Privacy Policy
Last updated: May 20, 2026. This page covers the free public scanner at socbox.cloud — what we collect from each submission, why, how long we keep it, and how to ask us to delete it.
Summary
- We collect three things per submission: the Git URL you submitted, an optional email address, and a truncated client IP plus user-agent string for rate limiting.
- We never store your full IP address. IPv4 is truncated to a /24; IPv6 to a /48.
- Scans and their findings are public by design and kept indefinitely. Emails are kept until you unsubscribe.
- No analytics, no advertising cookies, no third-party trackers on the public scanner path.
- You can ask for full erasure of an email subscription, or of a specific scan, by following the steps in “Your rights” below.
What we collect
- The submitted Git URL. This is the repository you asked us to scan — for example https://github.com/owner/repo. We store it verbatim and use it as the canonical identifier for the resulting public permalink.
- Optional email address. If you tick the “email me when it's done” box, we store the address you typed. It's only used to send the one-shot completion notification.
- Truncated client IP and user agent. When you submit a scan, our edge sees your IP address and your browser's user-agent string. Before either touches the database, we truncate IPv4 addresses to /24 (last octet zeroed) and IPv6 addresses to /48 (last 80 bits zeroed). We do not store the full IP.
- The scan output itself. Findings, SBOM, risk score, and the per-tool logs are computed by the pipeline and stored alongside the permalink. Treat everything in a scan permalink as public.
That's all. The public scanner doesn't use cookies, doesn't set analytics tags, and doesn't attempt to fingerprint your browser.
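As an added illustration (not the scanner's own code), this is how the truncation described above can be applied before a client IP reaches storage. The handling of IPv4-mapped IPv6 addresses and the shape of the rate-limit key are assumptions for the example, not something the policy states.

```python
import ipaddress

# Prefix lengths stated in the policy: IPv4 keeps a /24, IPv6 keeps a /48.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def truncate_client_ip(raw: str) -> str:
    """Return the network-prefix form of a client IP so that the full address
    is never written to the database.

    IPv4: last octet zeroed (203.0.113.77 -> 203.0.113.0).
    IPv6: last 80 bits zeroed (2001:db8:abcd:1234::1 -> 2001:db8:abcd::).
    """
    addr = ipaddress.ip_address(raw.strip())
    # Assumption (not in the policy): an IPv4-mapped IPv6 address such as
    # ::ffff:203.0.113.77 is treated as IPv4. Masking it to /48 as IPv6 would
    # leave the embedded IPv4 address fully intact, defeating the truncation.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def is_truncated(stored: str) -> bool:
    """Sanity check for a stored value: re-truncating it must be a no-op."""
    return truncate_client_ip(stored) == stored


def rate_limit_key(raw_ip: str, user_agent: str) -> str:
    """Hypothetical rate-limit key: truncated IP plus the user-agent string.
    The key never contains the full client address."""
    return f"{truncate_client_ip(raw_ip)}|{user_agent}"


if __name__ == "__main__":
    # Constructed sample inputs from documentation address ranges.
    for sample in ("203.0.113.77", "2001:db8:abcd:1234:5678::1", "::ffff:203.0.113.77"):
        print(sample, "->", truncate_client_ip(sample))
```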
Why we collect it
- Truncated IP and user agent: rate limiting and abuse detection. A bad actor pointing the scanner at third parties needs to be stopped at the edge, and the truncated IP plus UA is the minimum signal that lets us do that without identifying individuals.
- Git URL: it is the scan. We need it to fetch the code, run the tools, and generate the public permalink page you (and anyone you share the link with) can read.
- Email: a single transactional message telling you the scan finished, with a link to the permalink. No marketing, no newsletter, no follow-ups.
Retention
- Scan and findings: stored indefinitely. The public scanner is partly an evolving public corpus of what real-world repositories look like; we don't auto-expire permalinks. You can request removal of an individual scan — see below.
- Email address: kept until you unsubscribe. Every notification we send carries a one-click unsubscribe link. Unsubscribing deletes the row from our database within seven days; we don't keep a suppression-list copy.
- Truncated IP and user agent: retained with the scan row for as long as the scan exists, so that an abuse complaint about a particular permalink can be correlated to the rate-limit window it came from.
Your rights
Wherever you are, you can ask us to delete what we hold about you. If you're in the EU, UK, or another region with statutory data-protection rights (GDPR, UK GDPR, CCPA, and similar), this section also describes how to exercise them.
- Unsubscribe an email: click the unsubscribe link at the foot of any notification email, or email privacy@socbox.cloud with the address you want removed. We delete the row within seven days.
- Erase a specific scan: email privacy@socbox.cloud with the permalink URL and a sentence about why (ownership, leaked secret you need rotated rather than indexed, legal request, etc.). Valid requests are honoured within thirty days; urgent secrets-leak takedowns are usually same-day.
- Access / correction / portability: the public corpus is, by definition, already accessible to you — every scan you submitted is at its public permalink. If you want a machine-readable bundle of every scan you can prove was yours, email privacy@socbox.cloud.
- Complaint: EU and UK residents have the right to lodge a complaint with their local supervisory authority. We'd rather you contact us first — if we've done something wrong we'd like the chance to fix it.
Sub-processors
The public scanner uses a deliberately short list of third-party services. As of the last-updated date above:
- Source Git hosts — when you submit a URL on GitHub, GitLab, Codeberg, or Gitea, we fetch the repository from that host. That fetch is just a public git clone — the host sees us downloading public code. They do not receive your email or your IP.
No analytics provider, no error tracker, no advertising partner. Email-delivery and billing sub-processors arrive with the full platform; they'll be listed here, and we'll bump the “last updated” date, when those features ship.
Cookies and tracking
The public scanner path (/, /scan/<id>, and the marketing pages) sets no cookies and uses no analytics. There is no consent banner because there is nothing to consent to.
Signed-in dashboards and paid tiers are still in development and not part of this build. When they ship, they'll use a session cookie (HTTP-only, SameSite=Lax) for login plus a CSRF token, and billing will run through a third-party payment processor. We'll document that cookie and billing data flow — including the processor — here as those features roll out. The public scanner path will remain cookie-free regardless.
Children's privacy
The scanner is not directed at children. We don't knowingly accept submissions or email addresses from anyone under sixteen. If you believe a child has submitted personal data to us, email privacy@socbox.cloud and we'll delete it.
Changes to this policy
We may update this policy. When we do, we'll update the “last updated” date at the top. If a change is material — for example, adding a new sub-processor, or starting to collect a new data category — we'll also note it on the home page or recent-scans feed for at least thirty days.
Contact
- Privacy / erasure requests: privacy@socbox.cloud
- Abuse and takedown: /abuse (or abuse@socbox.cloud)
- Security vulnerabilities in socbox itself: /security