Privacy Policy

Last updated: April 29, 2026

This Privacy Policy describes how PackageScanner (“we”, “us”) handles information when you access or use the hosted Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service. This Policy should be read together with our Terms of Service.

1. Scope

This Privacy Policy applies to your use of the hosted Service operated at this domain, including the web application, hosted API endpoints, hosted MCP endpoint, and any CI or automation workflow that sends requests to those hosted endpoints. Separate companion integrations or tools that we provide outside the hosted Service, such as installable MCP client configuration, GitHub Actions code, helper scripts, or other open-source utilities, may handle information independently according to how you run and configure them in your own environment. However, any data submitted from those tools to the hosted Service is governed by this Policy.

The Service is intended for general informational and security analysis purposes and is not directed to any specific individual consumer market.

2. Information We Collect

We aim to collect only the minimum information needed to operate the Service.

Information you provide:

  • The contents of files or request payloads you submit, such as package.json, package-lock.json, pnpm-lock.yaml, yarn.lock, and bun.lock, including submissions made through the hosted API, hosted MCP endpoint, or CI integrations configured to use the hosted Service.
  • Search queries (for example, npm package names) you enter into the Service.
  • Any other content you voluntarily transmit through the Service.

Information collected automatically:

  • Standard request and diagnostic information that may be collected by our hosting and infrastructure providers, such as IP address, user-agent, request timestamps, referring page, and HTTP response codes.
  • Approximate location derived from IP address (for example, country or region) where provided by analytics or infrastructure providers for traffic analysis.
  • Browser, device, and usage characteristics that may be collected by analytics providers (see Section 5).

Information we do not collect:

  • We do not require you to create an account, and we do not collect names, email addresses, phone numbers, or payment information through the Service.

3. How We Use Information

We use the information described above solely to:

  • Provide, operate, maintain, and improve the Service.
  • Generate scan results, dependency analyses, and shareable reports you explicitly create.
  • Detect, prevent, and respond to abuse, fraud, security incidents, or technical issues.
  • Understand aggregate usage patterns and traffic trends.
  • Comply with applicable legal obligations.

We do not sell or rent your information, and we do not use it for personalized advertising.

4. Cookies and Similar Technologies

The Service may use cookies or similar technologies for purposes including:

  • Remembering language and locale preferences, where supported.
  • Operating analytics (see Section 5).

You can disable or delete cookies through your browser settings. Doing so may affect the functionality or appearance of the Service.

5. Analytics

The Service uses Google Analytics, a web analytics service provided by Google LLC, to understand visitor traffic in aggregate. Google Analytics may collect information such as IP address (sometimes truncated), device characteristics, pages visited, and on-page interactions. Use of Google Analytics is subject to the Google Privacy Policy.

You may opt out of Google Analytics by:

  • Installing the Google Analytics Opt-out Browser Add-on.
  • Using browser-level privacy signals such as Global Privacy Control (GPC) or Do Not Track (DNT), where those signals are supported by your browser, extensions, or relevant third-party services.
  • Blocking third-party cookies in your browser settings.

6. Third-Party Services and Sub-processors

We rely on third-party providers to deliver the Service. Categories of providers may include:

  • A cloud hosting and infrastructure provider that processes requests on our behalf.
  • A managed key-value or caching provider used to store transient analysis artifacts and shareable reports you create.
  • Analytics providers (see Section 5).
  • Public and third-party security-related data sources, such as package registries, security advisories, and public datasets, which we may query on your behalf to generate results.

Each third party processes information under its own terms and privacy policy. We do not control, endorse, or assume responsibility for the practices of any third party. The list of providers may change without notice as we operate the Service.

7. Data Retention

We retain information only as long as reasonably necessary to provide the Service and for the legitimate purposes described in this Policy:

  • Uploaded files and transient analysis artifacts are processed transiently and are typically discarded within approximately thirty (30) minutes after upload.
  • Temporary report data associated with generated report pages is typically retained for approximately thirty (30) minutes when server-side report storage is available.
  • Shareable analysis links that you explicitly create may remain available without a fixed expiration period until they are rotated, removed, or otherwise deleted as part of storage maintenance.
  • Server logs may be retained for a limited period for security, abuse prevention, and operational diagnostics.
  • Analytics data is retained according to the analytics provider’s standard retention practices.

We may retain information for longer where required by law or where necessary to enforce our Terms of Service or protect the safety of the Service and its users.

8. International Data Transfers

The Service is operated globally, and information may be processed in, transferred to, or stored in countries other than the country in which you reside. Privacy and data protection laws in those countries may differ from those in your country. By using the Service, you acknowledge and consent to such transfers.

9. Data Security

We use commercially reasonable technical and organizational measures, including those provided by our infrastructure providers, to protect information against unauthorized access, loss, alteration, or disclosure. However, no method of transmission over the Internet and no method of electronic storage is 100% secure, and we cannot guarantee absolute security. You use the Service at your own risk.

You are strongly advised not to upload secrets, credentials, tokens, environment files, proprietary source code, personal data, or any other confidential information to the Service. The Service is intended only for the analysis of dependency manifests and lockfiles.

10. Your Choices and Rights

Depending on your jurisdiction, you may have certain rights regarding personal information that relates to you, such as the right to access, correct, delete, restrict, or object to certain processing, or to data portability.

Because the Service does not require an account and does not collect identifiers that we can reliably link to a specific individual, we may be unable to identify or respond to data subject requests for anonymous or transient information. In any case, you may at any time:

  • Stop using the Service.
  • Configure your browser to block or delete cookies and clear local storage.
  • Use Global Privacy Control or Do Not Track signals where supported.
  • Opt out of Google Analytics as described in Section 5.
  • Avoid creating shareable analysis links or stop distributing links you created.

11. Children's Privacy

The Service is not directed to, and is not intended for use by, children under the age of thirteen (13), or such higher minimum age as required by your local law (for example, sixteen (16) in parts of the European Economic Area). We do not knowingly collect information from children. If you believe a child has provided information to us, please contact us using the channel in Section 16 so we can consider appropriate action.

14. No Warranty

To the maximum extent permitted by applicable law, this Privacy Policy and the Service are provided on an “AS IS” and “AS AVAILABLE” basis. We disclaim all warranties, express or implied, regarding the security, accuracy, or completeness of any information described in this Policy. Our liability is further limited as set forth in our Terms of Service.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The most current version will always be posted on this page along with the “Last updated” date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you must stop using the Service.

16. Contact

For inquiries regarding this Privacy Policy, please contact us only via direct message (DM) on X (formerly Twitter) at @tim_yone. This is the sole supported contact channel. Messages sent through any other channel will not be reviewed. Response time is at our sole discretion, and we may not respond at all. Please do not include sensitive personal information, credentials, or confidential data in any message.