Privacy Policy

Effective: 2026-04-21 · Version 1.0

Securie ("Securie", "we", "us") operates securie.ai. This policy explains what data we handle, why, how long, and the rights you have.

1. Who we are

Securie is a Delaware C-Corp at [registered address to be added]. Our Data Protection contact is privacy@securie.ai.

2. Data we collect

  • Account data — your email, OAuth identity (GitHub / Apple / Google), organization name, and billing contact when you upgrade.
  • Repository content — when you install our GitHub App or Vercel Integration, we process pull-request diffs and configuration files solely to produce a finding + tested repair. On paid tiers we do not retain repository content beyond the current scan run.
  • Findings & attestations — signed metadata about vulnerabilities we discovered in your repos and the repairs you accepted. Retained for audit (7 years minimum).
  • Usage telemetry — IP address, browser user-agent, feature events (login, scan-run, fix-accept). Aggregated and retained for up to 24 months.

3. The no-training guarantee

We do not use your code as training data — on any tier, free or paid. Not for our own models, not via third-party providers, not for product improvement, not for shared corpora, not under any circumstance. Securie ships stock-weight OSS models and does not fine-tune, distill, or train them.

This is a contractual guarantee, not a configurable toggle. It is enforced at three layers:

  • Contract — the no-training obligation for every tenant.
  • Technical — Securie has no fine-tuning or model-training pipeline. The infrastructure that could have ingested code into a training corpus was removed in its entirety; there is nothing left that could train on your code.
  • Process — the absence of any training pipeline is covered by our internal access controls and is published as a signed Training-data attestation.

4. Free tier

On the free Public OSS tier, Securie scans your public-repository code to produce your scan results, findings, and badge. That code is processed at scan time and is not retained for training, shared corpora, or any model — the §3 no-training guarantee above applies to the free tier identically to paid tiers. Aggregated, non-code usage telemetry (see §2) is the only data retained beyond your own findings.

5. Legal bases (GDPR Art. 6)

  • Contract performance — for scanning and fix-generation your workflow depends on.
  • Legitimate interest — for telemetry required to operate and secure the service.
  • Consent — for optional research / product-improvement use, which you may revoke at any time in Settings.

6. Data residency

Default processing region is the US (AWS us-east-1). EU-residency customers may elect eu-central-1 on paid managed plans; the DPA applies automatically. We do not transfer data to countries without an adequacy decision unless the Standard Contractual Clauses 2021 (Modules 2 & 3) are in force.

7. Sub-processors

  • AWS (infrastructure)
  • Stripe (billing)
  • Vercel (edge & hosting)
  • Cloudflare (DNS + WAF)
  • DeepInfra, OpenRouter, OpenAI, Anthropic, Google — model inference providers (see §6)

8. AI model processing

We use self-hosted and external AI providers under managed routing and data-handling controls. Where we call external AI providers, we do so under no-training or zero-data-retention commitments where available; your repository content is not used to train their shared models. The evidence bundle records the policy and control path used for each run.

9. Your rights

You can access, correct, export, or delete your data at any time. Submit a Data Subject Access Request to dsar@securie.ai (we reply within 30 days as required by GDPR Art. 15–17, and within 45 days as required by CCPA §1798.130).

10. Security

We use the platform we sell: Securie scans Securie. Disclosures to security@securie.ai (PGP available; see /legal/responsible-disclosure).

11. Changes

Material changes trigger an email to account owners at least 30 days before the effective date. Non-material edits are dated and versioned on this page.