1. Who We Are
CodeFence ("we", "our", "us") operates the developer security platform at codefence.cc. This policy explains what data we collect, why we collect it, and how we protect it.
2. Data We Collect
- Account data: Name, email address, and password (managed securely via Clerk authentication).
- Repository metadata: Repository names, URLs, branch names, and commit metadata from connected Git providers (GitHub, GitLab, Bitbucket, Azure DevOps).
- Scan results: Security findings including secret patterns, vulnerability identifiers (CVEs), IaC misconfigurations, and container scan results.
- Billing data: Payment information is processed by Stripe. We store only your subscription plan and status — never your card details.
- Usage data: Pages visited on codefence.cc, referrer URLs, and session activity. This data is anonymous and is used to improve the product.
- IP address: Logged at signup for fraud prevention and rate limiting.
3. What We Do NOT Collect
- We do not store your source code. Scans run against your repositories and only findings (not code) are stored.
- We do not sell your data to third parties.
- We do not use advertising trackers or third-party analytics (no Google Analytics, no Facebook Pixel).
4. How We Use Your Data
- To provide and operate the CodeFence security scanning service.
- To send security alerts, scan results, and product updates via email.
- To process billing and manage your subscription via Stripe.
- To improve the product through anonymized usage analytics.
- To comply with legal obligations.
5. Data Storage & Security
Your data is stored on servers located in the European Union. We use encryption in transit (TLS) and at rest. Access to production data is restricted to authorized personnel only. Secrets detected in your repositories are stored in hashed form — we never store raw secret values in plaintext.
6. Third-Party Services
- Clerk — authentication and session management (clerk.com/privacy)
- Stripe — payment processing (stripe.com/privacy)
- GitHub / GitLab / Bitbucket / Azure DevOps — repository access via OAuth, governed by their respective privacy policies
7. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction or deletion of your data
- Export your data in a portable format
- Withdraw consent and close your account at any time
To exercise any of these rights, email us at [email protected].
8. Cookies & Local Storage
See our Cookie Policy for details. In short: we use session storage for anonymous page visit tracking and localStorage for your auth token, and Clerk and Stripe set their own necessary cookies for authentication and payments.
9. Data Retention
We retain your account data for as long as your account is active. Scan results are retained for 90 days on the Free plan and 1 year on paid plans. After account deletion, all personal data is removed within 30 days.