What we collect.
- Email address + display name (account creation)
- GitHub repository URLs you submit for scanning
- Scan results (findings, severity, file paths)
- Stripe customer ID (subscription only — no card data)
- Standard server logs (IP, user agent — 90-day retention)
What we do not retain.
// important
Your source code is fetched into an ephemeral worker for the duration of one scan, then discarded. Findings retained for audit are sanitized — repo URL stripped, only pattern + tier + line number kept.
Public findings opt-out.
// disclosure
Novel security patterns discovered in your scans may be submitted to the public NOWL-CVE database (security.nowl.build) for community benefit. This is fully opt-out at Settings → Privacy. When opted in, only anonymized patterns are shared — never your repo URL, never your code.
Your rights.
// gdpr · ccpa · kvkk
- Access: download all your data via Settings
- Erasure: delete account at Settings → Danger (immediate)
- Rectification: edit profile fields at any time
- Object: opt out of analytics + Public Findings DB
Data protection.
// dpo
Privacy questions to legal@nowl.build. Abuse reports to abuse@nowl.build.