Privacy Policy

Last updated: March 30, 2026

What we collect

Anonymous users (no sign-in):

  • Your dependency file is parsed entirely in your browser. We never see the file.
  • Only package names and versions are sent to our API for scoring.
  • No cookies, no tracking, no analytics.

Signed-in users (GitHub OAuth):

  • GitHub profile: name, email, avatar URL, GitHub user ID
  • GitHub OAuth access token (used for API calls on your behalf)
  • Watchlist entries you save (package lists, up to 20 projects)
  • Authentication cookies (session management only)

GitHub App (if installed):

  • PR metadata: repo name, PR number, changed file names
  • Dependency file contents (read-only, for analysis)
  • Activity logs: which PRs were analyzed, package counts (capped at 100 per installation)

How we use it

  • Score your dependencies using public registry and GitHub API data
  • Cache results in Redis to improve response times (12-72 hour TTL)
  • Display your watchlist and activity feed on your dashboard
  • Post health report comments on your PRs (GitHub App only)

We do not sell, share, or monetize your data. Ever.

Data retention

  • Package score cache: 12-72 hours (based on download popularity)
  • Shared report links: 30 days
  • Watchlist entries: until you delete them
  • Activity logs: last 100 events per GitHub App installation
  • Bot settings: until you delete your account

Third-party services

  • GitHub API - to fetch repository health signals
  • npm, PyPI, crates.io, Go proxy, RubyGems, Packagist, Maven Central, pub.dev - to fetch package metadata
  • Upstash Redis - to cache results and store user data
  • Vercel - to host the application

Your rights

You can at any time:

  • Delete your data - go to Dashboard and remove all watchlist entries, or contact us to delete your account entirely
  • Export your data - use the Export JSON/CSV buttons on any report
  • Revoke access - remove the GitHub OAuth app from your GitHub settings
  • Uninstall the bot - remove the GitHub App from your repos at any time

For GDPR data deletion requests, email privacy@orelsec.com

Cookies

We use a single authentication cookie when you sign in with GitHub. This cookie is strictly necessary for the sign-in feature to work. We do not use analytics cookies, tracking cookies, or advertising cookies. No cookie consent banner is needed because we only use strictly necessary cookies.

Contact

Questions about this policy? Email privacy@orelsec.com