Early access policy

Privacy Policy

This policy describes how AI App Security Review handles account data, scan activity, repository imports, and report-related information during early access. It should be reviewed before broader public launch.

Last updated

June 11, 2026

Overview

What this policy covers

This policy describes how AI App Security Review handles account data, scan activity, repository imports, and report-related information during early access.

What the product does

AI App Security Review provides a static pre-launch review for AI-built applications. You can upload a ZIP or import a selected GitHub repository so the service can identify security findings, launch blockers, and remediation priorities.

This policy is provided for early access and should be reviewed before broader public launch.

Static review boundaries

Uploaded or imported code is never executed or run, loaded as a module, or installed.

Dependencies are not installed and package-manager commands are not run inside reviewed projects.

Stored data

Data that may be stored

This version stores limited account, waitlist, and scan details. It is not designed to store raw project contents.

Account data

Account data may include basic account information such as your email address, account identifier, and verification status.

A verified email address is required before running security reviews in this version.

Waitlist data

If you join the waitlist, waitlist entries may be stored in Supabase. This can include your email address, what you are building, requested features, and submission date.

Do not submit project code, secrets, tokens, or private credentials in waitlist fields.

Scan details

After a successful scan, limited scan details may be stored. This can include account identifier, source type, repository name if GitHub was used, branch/ref, scan date, launch status, readiness score, and blocker/warning/hardening counts.

This version is not designed to store full report history, raw source code, uploaded ZIPs, fetched repository contents, raw secret values, or private GitHub tokens.

Review inputs

How scan input is handled

ZIPs and GitHub contents are processed for review; sensitive evidence is masked before display or export.

Uploaded ZIPs and GitHub contents

Uploaded ZIPs and fetched GitHub repository contents are processed to generate the static review and are not stored as long-term product records.

The review indexes file paths, text files up to a size limit, package manifests, lockfiles, and the configuration and source signals needed for the report.

Secrets and evidence

Potential secrets are masked before being shown in the browser, included in reports, exported to Markdown, or used in supported report workflows.

Raw secret values are not meant to be stored in any form. If a report flags a credential, treat it as exposed: rotate it in the provider dashboard and move it to protected server-side configuration (for example an environment variable or a secrets manager) rather than leaving it in the repository.
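The masking step described above, as an added illustration that is not the product's own code: evidence is masked at the moment a finding is created, so the browser, the report, the Markdown export, and any stored scan detail only ever see the masked form. The credential patterns, the four-character prefix rule, and the sample lines are assumptions chosen for this example.

```python
import json
import re

# Illustrative credential shapes (assumptions, not the product's rules):
# a key/value assignment whose name looks secret-bearing, a bearer token,
# and an AWS access key id. Quotes are optional and preserved.
KEY_VALUE = re.compile(
    r'(?i)(\w*(?:api[_-]?key|secret|token|password|passwd|pwd)\w*)'
    r'(\s*[:=]\s*)(["\']?)([^\s"\',;]+)(\3)'
)
BEARER = re.compile(r'(?i)\b(bearer\s+)([A-Za-z0-9._\-]+)')
AWS_KEY = re.compile(r'\b(AKIA[0-9A-Z]{16})\b')


def mask_value(value, keep=4):
    """Keep a short prefix so a finding stays recognisable, mask the rest.

    Short values are masked completely: a 4-char prefix of a 7-char
    password would reveal most of it.
    """
    if len(value) < 3 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def mask_secrets(line):
    """Return the line with every matched credential value masked in place."""
    line = KEY_VALUE.sub(
        lambda m: m.group(1) + m.group(2) + m.group(3)
        + mask_value(m.group(4)) + m.group(5),
        line,
    )
    line = BEARER.sub(lambda m: m.group(1) + mask_value(m.group(2)), line)
    line = AWS_KEY.sub(lambda m: mask_value(m.group(1)), line)
    return line


def build_finding(path, lineno, raw_line):
    """Create a finding record. Only the masked evidence is kept;
    the raw line is not retained anywhere in the record."""
    return {"path": path, "line": lineno, "evidence": mask_secrets(raw_line)}


# Constructed sample lines standing in for text scanned from a repository.
SAMPLE_LINES = [
    ("config/settings.py", 12, 'STRIPE_SECRET_KEY = "sk_live_abcdef1234567890"'),
    ("config/settings.py", 13, "DEBUG = False"),
    ("src/client.js", 40, "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"),
    (".env.example", 1, "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"),
]


def review_findings(lines=SAMPLE_LINES):
    """Build masked findings for every sample line; this list is what would be
    shown in the browser or exported to Markdown."""
    return [build_finding(p, n, raw) for p, n, raw in lines]


def export_markdown(findings):
    """Render findings as a Markdown table from masked evidence only."""
    rows = ["| File | Line | Evidence |", "|---|---|---|"]
    rows += [f"| {f['path']} | {f['line']} | `{f['evidence']}` |" for f in findings]
    return "\n".join(rows)


if __name__ == "__main__":
    findings = review_findings()
    print(export_markdown(findings))
    print(json.dumps(findings, indent=2))
```

The patterns are deliberately aggressive: a value such as `os.environ["DB_PASSWORD"]` on a line whose name contains `password` will be partly masked too, which costs a little readability but never leaks a real value. Masking once, at record creation, is what makes the later display, report, and export paths safe by construction instead of relying on each of them to remember to redact.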

GitHub import

GitHub import is a read-only repository review flow in this version. Repository contents are read for static analysis.

Import does not post comments, create pull requests, modify files, or write to the repository.

Logs

Operational logs should be limited to basic operational details such as timestamps, source type, success/failure state, scan size, and error type.

Logs should not include raw code, uploaded files, raw secret values, private GitHub tokens, private keys, or full report contents.

Services and control

Third parties and user control

The product relies on a small set of infrastructure providers and should support deletion requests as it matures.

Third-party services

The product may use third-party services for authentication, storage of waitlist and scan details, hosting, and GitHub repository import.

These services process data according to their own terms and privacy practices.

Deletion and contact

Users should be able to request deletion of account-linked scan details and waitlist data as the product matures.

A dedicated support contact should be added before broader public launch. Until then, use the product owner's published contact channel.