Colosseum

Privacy Policy

Effective: February 15, 2026

1. What We Collect

Account Information

When you create an account, we collect your email address. Authentication is handled by Supabase. We do not store passwords directly.

Scan Data

  • Repository URLs you submit for scanning.
  • Scan results including findings, severity ratings, file paths, code snippets (limited context around findings), and remediation recommendations.
  • Scan metadata such as language detected, lines of code, scan duration, and tier at time of scan.

What We Do Not Collect

  • Your full source code. Repositories are cloned to a temporary directory during scanning and deleted immediately after. We do not retain copies of your codebase.
  • GitHub tokens. If you provide a Personal Access Token for private repo scanning, it is held in memory only during the clone operation and is never written to disk or database.
  • Tracking cookies, analytics scripts, or third-party advertising trackers. We use none of these.

2. Cookies

BattleHarden uses only essential cookies required for the Service to function:

  • Authentication session cookies — to keep you signed in. Set by Supabase Auth. These are first-party, httpOnly, and expire when your session ends or after 7 days of inactivity.
  • CSRF protection tokens — to prevent cross-site request forgery on form submissions.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. Because we use only strictly necessary cookies, no consent banner is required under GDPR. However, we disclose their use here for transparency.

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing your repository scans, delivering reports, managing your account and subscription. This data is necessary to provide the Service you have contracted for.
  • Legitimate interest (Art. 6(1)(f)) — computing anonymized aggregate statistics (e.g., total scans, average findings per scan) to improve the Service. These statistics never identify individual users or repositories. We have conducted a balancing test and determined that this processing does not override your rights and freedoms.
  • Consent (Art. 6(1)(a)) — if we send marketing communications in the future, we will obtain your opt-in consent first. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable tax, anti-fraud, and other legal requirements related to payment processing.

4. How We Use Your Data

  • To perform code analysis scans you request.
  • To generate and deliver scan reports and deliverable archives.
  • To send transactional emails (scan complete, scan failed, password reset).
  • To manage your subscription and process payments.
  • To compute anonymized, aggregate statistics displayed on the platform (e.g., total scans completed, average findings per scan). These statistics never identify individual users or repositories.

Automated Decision-Making (GDPR Article 22)

Our scanning process uses automated analysis to identify potential security vulnerabilities in your code. This automated processing produces scan reports with severity grades. These grades are informational and do not produce legal effects or similarly significant effects on you. No access to the Service is restricted or modified based on automated scan results. You are always free to evaluate, accept, or disregard any finding.

5. Third-Party Services and International Transfers

We use the following third-party services to operate BattleHarden:

  • Supabase — Authentication and user management. Your email and hashed password are stored by Supabase. See Supabase Privacy Policy.
  • Stripe — Payment processing. Your payment information is handled directly by Stripe and is never sent to our servers. See Stripe Privacy Policy.
  • Resend — Transactional email delivery. We send your email address and email content to Resend for delivery. See Resend Privacy Policy.
  • Vercel — Frontend hosting. Standard web server logs (IP address, browser type, pages visited) are collected by Vercel. See Vercel Privacy Policy.

We do not sell your data to any third party. We do not share your data with third parties except as described above to operate the Service.

International Data Transfers

BattleHarden is operated from the United States. The third-party services listed above (Supabase, Stripe, Resend, Vercel) are US-based companies. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States.

These transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, which each of our subprocessors maintains. You can request copies of the relevant SCCs by contacting us at privacy@battleharden.dev.

6. Data Storage and Security

Scan results and account data are stored in a PostgreSQL database. All connections use TLS encryption. The frontend is served over HTTPS with HSTS enabled.

Report access is protected by HMAC-signed tokens or authenticated JWT sessions. Private repository scan results are additionally gated to the authenticated owner.

Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (GDPR Article 34), providing details of the breach, its likely consequences, and the measures we are taking to address it.

7. Data Retention and Deletion

  • Repository clones: Deleted immediately after scan completion (or failure).
  • Scan results: Retained as long as your account is active.
  • Account deletion: You can delete your account at any time from your account settings. This permanently removes your user record and all associated scan data from our database. Active subscriptions are cancelled.
  • Backup retention: Database backups are retained for up to 30 days by our hosting provider (Supabase). After this period, all data in backups is permanently purged.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you (available in your account settings, or by emailing us).
  • Rectification — request correction of inaccurate personal data we hold about you.
  • Erasure — delete your account and all associated data at any time.
  • Data portability — export your scan data (available via report downloads for paid tiers).
  • Restrict processing — request that we limit processing of your personal data in certain circumstances.
  • Object — object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint — you have the right to lodge a complaint with a supervisory authority. If you are in the EEA, you may contact the supervisory authority in your member state of residence. A list of supervisory authorities is available at edpb.europa.eu.

How to exercise your rights: Email privacy@battleharden.dev with your request. We will respond within 30 days (or sooner as required by applicable law). We may need to verify your identity before processing your request.

For EU/EEA residents: these rights are provided in accordance with GDPR. For California residents: these rights are provided in accordance with CCPA.

9. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email. The effective date at the top of this page reflects the most recent revision.

10. Data Controller

The data controller for BattleHarden is:

Michael Miller

Operating as BattleHarden (a product of Miller Media)

Email: privacy@battleharden.dev

Web: battleharden.dev

For general questions or support, you can also reach us on X: @BattleHardenDev.