RepoShield
privacy

What we store and what we don't

RepoShield runs on the principle that we should hold the smallest amount of data that lets the product work. This page is a plain-English description of that. It's not a lawyered policy; it's a contract between us about what happens when you scan a repo.

What we DO store

  • Scan metadata — repo URL, owner, name, commit SHA, scan timestamp, score, verdict, list of check IDs that fired, file paths, line numbers, and the snippet (the few lines of source) that triggered each finding.
  • Account data — your GitHub email, GitHub username, avatar URL, the Supabase user ID, and your current pricing tier.
  • API keys — only the SHA-256 hash. The plaintext is shown to you once at creation and never persisted. We can't recover a lost key; you have to revoke and regenerate.
  • GitHub App installation IDs — for users who install the app to scan private repos. We store the installation ID and its associated GitHub account name.
  • Slack webhook URLs — for users who wire up the Slack integration. Encrypted at rest in our database.

What we DO NOT store

  • The source code of repos we scan. We download it transiently into a worker buffer, run our checks, persist the FINDINGS only, and discard the source. The buffer is garbage-collected when the request ends.
  • GitHub access tokens. OAuth and App-installation tokens are minted on demand, used for the single scan, and discarded. Nothing about them is persisted.
  • IP addresses (long-term). We count anonymous scans by IP for rate-limiting (3/day) but the counter resets at UTC midnight. We do not store an IP-to-scan mapping for analytics or any other purpose.
  • Your local environment. The scanner runs in our Cloudflare Workers; nothing on your machine is inspected.

Retention

  • Free tier scan results are kept for 30 days, then auto-purged. Findings stay visible to the user (you) and to anyone you share the result link with during that window.
  • Pro / Maxx scan results are kept for 1 year.
  • Account data is kept until you delete your account.
  • API keys persist until you revoke them or delete your account.

Deletion

Sign in → dashboard → settings → “Delete account”. This is one-click and immediate. We delete:

  • your account row
  • all your scan rows
  • all your API keys (the hashes)
  • any Slack/PagerDuty/webhook integration rows
  • any GitHub App installation rows tied to your account

Backups are encrypted and rotate out within 30 days. After 30 days, your data is gone from every system we control.

If you can't reach the dashboard for some reason, email privacy@shieldrepo.com from the address on your account and we'll do it manually.

Data location

Data is stored in Supabase Cloud (Postgres) and Cloudflare R2 (incremental cache, when enabled). Both run on AWS infrastructure in the US (us-east-1 primary) with replicas in EU/Asia for read performance.

We don't currently offer EU-only data residency. If you need this for compliance reasons, email founder@shieldrepo.com.

Subprocessors

  • Cloudflare — application hosting, CDN, DDoS protection.
  • Supabase — Postgres database, authentication.
  • GitHub — OAuth, repo content fetch (read-only).
  • Stripe — billing (Pro/Maxx users only). We pass your email to Stripe; we never see your card.
  • npm registry — package metadata and provenance lookups during DP-007.
  • OSV.dev — open-source vulnerability database lookup during dependency analysis.

Cookies

We set exactly two cookies:

  • sb-* — Supabase session cookie (httpOnly, secure). Required for sign-in.
  • visitor-id — anonymous random ID for rate-limiting unauthenticated scans. No tracking, no analytics.

No third-party tracking pixels. No marketing cookies. No fingerprinting.

Changes

If we change this policy in a way that affects what we store about you or who we share it with, we will email you at the address on your account before the change takes effect.