Privacy Policy
Last updated: April 8, 2026
1. What We Collect
PullGuard collects the minimal information necessary to provide the service:
- Account information: Email address (for license key delivery and support)
- Organization/repository names: Used for license key binding and billing
- Payment information: Processed by Stripe; PullGuard does not store credit card numbers
2. What We Do NOT Collect
PullGuard does not collect, transmit, or store:
- Your source code: All analysis runs on your own GitHub Actions runners. Code never leaves your infrastructure.
- Analysis results: Findings, scores, grades, and reports are generated locally and stay in your CI pipeline.
- Usage telemetry: PullGuard has zero analytics, tracking, or telemetry. No data is sent to PullGuard servers during scans.
- Repository contents: The Docker image processes files locally and writes results to stdout and GitHub Actions outputs.
3. External API Calls
During analysis, the scanner makes calls to the following public APIs for dependency vulnerability and version checking:
- OSV API (api.osv.dev) — queries the Open Source Vulnerabilities database for known CVEs. Only package names and versions are sent.
- Package registries (registry.npmjs.org, pypi.org, proxy.golang.org, search.maven.org, rubygems.org) — checks latest versions for dependency freshness scoring. Only package names are sent.
No source code, file contents, or analysis results are transmitted in these API calls. Air-gapped mode disables all external calls and uses a local vulnerability database instead.
4. Data Processing
PullGuard is a self-hosted tool. All data processing occurs on your infrastructure:
- The Docker image runs as a container in your GitHub Actions workflow
- Source files are read from the checked-out repository on the runner
- Results are written to the runner's filesystem and GitHub Actions outputs
- No data leaves the runner except the external API calls described above
5. GDPR Compliance
PullGuard processes minimal personal data (email address for account setup). We do not process source code on our servers, so no Data Processing Agreement is required for code analysis. For questions about data rights, contact us at hello@pullguard.dev.
6. Data Retention
We retain your email address and organization name for the duration of your subscription. Upon cancellation, account data is deleted within 30 days. We do not retain any source code or analysis results, as these never leave your infrastructure.
7. Cookies
The PullGuard website (pullguard.dev) does not use cookies, local storage, or any client-side tracking. No analytics scripts (Google Analytics, Mixpanel, Segment, etc.) are loaded. No cookie consent banner is required because no cookies are set.
8. GDPR Rights
If you are in the European Economic Area (EEA), you have the right to:
- Access: Request a copy of any personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Request your data in a machine-readable format
- Objection: Object to processing of your personal data
To exercise any of these rights, contact hello@pullguard.dev. We will respond within 30 days.
9. Third-Party Services
We use Stripe for payment processing. Stripe's privacy policy applies to payment data. PullGuard does not use any other third-party services for data processing.
10. Contact
For privacy questions or data requests: hello@pullguard.dev