Preview · SecretSweep is in private build · not accepting customers · launching Q2 2026

Privacy Policy

What is collected, what is not, and what you can do about it.

Last updated: April 15, 2026

01 Data Controller and Scope

SecretSweep is operated by Iron Digital Labs LLC, based in Washington, United States. For privacy inquiries, contact support@secretsweep.com.

SecretSweep is offered from the United States to users located in the United States. The Service is not specifically directed to, marketed toward, or intended for residents of the European Economic Area, the United Kingdom, or Switzerland. If you access the Service from outside the United States, you do so on your own initiative and are responsible for compliance with applicable local laws. Nothing in this Policy limits any mandatory non-waivable privacy right that applies to you under the laws of your jurisdiction.

02 Information Collected

  • Account data: GitHub user ID, username, email (where made available by GitHub), and avatar URL (collected via GitHub OAuth). For Pro and Power tier users who connect additional platforms: GitLab and Bitbucket user IDs, usernames, and avatar URLs (collected via their respective OAuth flows).
  • Repository metadata: Repository name, size, default branch, and scan settings, collected via GitHub App (Contents:Read permission) and, for Pro and Power tier users, via GitLab and Bitbucket OAuth (read-only repository access).
  • Scan results: Finding rule ID, file path, line number, redacted match preview (first and last 4 characters only), SHA-256 hash, severity, and status. Full secrets are never stored in plaintext. When a credential is verified as active, an encrypted copy (AES-256-GCM) is retained solely for automated monthly re-verification and is permanently deleted when the credential is revoked or the account is closed.
  • CI/CD build logs: GitHub Actions workflow run logs may be fetched and scanned for leaked credentials. Logs are downloaded to an isolated temp directory, scanned, and immediately deleted. No build log content is stored.
  • Billing data: Stripe customer ID, subscription ID, subscription status, and period end date. Credit card numbers are never stored by SecretSweep. Stripe handles all card data directly.

03 How Data Is Used

SecretSweep processes the data listed above only to operate the Service:

  • Account operation: Account creation, authentication, repository scanning, billing, and support.
  • Detection: Processing commit metadata (author names and email addresses from git history) for the purpose of detecting leaked credentials.
  • Re-verification: Automated re-verification of detected credentials against provider APIs (AWS, GitHub, Stripe, OpenAI, Slack, SendGrid, npm) to determine if they remain active, so you can be alerted about unrevoked credentials.
  • Notifications: Email alerts about scan findings, which are configurable in account settings at any time.

SecretSweep does not sell personal data, does not share personal data with advertisers, and does not use personal data for automated profiling or decision-making that produces legal or similarly significant effects on users.

Where mandatory data-protection law of a user's jurisdiction requires a specific legal basis for processing, that basis is contract performance for account and billing operations, and legitimate interest in operating a secure scanning service for detection, re-verification, and abuse-prevention processing. This paragraph is included as a courtesy for users whose local law requires such disclosure; it is not an undertaking to comply with any specific foreign data-protection regime.

04 Third-Party Processors

SecretSweep uses the following sub-processors:

  • GitHub (github.com): Authentication and repository access. Privacy policy: docs.github.com.
  • GitLab (gitlab.com): Repository access for Pro and Power tier users who connect GitLab. Privacy policy: about.gitlab.com/privacy.
  • Atlassian/Bitbucket (bitbucket.org): Repository access for Pro and Power tier users who connect Bitbucket. Privacy policy: atlassian.com/legal/privacy-policy.
  • Stripe (stripe.com): Payment processing. Privacy policy: stripe.com/privacy.
  • AWS (aws.amazon.com): Infrastructure hosting (us-east-1 region). Privacy policy: aws.amazon.com/privacy.
  • Cloudflare, Inc. (cloudflare.com): Authoritative DNS for secretsweep.com and inbound email routing for support@, security@, and founders@ addresses. Cloudflare receives DNS query metadata and the envelope and contents of inbound emails sent to those addresses before forwarding them to the operator's mailbox. Privacy policy: cloudflare.com/privacypolicy.
  • Google Fonts / jsDelivr (Tailwind CDN): Frontend asset delivery. Your browser contacts these services when loading pages; those services may log IP addresses in connection with asset requests in accordance with their own policies. SecretSweep does not receive that log data.

05 Location of Processing

All personal data processed by SecretSweep is stored and processed in the United States (AWS us-east-1). SecretSweep does not operate servers, offices, or legal entities outside the United States.

As described in Section 1, the Service is offered to users in the United States and is not specifically directed to users outside the United States. Users who access the Service from other countries do so on their own initiative, and by using the Service they acknowledge that their data will be transferred to and processed in the United States. SecretSweep does not enter into Standard Contractual Clauses, Data Processing Agreements, or cross-border transfer instruments on request; users who require such instruments should not use the Service.

06 Data Retention

  • Source code: Never stored. Repositories are cloned to a temporary directory, scanned, and deleted immediately.
  • Scan findings: Retained according to the user's retention setting (1, 7, 30, 90, 180, or 365 days). The default retention period is 365 days (1 year).
  • Account data: Deleted immediately upon account closure. Deletion runs as a single database transaction that removes sessions, scan findings, scans, allowlist entries, audit log entries, notification settings, repositories, and installations associated with the account, followed by the account record itself. The only residual record is the abuse-prevention entry described below.
  • Abuse-prevention record: When an account is deleted, a minimal record is retained indefinitely to enforce lifetime free-tier limits: your public GitHub user ID, irreversibly hashed repository identifiers used only to count distinct repositories across deleted accounts, aggregate counters (number of distinct repositories scanned, number of scans in the current calendar month), and limited deletion metadata (month key, first and last deletion timestamps, deletion count). This record contains no source code, findings, email, avatar, tokens, or plaintext repository names. Paid-plan users receive the same safeguard.
  • Billing records: Retained for as long as required by applicable tax and accounting law.

07 Cookies

SecretSweep uses the following strictly necessary cookies:

  • Session cookie: Session data is stored server-side in PostgreSQL; the cookie contains only an opaque session identifier. Attributes: HttpOnly, Secure, SameSite=Lax, 4-hour expiry.
  • CSRF cookie (_csrf): Provides cross-site request forgery protection. Attributes: HttpOnly, Secure, SameSite=Lax.
  • OAuth state cookies: Short-lived (up to 10 minutes) cookies used only during sign-in to prevent cross-site request forgery on the OAuth callback. One per provider when signing in with GitHub, GitLab, or Bitbucket. Attributes: HttpOnly, Secure, SameSite=Lax.

No analytics, advertising, or tracking cookies are used. The cookies listed above qualify as strictly necessary under common cookie-law frameworks and are exempt from the consent requirements that would otherwise apply to optional cookies.

08 Your Choices and Requests

As a matter of practice, any user may request access to, correction of, or deletion of their personal data by contacting support@secretsweep.com, regardless of jurisdiction. Most of this is also self-service: you can edit your account in Settings and delete your account entirely from the Settings page, which triggers the retention schedule described in Section 6.

  • California (CCPA/CPRA): California residents have statutory rights to know, delete, and opt out of the sale of personal information. SecretSweep does not sell personal information and does not share it for cross-context behavioral advertising.
  • Washington State (My Health My Data Act): Does not apply. SecretSweep does not collect consumer health data.
  • Other jurisdictions: If your local law gives you additional statutory rights over your personal data (including but not limited to mandatory rights under the GDPR, UK GDPR, or similar regimes), those rights apply to the extent required by law. You may exercise any such rights by contacting the email address above. SecretSweep has not appointed a representative, data protection officer, or dispute-resolution body outside the United States.

09 Children

SecretSweep is not directed at anyone under the age of 16. SecretSweep does not knowingly collect personal data from children under 16.

10 Changes to This Policy

Material changes to this policy will be posted with at least 30 days' notice before taking effect. For questions about changes, contact support@secretsweep.com.