Last updated: June 1, 2026
When you sign in with GitHub, we receive and store: your GitHub user ID, login name, display name, email address (if public), and avatar URL. We also store an encrypted copy of your GitHub OAuth access token, used solely to fetch your repository list and clone repositories for scanning.
We store scan findings: file paths, line numbers, severity levels, scanner names, and finding descriptions. We do not store your source code.
Your data is used exclusively to provide the LegacyCode MRI service: authenticating your session, listing your repositories, running scans, and displaying results to you. We do not sell your data, share it with third parties for advertising, or use it to train machine learning models.
Scan findings are summarised using the Claude API (Anthropic). The findings text (file paths, vulnerability descriptions) is sent to Claude for summarisation and then discarded. Your source code is never sent to any external AI service.
Your account data and scan history are retained as long as your account is active. You can delete your account and all associated data at any time from Settings → Account. Repository clones are deleted immediately after each scan completes — typically within 5–10 minutes of scan initiation.
GitHub tokens are encrypted at rest using AES-256-CBC with unique per-token IVs. Connections are encrypted in transit using TLS 1.2+. We use industry-standard infrastructure (Railway, Vercel, Supabase) with SOC 2 Type II certified providers.
We use a single session cookie to keep you signed in. We do not use tracking cookies or third-party analytics. See our Cookie Policy for details.
You have the right to access, correct, export, or delete your personal data at any time. To exercise these rights, use the account settings page or our contact form.
Questions about this policy? Use our contact form.