Privacy Policy
Effective: 2026-04-21 · Version 1.0
Securie ("Securie", "we", "us") operates securie.ai. This policy explains what data we handle, why, how long, and the rights you have.
1. Who we are
Securie is a Delaware C-Corp at [registered address to be added]. Our Data Protection contact is privacy@securie.ai.
2. Data we collect
- Account data — your email, OAuth identity (GitHub / Apple / Google), organization name, and billing contact when you upgrade.
- Repository content — when you install our GitHub App or Vercel Integration, we process pull-request diffs and configuration files solely to produce a finding + suggested fix. On paid tiers we do not retain repository content beyond the current scan run.
- Findings & attestations — signed metadata about vulnerabilities we discovered in your repos and the fixes you accepted. Retained for audit (7 years minimum).
- Usage telemetry — IP address, browser user-agent, feature events (login, scan-run, fix-accept). Aggregated and retained for up to 24 months.
3. Legal bases (GDPR Art. 6)
- Contract performance — for the scanning and fix generation your workflow depends on.
- Legitimate interest — for telemetry required to operate and secure the service.
- Consent — for optional research / product-improvement use, which you may revoke at any time in Settings.
4. Data residency
The default processing region is the US (AWS us-east-1). EU-residency customers may elect eu-central-1 at the Indie tier and above; the DPA applies automatically. We make no transfers to countries lacking an adequacy decision unless the Standard Contractual Clauses 2021 (Modules 2 & 3) are in force.
5. Sub-processors
- AWS (infrastructure)
- Stripe (billing)
- Vercel (edge & hosting)
- Cloudflare (DNS + WAF)
- DeepInfra, OpenRouter, OpenAI, Anthropic, Google — model inference providers (see §6)
6. AI model processing
We use open-weight models self-hosted where possible (Foundation-Sec-8B on our hardware). Where we call external AI providers for marginal cases, we do so under their zero-data-retention commitments; your repository content is not used to train their models. Model identifiers that served a request are recorded in the finding's signed attestation so you can audit what touched your code.
7. Your rights
You can access, correct, export, or delete your data at any time. Submit a Data Subject Access Request to dsar@securie.ai (we reply within 30 days as required by GDPR Art. 15–17, and within 45 days as required by CCPA §1798.130).
8. Security
We use the platform we sell: Securie scans Securie. Send disclosures to security@securie.ai (PGP available; see /security/disclosure). A SOC 2 Type II engagement is in progress with a Big-4-adjacent auditor.
9. Changes
Material changes trigger an email to account owners at least 30 days before the effective date. Non-material edits are dated and versioned on this page.