Privacy Policy
What is collected, what is not, and what you can do about it.
01 Data Controller and Scope
SecretSweep is operated by Iron Digital Labs LLC, based in Washington, United States. For privacy inquiries, contact support@secretsweep.com. For security vulnerability reports, contact security@secretsweep.com.
SecretSweep is offered from the United States to users located in the United States. The Service is not specifically directed to, marketed toward, or intended for residents of the European Economic Area, the United Kingdom, or Switzerland. If you access the Service from outside the United States, you do so on your own initiative and are responsible for compliance with applicable local laws. Nothing in this Policy limits any mandatory non-waivable privacy right that applies to you under the laws of your jurisdiction.
02 Information Collected
- Account data: GitHub user ID, username, email (where made available by GitHub), avatar URL, Terms acceptance timestamp, acceptance IP address, and acceptance User-Agent (collected via GitHub OAuth and the acceptance flow). For Pro and Power tier users who connect additional platforms: GitLab and Bitbucket user IDs, usernames, and avatar URLs (collected via their respective OAuth flows).
- Repository metadata: Repository name, size, default branch, visibility, provider identifiers, scan settings, selected/enabled status, scan schedule, and installation metadata. For GitHub, this is collected via GitHub App Metadata: Read and Contents: Read; Actions: Read is used only for Power CI/CD log scanning. SecretSweep scans only repositories you explicitly enable in the app, even if your GitHub App installation grants access to additional repositories.
- Scan results: Finding rule ID, file path, line number, source (repo or ci_log), commit metadata where available, redacted match preview (first and last 4 characters only), SHA-256 hash, severity, finding status, verification status, verification details, scan trigger, and audit history. Full secrets are never stored in plaintext. When a credential is verified as active, an encrypted copy (AES-256-GCM) is retained solely for automated monthly re-verification and is permanently deleted when the credential is revoked or the account is closed.
- Provider verification data: For paid verification, the full candidate secret-shaped string may be sent to the relevant provider API to determine whether it is active or revoked. Current verifier targets are AWS STS (when both AWS key parts are present), GitHub, GitLab, Stripe, OpenAI, Slack tokens, Slack incoming webhooks (hooks.slack.com), SendGrid, npm, DigitalOcean, Doppler, Netlify, Heroku, Notion, Cloudflare, Discord, and Telegram. HTTP verifier requests use the SecretSweep-Verifier User-Agent where supported. This happens during scans and, for active findings, during monthly re-verification.
- CI/CD build logs: GitHub Actions, GitLab Pipeline, and Bitbucket Pipeline logs may be fetched and scanned for leaked credentials. Logs are downloaded to an isolated temp directory, scanned, and immediately deleted. No build log content is stored.
- Settings, audit, and CLI data: Notification preferences, timezone, scan retention, theme preference, CLI API key metadata (last 4 characters and timestamps only), allowlist entries, team detection rules, account-level audit log entries, and CLI telemetry for Pro and Power users who use the private CLI channel (CLI version, OS, architecture, scanned file count, finding count, and duration). Team detection rules are preserved but disabled if your subscription no longer includes them, so you can restore them by re-subscribing to Power or delete them from Settings at any time.
- Billing data: Stripe customer ID, subscription ID, subscription status, and period end date. Credit card numbers are never stored by SecretSweep. Stripe handles all card data directly.
03 How Data Is Used
SecretSweep processes the data listed above only to operate the Service:
- Account operation: Account creation, authentication, repository sync, repository scanning, billing, support, and abuse prevention.
- Detection: Processing repository content, CI/CD logs, and commit metadata (author names and email addresses from git history) for the purpose of detecting leaked credentials in repositories you enabled.
- Verification and re-verification: Sending candidate secret strings to supported provider APIs to determine whether credentials remain active, so you can prioritize rotation and receive stale-active alerts.
- Notifications: Transactional email alerts, billing notices, scan alerts, stale-secret alerts, and optional channel alerts if configured. SecretSweep does not send marketing emails today.
- Audit and exports: Maintaining an audit trail for user-visible account, rule, verification, and remediation actions, and generating account or repository exports at your request.
SecretSweep does not sell personal data, does not share personal data with advertisers, and does not use personal data for automated profiling or decision-making that produces legal or similarly significant effects on users.
Where mandatory data-protection law of a user's jurisdiction requires a specific legal basis for processing, that basis is contract performance for account and billing operations, and legitimate interest in operating a secure scanning service for detection, re-verification, and abuse-prevention processing. This paragraph is included as a courtesy for users whose local law requires such disclosure; it is not an undertaking to comply with any specific foreign data-protection regime.
04 Third-Party Processors
SecretSweep uses the following sub-processors:
- GitHub (github.com): Authentication and repository access. Privacy policy: docs.github.com.
- GitLab (gitlab.com): Repository access for Pro and Power tier users who connect GitLab. Privacy policy: about.gitlab.com/privacy.
- Atlassian/Bitbucket (bitbucket.org): Repository access for Pro and Power tier users who connect Bitbucket. Privacy policy: atlassian.com/legal/privacy-policy.
- Stripe (stripe.com): Payment processing. Privacy policy: stripe.com/privacy.
- AWS (aws.amazon.com): Infrastructure hosting, queueing, email delivery via Amazon SES, and AWS STS verification for AWS key pairs (us-east-1 region unless otherwise stated). Privacy policy: aws.amazon.com/privacy.
- Cloudflare, Inc. (cloudflare.com): Authoritative DNS for secretsweep.com and inbound email routing for support@, security@, and founders@ addresses. Cloudflare receives DNS query metadata and the envelope and contents of inbound emails sent to those addresses before forwarding them to the operator's mailbox. Privacy policy: cloudflare.com/privacypolicy.
- Provider verification APIs: GitHub, GitLab, Stripe, OpenAI, Slack, SendGrid, npm, AWS, DigitalOcean, Doppler, Netlify, Heroku, Notion, Cloudflare, Discord, and Telegram receive candidate secret strings only when SecretSweep runs a supported verification or re-verification check for your enabled repositories.
- Sentry (sentry.io): Error monitoring if configured in production. SecretSweep does not intentionally send source code, plaintext secrets, or full build logs to Sentry. Privacy policy: sentry.io/privacy.
- Google Fonts / jsDelivr (Tailwind CDN): Frontend asset delivery. Your browser contacts these services when loading pages; those services may log IP addresses in connection with asset requests in accordance with their own policies. SecretSweep does not receive that log data.
05 Location of Processing
All personal data processed by SecretSweep is stored and processed in the United States (AWS us-east-1). SecretSweep does not operate servers, offices, or legal entities outside the United States.
As described in Section 1, the Service is offered to users in the United States and is not specifically directed to users outside the United States. Users who access the Service from other countries do so on their own initiative, and by using the Service they acknowledge that their data will be transferred to and processed in the United States. SecretSweep does not enter into Standard Contractual Clauses, Data Processing Agreements, or cross-border transfer instruments on request; users who require such instruments should not use the Service.
06 Data Retention
- Source code: Never stored. Repositories are cloned to a temporary directory, scanned, and deleted immediately.
- Scan findings: Retained according to the user's retention setting (1, 7, 30, 90, 180, or 365 days). The default retention period is 365 days (1 year).
- Team detection rules: Retained while your account remains open, even if a paid subscription ends. If your plan no longer includes team rules, saved rules are disabled and excluded from scans and CLI sync until you re-subscribe to Power. You can delete them any time from Settings.
- Account data: Deleted immediately upon account closure. Deletion runs as a single database transaction that removes sessions, scan findings, scans, CLI telemetry, team rules, allowlist entries, audit log entries, notification settings, repositories, and installations associated with the account, followed by the account record itself. The only residual record is the abuse-prevention entry described below.
- Abuse-prevention record: When an account is deleted, a minimal record is retained indefinitely to enforce lifetime free-tier limits: your public GitHub user ID, irreversible hashed repository identifiers used only to count distinct repositories across deleted accounts, aggregate counters (number of distinct repositories scanned, number of scans in the current calendar month), and limited deletion metadata (month key, first and last deletion timestamps, deletion count). This record contains no source code, findings, email, avatar, tokens, or plaintext repository names. Paid-plan users receive the same safeguard.
- Billing records: Retained for as long as required by applicable tax and accounting law.
07 Cookies
SecretSweep uses the following strictly necessary cookies on the SecretSweep domain:
- secretsweep: Session data is stored server-side in PostgreSQL; the cookie contains only an opaque session identifier. Attributes in production: HttpOnly, Secure, SameSite=Lax, 4-hour expiry.
- _csrf: Provides cross-site request forgery protection. Attributes in production: HttpOnly, Secure, SameSite=Lax.
- secretsweep_theme and secretsweep_theme_resolved: Store your selected appearance preference and the browser-resolved light or dark value so pages render without a visible theme flash. Attributes in production: Secure, SameSite=Lax, 365-day expiry. These cookies are not HttpOnly so the theme script can update them.
- oauth_state, oauth_state_gitlab, and oauth_state_bitbucket: Short-lived cookies used only during OAuth sign-in or connection flows to prevent cross-site request forgery on the callback. Attributes in production: HttpOnly, Secure, SameSite=Lax, up to 10-minute expiry.
When you use Stripe Checkout or the Stripe customer portal, Stripe may set cookies on Stripe-controlled domains for payment, fraud prevention, and session operation. Those cookies are governed by Stripe's policies. No analytics, advertising, or tracking cookies are used by SecretSweep.
08 Your Choices and Requests
As a matter of practice, any user may request access to, correction of, export of, or deletion of their personal data by contacting support@secretsweep.com, regardless of jurisdiction. Most of this is also self-service: you can edit your account in Settings, download an account export from /account/export, adjust notification preferences, and delete your account entirely from the Settings page, which triggers the retention schedule described in Section 6.
- California (CCPA/CPRA): California residents have statutory rights to know, delete, and opt out of the sale of personal information. SecretSweep does not sell personal information and does not share it for cross-context behavioral advertising.
- Washington State (My Health My Data Act): Does not apply. SecretSweep does not collect consumer health data.
- Other jurisdictions: If your local law gives you additional statutory rights over your personal data (including but not limited to mandatory rights under the GDPR, UK GDPR, or similar regimes), those rights apply to the extent required by law. You may exercise any such rights by contacting the email address above. SecretSweep has not appointed a representative, data protection officer, or dispute-resolution body outside the United States.
09 Children
SecretSweep is not directed at anyone under the age of 16. SecretSweep does not knowingly collect personal data from children under 16.
10 Security Incidents
If SecretSweep determines that a security incident creates a legally reportable breach-notification obligation, SecretSweep will provide notice consistent with applicable law, including Washington breach-notification requirements where they apply.
11 Changes to This Policy
Material changes to this policy will be posted with at least 30 days' notice before taking effect. SecretSweep may also use email or an in-app banner for material changes. For questions about changes, contact support@secretsweep.com.