Privacy Policy

Last updated: 2025-08-20

Your privacy is critically important to us. This notice explains what data Rafter ("we," "us," or "our") collects, why we collect it, how we use it, and the choices you have. It applies to our website, the Rafter application, and any related services (collectively, the "Services").

Information We Collect

• GitHub account information (username, email, avatar)
• Repository information for scanning purposes
• Usage data and analytics
• Payment information (processed securely through Stripe)
• Correspondence with you

We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.

We do not intentionally collect "special category" data (e.g., health, political opinions) or government-issued IDs.

Web Analytics and Usage Data

We use Vercel Web Analytics to understand how visitors interact with our website. Vercel Web Analytics is designed with privacy in mind and collects only aggregated, anonymous data that cannot identify individual users.

Vercel Web Analytics Data Collection

Vercel Web Analytics collects the following anonymous data points:

• Page views - Which pages you visit on our website
• Referrer information - How you arrived at our website (e.g., from Google search, social media)
• Device information - Browser type, operating system, device type (mobile/desktop/tablet)
• Geographic location - Country and region (city level) based on IP address
• Website performance - Page load times and performance metrics

Important Privacy Features:

• No personal identifiers - Vercel Web Analytics does not collect personal information that could identify you
• No cross-site tracking - Data is not used to track you across different websites
• No cookies required - Uses a hash created from the incoming request instead of cookies
• 24-hour session lifespan - Visitor session data is automatically discarded after 24 hours
• Aggregated data only - All data is anonymized and used only for statistical analysis

How We Use Your Information

• Provide, operate, and maintain the Services.
• Perform automated security scans and generate reports in plain language.
• Authenticate you via GitHub and authorize repository access.
• Enforce subscription limits and process payments through Stripe.
• Send transactional messages (e.g., receipts, scan completion notices, critical service updates).
• Respond to inquiries and provide customer support.
• Monitor, debug, and analyze usage to improve performance and user experience.
• Conduct aggregate, de-identified analytics and research.
• Detect, investigate, and mitigate security threats or abusive behavior.
• Comply with applicable laws, court orders, and law-enforcement requests.

We never sell your personal data.

Legal Bases for Processing (GDPR / UK GDPR)

We process personal data only when permitted by law:

• Performance of a contract – to deliver the Services you request.
• Legitimate interests – to secure and improve our platform, prevent fraud, detect and prevent abuse, and communicate product updates.
• Consent – for optional marketing emails and non-essential cookies.
• Legal obligation – to comply with tax, accounting, and regulatory requirements.

Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Your GitHub access tokens are securely stored and are never shared with third parties.

Sharing & Disclosure

| Recipient | Purpose | Safeguards | |-----------|---------|------------| | GitHub, Inc. | OAuth authentication and repository access | OAuth scopes limited to repo, read:user, user:email | | Stripe, Inc. | Payment processing and subscription management | PCI-DSS compliant; we don't see full card details | | Cloud Infrastructure Providers | Hosting, object storage, background queueing | ISO 27001/ SOC 2 certified | | Vercel, Inc. | Web analytics and performance monitoring | Privacy-focused analytics; no personal identifiers collected | | Analytics & Error-Tracking Vendors (e.g., Sentry) | Product analytics, crash reports | IP anonymization / pseudonymization where possible | | Legal & Safety | Respond to lawful requests or protect rights, property, or safety | Only when legally required |

All third parties are vetted for strong security controls and must agree to process data only on our instructions (Data Processing Agreements).

Cookies & Similar Technologies

We use:

• Essential cookies – authentication, session management, fraud prevention.
• Analytics technologies – Vercel Web Analytics uses request-based identification instead of cookies for privacy.
• Local storage – theme preference, dismissible banners.

Browser "Do Not Track" signals are honored for non-essential tracking.

Data Retention

| Data Type | Retention Period | |-----------|-----------------| | Account & Subscription Data | While account is active + 6 years (tax & audit) | | Scan Requests & Reports | while account is active, may expire after 90 days; Enterprise plan may customize | | GitHub Access Tokens | Rotated automatically on manual revocation; deleted on account closure | | Communication Records | while account is active + 2 years, for context and training purposes | | Marketing Preferences Log | Until you unsubscribe + 2 years | | Vercel Web Analytics Data | Aggregated data retained for service improvement; individual session data discarded after 24 hours |

We may retain backups for disaster-recovery for up to 30 days beyond the above periods.

Security Measures

• TLS 1.3 encryption in transit; AES-256 encryption at rest.
• OAuth tokens stored with envelope encryption and access-time restrictions.
• Principle of least privilege for infrastructure roles.
• Regular penetration tests and dependency vulnerability scanning.
• Automated logging and anomaly detection.
• Incident-response plan with 72-hour breach-notification window (GDPR Art. 33).
• No system is 100% secure; you are responsible for keeping your GitHub credentials safe.

International Data Transfers

We are headquartered in the United States but rely on global cloud infrastructure. Where data are transferred outside your jurisdiction:

• EEA/UK→US: we use the EU–US Data Privacy Framework or standard contractual clauses (SCCs).
• Additional safeguards (encryption, access controls, data-minimization) apply.

Your Rights & Choices

| Jurisdiction | Rights | |--------------|--------| | EEA / UK GDPR | Access, rectification, erasure, restriction, portability, objection, automated-decision review | | California (CCPA/CPRA) | Know, delete, correct, opt-out of "sharing," limit sensitive data use | | Other Regions | We extend comparable rights where feasible |

To exercise rights, contact our privacy team. We will verify your identity and respond within 30 days. You may lodge a complaint with your local Data Protection Authority; a list is available at https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Children's Privacy

The Services are not intended for anyone under 18 or the age of majority in your jurisdiction, whichever is greater. We do not knowingly collect data from children. If you believe a child has provided us personal information, contact us and we will delete it.

Automated Decision-Making

We do not use automated processing that produces legal or similarly significant effects on you (GDPR Art. 22). Vulnerability-severity scanning is automated.

Third-Party Links

Our site may contain links to external sites we don't control. This policy applies only to Rafter; review the privacy notices of any third-party sites you visit.

Contact Us

If you have any questions about this Privacy Policy, please contact our privacy team.