Back

Privacy Policy

Last updated: February 2026

1. Data Controller

Shieldify is operated by Pierre HERAUD, sole proprietorship (micro-entreprise), registered under SIRET 883 108 623 00025, located at 4 rue Henri Esteve, 34130 Lansargues, France.

Contact: contact@shieldify.dev

2. Data We Collect

Account data

When you create an account, we collect:

  • Email address
  • Hashed password (argon2id — we never store plaintext passwords)
  • Language preference

OAuth data

When you connect a GitHub or GitLab account, we store:

  • Provider username and avatar URL
  • OAuth access token (encrypted at rest with AES-256-GCM)

Scan data

When you run a security scan, we process:

  • Repository metadata (name, URL, branch, detected languages)
  • Analysis results (vulnerability findings, scores) — stored as JSON
  • Generated PDF reports

Your source code is never stored. It is cloned into an ephemeral Docker container that runs in RAM only (tmpfs). The container is destroyed immediately after the scan completes.

Payment data

Payments are processed by Stripe. We never receive or store your credit card number. We only store Stripe customer IDs, subscription IDs, and payment intent IDs for accounting purposes.

Technical data

We automatically collect:

  • IP address (for rate limiting and security, not stored long-term)
  • Browser language preference (Accept-Language header)

3. How We Use Your Data

  • Provide and operate the Shieldify service
  • Authenticate you and secure your account
  • Access your repositories via OAuth to perform security scans
  • Generate and deliver security audit reports
  • Process payments and manage your credit balance
  • Send transactional emails (verification, password reset, scan completion)

We do not use your data for advertising, profiling, or selling to third parties.

4. Legal Basis (GDPR Art. 6)

  • Contract performance: account creation, scan execution, report delivery
  • Legitimate interest: security, fraud prevention, service improvement
  • Consent: optional marketing communications (if any in the future)

5. Data Sharing & Sub-processors

We share data with the following third-party services, strictly necessary for operating Shieldify:

ServicePurposeData sharedLocation
OVHcloud SASApplication hostingAll application dataFrance (Roubaix)
Scaleway (Iliad Group)Object storage (reports)PDF reports, scan results JSONFrance (Paris)
Anthropic (Claude AI)AI-powered analysisAnonymized scan findings (no source code)United States
StripePayment processingEmail, payment dataUnited States (EU data center)
Brevo (ex-Sendinblue)Transactional emailEmail address, nameFrance
GitHub / GitLabRepository accessOAuth tokensUnited States / varies

For services located outside the EU (Anthropic, Stripe), data transfers are covered by Standard Contractual Clauses (SCCs) or EU adequacy decisions where applicable.

6. Data Retention

  • Account data: retained until you delete your account
  • Scan results & reports: retained until you delete your account
  • Source code: never stored — destroyed in real-time after each scan
  • Payment records: retained for 10 years (French accounting law)
  • Server logs: 30 days maximum

When you delete your account, all personal data is permanently deleted (hard delete, no soft delete). This is irreversible.

7. Your Rights (GDPR)

As an EU resident, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten") — via account deletion
  • Port your data in a machine-readable format
  • Object to processing based on legitimate interest
  • Restrict processing in certain circumstances

To exercise these rights, contact us at contact@shieldify.dev. We will respond within 30 days.

You may also lodge a complaint with the French data protection authority: CNIL, 3 Place de Fontenoy, 75007 Paris — www.cnil.fr.

8. Security

  • Passwords hashed with argon2id
  • OAuth tokens encrypted at rest (AES-256-GCM)
  • All connections over HTTPS (TLS 1.2+)
  • Rate limiting on all API endpoints
  • Source code never stored on disk — ephemeral Docker containers with tmpfs
  • Presigned URLs for report downloads (expire in 15 minutes)

9. Cookies

We use only strictly necessary cookies:

  • shieldify_lang: stores your language preference (EN/FR)
  • Refresh token: httpOnly, secure cookie for authentication

We do not use analytics, tracking, or advertising cookies.

10. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email to registered users. The "last updated" date at the top reflects the latest revision.