How Graneth collects, uses, and protects your personal data.
This Privacy Policy explains what personal data Graneth collects, why, and the rights you have over it. It covers both the free pre_flight_check tool and the paid team dashboard.
GitHub identity — username, avatar, and email address (only if granted), obtained via GitHub OAuth with least-privilege scopes.
GitHub access token — encrypted at rest with AES-256-GCM, used only to read the repositories and pull requests you connect.
Code you submit for scanning — file contents and diffs from connected repositories, processed to produce findings.
Scan results and findings — severity, file/line location, and remediation history, stored in our PostgreSQL database.
Billing metadata — credit balance and purchase history; card details are handled entirely by Stripe and never reach our servers.
Usage and log data — request metadata such as IP address, timestamps, and rate-limit counters, used to prevent abuse.
Contract — to provide the scanning service you sign up for (Art. 6(1)(b)).
Legitimate interest — to secure the Service against abuse and improve detection accuracy (Art. 6(1)(f)).
Legal obligation — to retain billing records required for tax and accounting (Art. 6(1)(c)).
Consent — for any optional communications you opt into (Art. 6(1)(a)).
To run static analysis (Semgrep) and LLM-assisted triage (Anthropic Claude) on submitted code, generate findings and remediation suggestions, enforce the policies you configure, process credit purchases through Stripe, and secure the Service against abuse.
Graneth does not use your code, findings, or account data to train machine learning models — ours or anyone else's. Code sent to Anthropic's API for LLM-assisted triage is processed under Anthropic's commercial API terms, which do not use API inputs or outputs to train Anthropic's models by default.
Scan results, findings, and false-positive memory are kept until you delete them from Settings or close your account. Billing records are retained for as long as applicable tax law requires. Encrypted GitHub tokens are deleted on sign-out or account deletion.
We use a small set of sub-processors to operate the Service — Anthropic for LLM-assisted analysis, Stripe for payments, GitHub for authentication and repository access, Railway for hosting, and Amazon S3 for encrypted database backups. See the DPA & Sub-processors page for the full table with purposes and locations.
Our sub-processors are based in, or run infrastructure in, the United States. Where personal data leaves the European Economic Area, we rely on the sub-processor's Standard Contractual Clauses or an equivalent safeguard.
If GDPR or a similar regime applies to you, you may request access, correction, erasure, portability, or restriction of your personal data, and object to processing based on legitimate interest. Use the export and delete tools on the Settings page, or contact us directly. You may also lodge a complaint with your local data protection authority.
See the Trust & Security page for the technical and organizational measures protecting your data, including AES-256-GCM encryption at rest, PostgreSQL row-level tenant isolation, and RBAC on every MCP tool call.
The Service is not directed at children under 16, and we do not knowingly collect their personal data.
We may update this Policy as the product evolves. Material changes will be reflected by updating the date on this page.
graneth.dev is reserved but not yet registered — this address activates once the domain is live. Until then, reach the team via the repository link in Settings.