- No cross-site tracking - Data is not used to track you across different websites
- No cookies required - Uses a hash created from the incoming request instead of cookies
- 24-hour session lifespan - Visitor session data is automatically discarded after 24 hours
- Aggregated data only - All data is anonymized and used only for statistical analysis
PostHog Analytics (Optional)
With your consent, we also use PostHog for enhanced analytics and user behavior tracking. PostHog analytics are only initialized after you accept our cookie and analytics consent banner.
PostHog Data Collection (with consent):
- User interactions - Button clicks, form submissions, and page navigation patterns
- Session recordings - Anonymous recordings of user sessions (if enabled)
- Feature flags - A/B testing and feature rollout data
- Custom events - Specific actions you take within our application
- Device and browser information - Technical details for debugging and optimization
PostHog Privacy Features:
- Consent-based - Only collects data after explicit user consent
- Data minimization - Collects only necessary data for service improvement
- IP anonymization - IP addresses are anonymized by default
- Data retention - Data is retained according to our data retention policy
- User control - You can opt out at any time by clearing cookies or contacting us
DeepPrediction Analytics (Optional)
With your consent, we also use DeepPrediction for user behavior analysis and website optimization. DeepPrediction analytics are only initialized after you accept our cookie and analytics consent banner.
DeepPrediction Data Collection (with consent):
- User interactions - Mouse movements, clicks, scrolls, and form interactions
- Session recordings - Anonymous recordings of user sessions for behavior analysis
- Page navigation - How users navigate through our website
- Performance metrics - Page load times and user experience data
- Device and browser information - Technical details for optimization
DeepPrediction Privacy Features:
- Consent-based - Only collects data after explicit user consent
- Data minimization - Collects only necessary data for service improvement
- Anonymous recordings - Session recordings are anonymized and cannot identify individual users
- Data retention - Data is retained according to our data retention policy
- User control - You can opt out at any time by clearing cookies or contacting us
Your Rights:
- You can withdraw consent at any time by clearing your browser cookies
- You can request data deletion by contacting our privacy team
- You can opt out of specific tracking features through our cookie settings
How We Use Your Information
- Provide, operate, and maintain the Services.
- Perform automated security scans and generate reports in plain language.
- Authenticate you via GitHub and authorize repository access.
- Enforce subscription limits and process payments through Stripe.
- Send transactional messages (e.g., receipts, scan completion notices, critical service updates).
- Respond to inquiries and provide customer support.
- Monitor, debug, and analyze usage to improve performance and user experience.
- Conduct aggregate, de-identified analytics and research.
- Detect, investigate, and mitigate security threats or abusive behavior.
- Comply with applicable laws, court orders, and law-enforcement requests.
We never sell your personal data.
Legal Bases for Processing (GDPR / UK GDPR)
We process personal data only when permitted by law:
- Performance of a contract – to deliver the Services you request.
- Legitimate interests – to secure and improve our platform, prevent fraud, detect and prevent abuse, and communicate product updates.
- Consent – for optional marketing emails and non-essential cookies.
- Legal obligation – to comply with tax, accounting, and regulatory requirements.
Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Your GitHub access tokens are securely stored and are never shared with third parties.
Sharing & Disclosure
Recipient | Purpose | Safeguards |
---|---|---|
GitHub, Inc. | OAuth authentication and repository access | OAuth scopes limited to repo, read:user, user:email |
Stripe, Inc. | Payment processing and subscription management | PCI-DSS compliant; we don't see full card details |
Cloud Infrastructure Providers | Hosting, object storage, background queueing | ISO 27001 / SOC 2 certified |
Vercel, Inc. | Web analytics and performance monitoring | Privacy-focused analytics; no personal identifiers collected |
PostHog, Inc. | Enhanced analytics and user behavior tracking (with consent) | Consent-based collection; IP anonymization; data minimization |
DeepPrediction, Inc. | User behavior analysis and website optimization (with consent) | Consent-based collection; anonymous recordings; data minimization |
Analytics & Error-Tracking Vendors (e.g., Sentry) | Product analytics, crash reports | IP anonymization / pseudonymization where possible |
Legal & Safety | Respond to lawful requests or protect rights, property, or safety | Only when legally required |
All third parties are vetted for strong security controls and must agree to process data only on our instructions (Data Processing Agreements).
Cookies & Similar Technologies
We use:
- Essential cookies – authentication, session management, fraud prevention.
- Analytics technologies – Vercel Web Analytics uses request-based identification instead of cookies for privacy.
- Optional analytics cookies – PostHog analytics cookies (only with your consent) for enhanced user behavior tracking.
- Optional analytics cookies – DeepPrediction analytics cookies (only with your consent) for user behavior analysis and website optimization.
- Local storage – theme preference, dismissible banners, cookie and analytics consent preferences.
Browser "Do Not Track" signals are honored for non-essential tracking.
Data Retention
Data Type | Retention Period |
---|---|
Account & Subscription Data | While account is active + 6 years (tax & audit) |
Scan Requests & Reports | While account is active, may expire after 90 days; Enterprise plan may customize |
GitHub Access Tokens | Rotated automatically on manual revocation; deleted on account closure |
Communication Records | While account is active + 2 years, for context and training purposes |
Marketing Preferences Log | Until you unsubscribe + 2 years |
Vercel Web Analytics Data | Aggregated data retained for service improvement; individual session data discarded after 24 hours |
PostHog Analytics Data | Retained for up to 2 years for service improvement; can be deleted upon request |
DeepPrediction Analytics Data | Retained for up to 2 years for service improvement; can be deleted upon request |
We may retain backups for disaster recovery for up to 30 days beyond the above periods.
Security Measures
- TLS 1.3 encryption in transit; AES-256 encryption at rest.
- OAuth tokens stored with envelope encryption and access-time restrictions.
- Principle of least privilege for infrastructure roles.
- Regular penetration tests and dependency vulnerability scanning.
- Automated logging and anomaly detection.
- Incident-response plan with 72-hour breach-notification window (GDPR Art. 33).
- No system is 100% secure; you are responsible for keeping your GitHub credentials safe.
International Data Transfers
We are headquartered in the United States but rely on global cloud infrastructure. Where data are transferred outside your jurisdiction:
- EEA/UK→US: we use the EU–US Data Privacy Framework or standard contractual clauses (SCCs).
- Additional safeguards (encryption, access controls, data minimization) apply.
Your Rights & Choices
Jurisdiction | Rights |
---|---|
EEA / UK GDPR | Access, rectification, erasure, restriction, portability, objection, automated-decision review |
California (CCPA/CPRA) | Know, delete, correct, opt out of "sharing," limit sensitive data use |
Other Regions | We extend comparable rights where feasible |
To exercise rights, contact our privacy team. We will verify your identity and respond within 30 days. You may lodge a complaint with your local Data Protection Authority; a list is available at https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
Children's Privacy
The Services are not intended for anyone under 18 or the age of majority in your jurisdiction, whichever is greater. We do not knowingly collect data from children. If you believe a child has provided us personal information, contact us and we will delete it.
Automated Decision-Making
We do not use automated processing that produces legal or similarly significant effects on you (GDPR Art. 22). Vulnerability-severity scanning is automated.
Third-Party Links
Our site may contain links to external sites we don't control. This policy applies only to Rafter; review the privacy notices of any third-party sites you visit.
Contact Us
If you have any questions about this Privacy Policy, please contact our privacy team.