Privacy Policy — RepoReady

Overview

RepoReady (“we,” “us,” or “our”) operates the RepoReady service at repoready.app. This Privacy Policy explains what information we collect, how we use it, and the choices you have. We keep this simple because we run a small, focused service — not an ad network.

Information We Collect

Account information

When you sign in via GitHub OAuth, our authentication provider (Clerk) receives your GitHub username, email address, and profile photo. We store your Clerk user ID and, when you subscribe, your Stripe customer ID. We do not store passwords.

GitHub access

RepoReady requests read access to your GitHub repositories so we can fetch file contents for scanning. Your GitHub OAuth access token is held by Clerk — it is never stored in our database or application servers. We use the token only to list your repos and fetch files during an active scan.

Scan data

When a scan runs, we fetch selected files from your repository (API routes, middleware, environment config patterns, payment code). We store the following about each finding:

— The rule that fired and its severity
— The file path within your repo
— A code snippet of at most 10 lines around the match
— The SHIP-SAFE domain and fix guidance text

Full file contents are never stored in our database. We do not store file content beyond the 10-line snippet.

Billing information

Payment processing is handled entirely by Stripe. We never see or store credit card numbers. We store your Stripe customer ID and subscription status (active, past_due, canceled) to gate access to paid features.

Usage data

We collect basic server logs (IP address, request path, timestamp) for security monitoring and rate limiting. We do not use third-party analytics trackers like Google Analytics.

How We Use Your Information

✓ To run SHIP-SAFE audits on repos you select
✓ To display scan results and history in your dashboard
✓ To manage your subscription and billing via Stripe
✓ To send transactional emails (scan complete notifications) via Resend
✓ To enforce per-tier feature limits (free scan cap, repo limits, finding gating)
✓ To protect the service from abuse via rate limiting and security logging

We do not sell your data. We do not use your repository code or findings to train AI models. We do not share your data with third parties for advertising purposes.

Data Sharing

We share your data only with the following service providers, solely to operate RepoReady:

ClerkAuthentication and GitHub OAuth token storagePrivacy ↗

NeonPostgreSQL database hosting (scan results, subscriptions)Privacy ↗

StripePayment processing and subscription managementPrivacy ↗

ResendTransactional email deliveryPrivacy ↗

VercelApplication hosting and serverless executionPrivacy ↗

Public Reports

Every scan generates a public report URL at repoready.app/reports/[id]. This page shows the top 3 findings from your scan and is intentionally crawlable by search engines (for viral distribution). If you do not want a report indexed, you can avoid sharing the URL — reports are not listed anywhere on our site. We do not currently provide a deletion mechanism for individual reports, but you may contact us to request deletion.

Data Retention

We retain your scan data and account information for as long as your account is active. If you delete your account, we will delete your scan history, findings, and personal information within 30 days. Stripe retains billing records independently per their own policy.

Security

We enforce HTTPS on all endpoints. GitHub tokens are stored by Clerk and never written to our application database. Database access uses short-lived credentials via Neon. We apply rate limiting to all scan-trigger and auth endpoints. Code snippets stored in our database are capped at 10 lines and never include the surrounding context that would make secrets extractable.

Your Rights

Depending on your location, you may have rights to:

— Access the personal data we hold about you
— Request correction of inaccurate data
— Request deletion of your account and associated data
— Revoke GitHub OAuth access at any time via GitHub Settings → Applications

To exercise these rights, email us at privacy@repoready.app.

Cookies

We use session cookies set by Clerk for authentication only. We do not use advertising cookies or third-party tracking pixels.

Children

RepoReady is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

Changes to This Policy

We may update this policy as the service evolves. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify active subscribers by email. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy? Email us: privacy@repoready.app