Privacy

Privacy Policy

What we collect, why, how long we keep it, and how to delete it — in plain English.

Last updated 8 July 2026

The short version

We collect as little as possible to run the scanner. We delete your code after every scan. We never sell your data, never share it, and never use your code to train AI. The only things we keep are your account email and your findings report — and you can have both deleted any time by emailing us.

What we collect, and why

  • Your account — your email address and a securely hashed (scrambled, non-reversible) version of your password. We use these to sign you in and to count your free scans. We do not store your password itself.
  • Your code, temporarily — when you scan a repo or upload a ZIP, we copy it into a private temporary folder, run the scan, and delete that folder when the scan finishes or fails. No human reads it, and no copy is kept.
  • Your findings report — the results of a scan, stored so you can revisit or share the link. Secret values are blacked out ([REDACTED]) before anything is saved.
  • Basic technical data — your IP address is used briefly to limit abuse (rate limiting), and our server logs record scan events (the repo URL or file name, time, and score) so we can operate and debug the service.
  • A GitHub token, only if you give one — used only for that scan: to list your repositories in the scan form and to download the one you pick. It is held in memory while the scan runs, then discarded. Never written to disk, logs, or reports.

What we never do

  • We never sell or rent your data to anyone.
  • We never share your code or results with third parties, except the limited processors listed below.
  • We never use your code or results to train AI models.
  • We set no advertising or analytics cookies, and use no third-party trackers. The only cookie we use is an essential one that keeps you signed in.

The services we rely on

To run the product we use a small number of trusted providers:
  • Fly.io — hosts the application and stores your account and reports, on a server in London.
  • Google (Gemini API) — writes the plain-English explanations. We send it a redacted summary of each finding (the rule name, the file path, and a description with secrets removed). We do not send it your source code.
  • OSV.dev / npm — we look up known vulnerabilities for the package names in your project. Only package names and versions are sent, never your code.
  • Key issuers, only for the optional live-key check — if you switch on the extra check that tests whether an exposed key still works, we make one read-only call to the company that issued the key (Stripe, OpenAI, Anthropic, GitHub, Slack, or Resend) to ask whether it is active. Each key is sent only to its own issuer — which already has it — and is never stored or logged.

How long we keep things

  • Your code: deleted the moment the scan ends.
  • Findings reports: kept for 30 days, then automatically deleted.
  • Your account: kept until you ask us to delete it.

Your choices and how to delete your data

You can stop using the service at any time. To have your account and any stored reports permanently deleted, email habdikadir99@gmail.com from the address you signed up with, and we'll remove them. If you are in the UK or EU, you have rights over your personal data under the GDPR (access, correction, deletion); email us to exercise them.

Contact and changes

Auditly AI is in beta, so this policy may change as the product grows — the date at the top shows when it last did. Questions about privacy, or a request about your data? Email habdikadir99@gmail.com.

Want the operational details of how a scan handles your code? See "How we handle your code".