Privacy Policy

Last updated: February 24, 2026

What We Collect

When you use ShipCheck, we collect:

  • Account information: Email, name, authentication data
  • Scan data: URLs you scan, scan results, site ownership verification tokens
  • Redacted evidence: Only the specific security patterns we detect (e.g., "sk_live_...R8F9"), never full response bodies
  • Consent records: Timestamp, IP address, and consent text for every scan
  • Usage data: Scan frequency, plan usage, feature usage

What We DON'T Store

  • Raw response bodies from your applications
  • Full API keys or secrets (only redacted patterns for evidence)
  • Session tokens or authentication cookies from your apps
  • Complete stack traces or error pages

Repository Scanning

When you use Repo Secrets Scanning (Builder and Pro plans), the following applies:

  • We do not store your source code. Repository contents are cloned to a temporary directory, scanned, and deleted immediately after processing.
  • We do not store full secret values. Only masked previews (e.g., first and last 4 characters) are retained as evidence.
  • We store masked previews and fingerprint hashes for findings, which power ignore rules and scan history.
  • Private repository access is read-only through the GitHub App. You can revoke access at any time from your GitHub settings.
  • ZIP uploads are processed in memory and deleted immediately after scanning.

Data Retention

Scan evidence and results are retained for 30 days by default. Account data is retained until account deletion. You can request data export or deletion at any time.

Contact Us

Questions about privacy? Email us at privacy@shipcheckhq.com