Privacy Policy

How ALGIS collects, uses, and protects your information.

Last updated: 2026-06-13

Entity: ALGIS

Overview

This Privacy Policy explains how ALGIS ('we', 'us', 'our') collects, uses, and protects information when you use the service ('Service'). We are committed to handling your data with transparency and respect.

The short version: we collect only what we need to provide the Service, we do not sell your personal data, and your source code submitted for scanning is not stored after the scan is complete.

Data we collect

Account information: if you create an account, we collect your email address, a hashed password, and the date of account creation. We do not collect your name unless you provide it.

Scan inputs: when you submit code, files, or a URL for scanning, the content is processed in memory to generate your report. By default, the raw source code is not retained after the scan completes. See the section below for details on how scans are handled.

Scan reports: if you choose to save a report to your account history, we store the findings data (severity, title, description, fix steps) but not the original source code.

Usage data: we collect standard server logs including IP address, browser user-agent, timestamps, and pages visited. This data is used for security, debugging, and aggregate analytics.

Payment data: if you subscribe to a paid plan, payment processing is handled entirely by our payment processor. We do not store credit card numbers or payment details directly.

How scans are handled

This is the most important section of this policy for most users.

When you submit code, files, or a URL for scanning, the content is loaded into an isolated scan session. The deterministic analysis tools and AI pipeline process the content and produce a findings report.

Your source code is never written to persistent storage. It is not retained, indexed, archived, or used for any purpose beyond generating your report. When the scan session ends, the raw code is removed from memory.

Your code is never used to train, fine-tune, or improve any AI or machine learning model. It is sent to AI providers solely to generate the analysis for your specific scan, within the scope of your scan session.

Saved reports: you may optionally save a scan report to your account. Saved reports contain only the findings data (what was found, severity, description, fix steps). The source code that produced those findings is not stored.

These practices are architectural commitments, not just policies. The system is designed so that storing source code requires deliberate engineering work. The default pipeline does not write it to storage.

How we use your data

We use the data we collect for the following purposes:

Providing the Service: processing scans and delivering reports to you.

Account management: creating and maintaining your account, authenticating your identity, and managing your subscription.

Communications: sending transactional emails such as account confirmations, password resets, and subscription receipts. If you opt in, we may also send product updates.

Security and fraud prevention: monitoring for abuse, unauthorized access, and API misuse.

Aggregate analytics: understanding which features are used most often, where errors occur, and how the product can be improved. This analysis uses aggregated, non-personally-identifiable data.

Legal compliance: fulfilling our obligations under applicable law.

We do not sell your personal data to third parties. We do not use your data for advertising.

Cookies and analytics

We use a small number of cookies to operate the Service.

Strictly necessary cookies: session tokens and authentication state. These are required for the Service to function and cannot be disabled.

Analytics: we use a privacy-focused analytics tool to collect aggregate data about page views and feature usage. No personally identifiable information is included in analytics events.

We do not use advertising cookies or behavioral tracking cookies.

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in.

Third-party processors

We share data with a limited number of third-party service providers who help us operate the Service. All processors are bound by data processing agreements.

AI analysis: we use Anthropic's API to power the AI triage and deep analysis layers of the scan pipeline. Code submitted for scanning is sent to Anthropic's API within the scope of your scan session only. Anthropic does not use API-submitted content for training.

Cloud infrastructure: the Service runs on secure, industry-standard cloud infrastructure. Server logs and account data are stored in access-controlled data centers operated by our infrastructure providers.

Payment processing: payments are settled in USDC stablecoin through the x402 protocol, directly from your own self-custody wallet. We do not use a traditional card processor and never receive or store raw payment card data.

Email delivery: a third-party email provider is used to send transactional emails such as account confirmations and receipts.

We do not share your data with any third party for advertising, marketing, or data brokerage purposes.

Data retention

Scan code: not stored. Removed from memory when the scan session ends.

Saved reports: retained until you delete them from your account, or until your account is deleted.

Account information: retained while your account is active. Deleted within 30 days of account deletion, subject to legal hold obligations.

Server logs: retained for 90 days for security and debugging purposes, then deleted.

Payment records: retained as required by applicable financial and tax regulations, typically 7 years.

Your rights

Depending on your location, you may have certain rights regarding your personal data:

Access: you can request a copy of the personal data we hold about you.

Correction: you can ask us to correct inaccurate data.

Deletion: you can request that we delete your account and associated personal data.

Portability: you can request your data in a machine-readable format.

Objection: you can object to certain types of processing.

Restriction: you can request that we restrict processing in certain circumstances.

To exercise any of these rights, contact us at the email address in the Contact section. We will respond within 30 days.

If you are in the European Economic Area, you also have the right to lodge a complaint with your local data protection authority.

International transfers

The Service is operated by ALGIS. If you access the Service from another country, your data may be transferred to and processed in countries where ALGIS or its service providers operate.

Where we transfer data from the European Economic Area to countries not deemed adequate by the European Commission, we rely on appropriate safeguards such as Standard Contractual Clauses.

Children

The Service is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction).

We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the 'Last updated' date at the top of this page.

For material changes, we will provide notice through the Service or by email to your registered address at least 14 days before the change takes effect.

Your continued use of the Service after a change takes effect constitutes your acceptance of the updated policy.

Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at:

ALGIS

privacy@algis.security