Privacy Policy
RepoRisk is a product of Infosec Chicago (“Infosec Chicago,” “we,” “our,” or “us”). This Privacy Policy explains how we collect, use, process, and disclose information when you access or use RepoRisk (the “Service”).
1. Information we collect
Account and authentication information
- Name, email address, and organization details you provide during signup
- Authentication identifiers and session information provided by Clerk
- Profile information received through social login providers (e.g., Google, Apple, Microsoft, Facebook), if you choose to use them
Submitted repositories and assessment data
- Repository URLs or extension sources submitted for analysis
- Assessment outputs, grades/scores, severity counts, and structured findings
- Metadata such as timestamps and processing status
Technical and usage data
- IP address, browser type, and device information
- Session and security logs
- Usage metrics and feature interaction data (if analytics is enabled)
2. How we use information
We process information to:
- Provide, operate, and improve the Service
- Authenticate users and maintain account security
- Generate structured risk assessment reports
- Provide customer support
- Monitor system performance and detect misuse
- Process billing and subscriptions (when enabled)
We process personal information based on legitimate business interests, contractual necessity, compliance with legal obligations, and user consent where applicable.
3. AI processing
RepoRisk uses third-party AI systems to analyze submitted repositories and extension code to generate structured reports.
For fully inclusive plans, submitted code and contextual analysis data may be processed via Anthropic Claude under a commercial API agreement that does not permit Anthropic to use submitted data for training its general foundation models.
For Bring Your Own Key (BYOK) plans, processing occurs under your own Anthropic API credentials and is governed by Anthropic’s commercial API terms.
Submitted content is processed solely for generating assessment outputs. We do not sell submitted repositories, submitted code, or analysis data.
4. Your responsibility for submitted content
You are responsible for ensuring you have the legal right to submit any repository or extension for analysis. For submitted code, Infosec Chicago acts as a service provider processing content solely to provide assessment outputs.
5. Infrastructure and third-party providers
We use third-party providers to operate the Service, including:
- Cloudflare (network, performance, and security)
- Railway (application hosting)
- Clerk (authentication)
- Sentry (error monitoring)
The following tools are anticipated but may not yet be enabled. If/when enabled, they will be used for the purposes noted:
- Google Analytics (website/product analytics)
- Paddle (billing and subscription management)
- Intercom (customer support and messaging)
6. Social login providers
If you authenticate using a third-party identity provider (e.g., Google, Apple, Microsoft, Facebook), we may receive limited profile information such as name and email address, as permitted by your account settings with that provider.
7. Data retention
We retain account and assessment data for as long as your account remains active or as needed for legitimate operational, security, and legal purposes.
Certain security logs and diagnostic records may be retained after account deletion for fraud prevention, legal compliance, or system integrity purposes.
8. Data location
Information may be processed and stored in the United States or other jurisdictions where our service providers operate.
9. Security
We implement reasonable technical and organizational measures designed to protect information. However, no system can guarantee absolute security.
10. Business transfers
In the event of a merger, acquisition, restructuring, or sale of assets, information may be transferred as part of that transaction, subject to applicable law.
11. Your rights
You may request access, correction, or deletion of personal information by contacting: [email protected]
12. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date reflects the effective date of changes. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.