Last updated: 13 May 2026
We collect the following information when you use CodeScan:
• Account information: email address and hashed password when you register.
• Usage data: number of files scanned, scan timestamps, and your subscription tier.
• Payment information: processed securely by Stripe. We never store credit card numbers.
• Support tickets: name, email, phone (optional), and issue description submitted via our support form.
• Technical data: IP address, browser type, and access timestamps for security and abuse prevention.
We use the information we collect to:
• Provide, operate, and improve the CodeScan service.
• Process payments and manage your subscription.
• Send transactional emails (receipts, subscription updates, support responses).
• Enforce our Terms of Service and prevent abuse.
• Analyse usage patterns to improve features (aggregate, anonymised data only).
Files you upload or scan through the CodeScan web interface are:
• Processed in-memory on isolated serverless functions.
• Never written to disk or stored in any database.
• Never used to train AI models.
• Discarded immediately after the scan response is sent.

For CLI users, files are transmitted over HTTPS directly from your machine to our API and are subject to the same protections.
We do not sell your personal information. We share data only with:
• Stripe (payment processing)
• Supabase (authentication and usage data storage)
• Anthropic (AI analysis — only file content during a scan, not your account data)
• Resend (transactional email delivery)
• Vercel (hosting infrastructure)

All sub-processors are contractually bound to protect your data.
• Account data: retained while your account is active. Deleted within 30 days of account closure.
• Usage logs: retained for 12 months for billing and abuse prevention.
• Support tickets: retained for 2 years.
• Payment records: retained as required by applicable law (typically 7 years).
Depending on your jurisdiction, you may have the right to:
• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your data.
• Export your data in a portable format.
• Object to or restrict certain processing.

To exercise these rights, contact us at support@flowlog.dev.
We use only essential session cookies required for authentication. We do not use tracking or advertising cookies. We do not use third-party analytics cookies.
We use industry-standard security measures including TLS encryption in transit, encrypted storage at rest, and access controls. However, no system is 100% secure. If you discover a security vulnerability, please report it to support@flowlog.dev.
CodeScan is not directed to children under 16. We do not knowingly collect personal information from anyone under 16.
The CodeScan Chrome Extension ("the Extension") is subject to the following additional disclosures required by the Chrome Web Store:

Data accessed by the Extension:
• Active tab URL — to detect whether you are on a GitHub, Azure DevOps, or AWS CodeCommit repository page. The URL is read locally in your browser; it is never transmitted to our servers.
• Tab title — used solely to extract the repository name displayed in the popup.
• chrome.storage.local — stores your last scan result (grade, score, vulnerability counts) locally on your device for display in the popup. No personal data is stored.

Data NOT collected by the Extension:
• We do not read, collect, or transmit your source code through the Extension.
• We do not track your browsing history.
• We do not collect any personally identifiable information through the Extension.
• We do not use cookies in the Extension context.

How the Extension works:
1. When you visit a supported repository page, the Extension detects the repository URL locally.
2. Clicking "Scan This Repository" opens the CodeScan web application (codescan.flowlog.dev) in a new tab with the repository pre-filled. The scan is performed by the web application — not by the Extension itself.
3. The Extension popup displays your most recent scan result retrieved from local storage.

Permissions justification:
• tabs / activeTab: Required to read the current tab's URL to detect repository pages.
• storage: Required to save and display your last scan result in the popup.
• Host permissions (github.com, dev.azure.com, visualstudio.com, console.aws.amazon.com): Required for the content script to inject the "⬡ Scan" button into repository pages. No data from these pages is transmitted externally.
• codescan.flowlog.dev: Required to open the scanner application and retrieve your scan history for display in the popup.
We may update this Privacy Policy. We will notify you of material changes via email or a notice on the platform. Continued use of CodeScan after changes constitutes acceptance of the updated policy.
For privacy-related questions or requests:
Email: support@flowlog.dev
Website: codescan.flowlog.dev/contact