Last Updated: November 24, 2025
GuardScan is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect information when you use GuardScan.
- Your source code NEVER leaves your machine (for static analysis)
- No code is uploaded to GuardScan servers
- AI features use YOUR API keys - we never see your code
- Telemetry is optional and can be disabled
- All data is anonymized when telemetry is enabled
If you enable telemetry (default: enabled, can be disabled with --no-telemetry), we collect:
- Client ID
  - Anonymous identifier generated on first run
  - Used to track usage patterns (not personal identification)
  - Stored locally in your configuration
- Repository ID
  - Hash of your repository path
  - Used to track repository-level statistics
  - Cannot be reversed to identify your repository
- Usage Statistics
  - Commands executed (e.g., "security", "scan", "run")
  - Lines of code scanned (aggregate counts)
  - Feature usage (which commands are used most)
  - Error types (for debugging, no stack traces)
- System Information (Anonymized)
  - Node.js version
  - Operating system type (not specific version)
  - GuardScan version
- ❌ Source code - Never collected or transmitted
- ❌ File contents - Never collected or transmitted
- ❌ API keys - Never collected or stored
- ❌ Personal information - No names, emails, or identifiers
- ❌ Repository paths - Only hashed repository IDs
- ❌ File names - Not collected
- ❌ Git history - Not collected
- ❌ Network information - No IP addresses stored
When telemetry is enabled, we use the collected data to:
- Product Improvement
  - Understand which features are most used
  - Identify areas for improvement
  - Prioritize development efforts
- Bug Fixes
  - Identify common error patterns
  - Improve error handling
  - Enhance stability
- Analytics
  - Aggregate usage statistics
  - Measure adoption of features
  - Track version distribution
- Location: Cloudflare Workers (global edge network)
- Database: Supabase (PostgreSQL)
- Retention: Data is retained for up to 1 year
- Security: All data is encrypted in transit and at rest
You can disable telemetry at any time:
```bash
guardscan --no-telemetry security

# Edit your config file
guardscan config
# Or manually edit: ~/.guardscan/config.yaml
# Set telemetry.enabled: false

export GUARDSCAN_NO_TELEMETRY=true
guardscan security
```
When you use AI features (code review, documentation generation, etc.):
- Stored locally in your configuration file (~/.guardscan/config.yaml)
- Never transmitted to GuardScan servers
- Sent directly to your chosen AI provider (OpenAI, Anthropic, etc.)
- Code snippets are sent to your AI provider (OpenAI, Claude, etc.)
- GuardScan does NOT see your code or AI responses
- You control which AI provider receives your code
- Review your AI provider's privacy policy (OpenAI, Anthropic, Google, etc.)
- When using Ollama, everything stays local
- No data leaves your machine
- No network requests to external services
- No network requests required
- Works completely offline
- No data transmission
- Direct connection to your AI provider
- No GuardScan servers involved
- Your code goes directly to OpenAI/Claude/etc.
- HTTPS only - All data encrypted in transit
- Minimal data - Only metadata, no code
- Optional - Can be completely disabled
- npm registry - Checks for updates
- No personal data sent
- Can be disabled by setting environment variable
- Encryption
  - All data encrypted in transit (HTTPS/TLS)
  - Database encryption at rest
  - Secure API endpoints
- Access Control
  - Limited access to telemetry data
  - No access to source code (we don't collect it)
  - Regular security audits
- Infrastructure
  - Cloudflare Workers (edge network)
  - Supabase (PostgreSQL database)
  - Industry-standard security practices
- Local Storage
  - Configuration files stored locally
  - API keys stored in local config
  - Cache files stored locally
- Best Practices
  - Don't commit config files to version control
  - Use environment variables for sensitive data
  - Regularly rotate API keys
- Telemetry Data: Stored in Supabase (PostgreSQL) - location depends on your Supabase region
- Processing: Cloudflare Workers (global edge network)
- Your Code: Never stored anywhere - stays on your machine
GuardScan uses the following third-party services:
- npm Registry: For package installation and version checking
- AI Providers (if configured): OpenAI, Anthropic, Google, Ollama
- Cloudflare Workers: Backend API for telemetry
- Supabase: Database for telemetry storage
Note: When telemetry is disabled, no data is sent to Cloudflare or Supabase.
- Retention: Up to 1 year
- Deletion: You can request deletion by emailing ntanwir10@outlook.com
- Anonymization: Data is anonymized and cannot be linked to individuals
- Configuration: Stored locally, you control it
- Cache: Stored locally, can be cleared with guardscan reset
- Logs: Stored locally, you control retention
GuardScan is not intended for users under 13 years of age. We do not knowingly collect personal information from children.
We may update this Privacy Policy from time to time. Changes will be:
- Posted on this page
- Dated with "Last Updated" timestamp
- Communicated via GitHub releases for significant changes
For privacy-related questions or concerns:
- Email: ntanwir10@outlook.com
- GitHub Issues: For general questions (not sensitive privacy matters)
You have the right to:
- Disable telemetry at any time
- Request data deletion (email ntanwir10@outlook.com)
- Access your data (if telemetry is enabled)
- Use GuardScan completely offline (no telemetry, no network)
What GuardScan Collects (if telemetry enabled):
- Anonymous client ID
- Hashed repository ID
- Usage statistics (commands, LOC counts)
- System information (Node.js version, OS type)
What GuardScan Does NOT Collect:
- Source code
- File contents
- API keys
- Personal information
- Repository paths
- File names
Your Control:
- ✅ Disable telemetry anytime
- ✅ Use completely offline
- ✅ Control your API keys
- ✅ Your code never leaves your machine (for static analysis)
GuardScan is committed to privacy-first development. Your code stays yours.