Privacy Policy
Last updated: 2026-05-28
1. Overview
codescan.dev ("the Service") is a free security scanner for GitHub repositories operated by Ludo Technologies Inc. ("we", "us"), a company headquartered in Kanagawa, Japan. This policy explains what information we handle when you use the Service, why we handle it, and the choices you have.
Scanning a public repository does not require an account: you simply submit its URL and view the resulting report. To scan a private repository, you sign in with GitHub so the Service can access it on your behalf — see "Information we process" below for what that involves.
2. Information we process
We process the following categories of data:
- Repository URLs you submit. When you start a scan, we record the GitHub URL, normalize the owner and repository name, and use it to fetch the repository.
- GitHub sign-in data (when you scan a private repository). If you sign in with GitHub, we receive your GitHub account identifier and username and an OAuth access token. The token is granted GitHub's repo scope, which GitHub defines broadly — it can read and write your public and private repositories. codescan.dev only uses it to read repository contents in order to run scans, and never creates, modifies, or deletes anything in your repositories. The token is encrypted and stored only in a session cookie in your browser, and it is discarded when you sign out.
- Cloned repository contents (transient). We temporarily clone the repository so that scanners can inspect it. Source files are deleted from our infrastructure after the scan completes; we do not retain a long-term copy of the code.
- Scan findings and metadata. We persist the structured results of each scan — for example rule identifiers, severity, file paths, line numbers, dependency names and versions, and short code snippets reproduced from the repository. These results are what we render on the report page.
- Technical request data. Like most web services, our servers log information about requests, including IP address, user agent, requested URL, referrer, and timestamp. This data is used to operate the Service, prevent abuse, and diagnose problems.
- Analytics data. We use Google Analytics to understand aggregate usage patterns. See "Cookies and analytics" below.
- Correspondence. If you email us, we retain the message and your email address to respond and keep records of the conversation.
We do not knowingly request or store sensitive personal data, and we do not ask you for your name, address, or payment information.
3. How we use this information
- To run the scan you requested and display the report.
- To produce a shareable scan page that can be revisited via its URL.
- To operate, maintain, secure, and improve the Service, including investigating errors and detecting abuse.
- To understand how the Service is used in aggregate, so we can prioritize improvements.
- To respond to questions or feedback you send us.
- To comply with applicable law and respond to lawful requests.
4. Who can view a scan report
When a scan completes, we generate a unique scan ID and host the report at a URL of the form /scan/<id>. Visibility depends on the repository:
- Public repositories. Anyone who knows the URL can view the report. The URLs use unguessable identifiers and are marked noindex so that search engines do not list them, but the reports themselves are not password-protected. Because the scanned code is already public on GitHub, the findings describe code that is publicly available.
- Private repositories. Reports for private repositories are restricted to the signed-in GitHub user who started the scan. The report page, its data API, and its social preview image are not served to anyone else, and private reports are excluded from any shared cache.
If you would like a specific scan report removed, please contact us using the address below.
5. Cookies and analytics
We use Google Analytics, a service provided by Google LLC, to collect aggregate information about how visitors use the Service. Google Analytics sets cookies and may process information such as your IP address, device, browser, and pages visited. The data is used to produce aggregate reports — we do not use it to identify individual visitors.
You can opt out of Google Analytics by installing the official Google Analytics Opt-out Browser Add-on or by configuring your browser to block analytics cookies. We do not use cookies for advertising.
6. Third-party services
We rely on third parties to operate the Service. They process data on our behalf or as independent controllers as described below:
- GitHub — source of the repositories we clone for scanning, and the identity provider used when you sign in to scan private repositories.
- Cloud hosting and infrastructure providers — host the application, database, and scan workers.
- Google Analytics — aggregate usage analytics, as described above.
These providers may store data outside Japan, including in the United States. They are bound by their own terms and privacy policies.
7. Retention
- Cloned source code is deleted from scan workers after the scan finishes.
- Scan findings and the associated report page are retained so the shareable URL keeps working. We may delete reports that have not been viewed for a long period, are abusive, or are subject to a removal request.
- Server and access logs are retained for a limited period — long enough to investigate incidents and abuse — and then rotated out.
- Analytics data is retained according to the default settings of the analytics provider.
8. Security
We apply reasonable technical and organizational measures to protect the data we hold, including encryption in transit (HTTPS), access controls on our infrastructure, isolation between scan workloads, and encryption of GitHub access tokens before they are stored in your session cookie. No service connected to the internet can be made perfectly secure, and we cannot guarantee absolute security.
9. Your rights
Depending on where you live, you may have rights under applicable privacy laws, including Japan's Act on the Protection of Personal Information (APPI), the EU/UK GDPR, or similar laws. These may include the right to access, correct, or delete personal data we hold about you, or to object to certain processing.
Because we do not require an account, the personal data we hold about visitors is typically limited to server logs and analytics data tied to a browser. To exercise any of these rights, contact us using the address below. We may need to ask for additional information to locate the relevant records.
10. Children
The Service is intended for developers and is not directed at children under the age of 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy as the Service evolves or as the law requires. When we make material changes we will update the "Last updated" date at the top of this page. Continued use of the Service after a change indicates acceptance of the revised policy.
12. Contact
Questions, removal requests, and privacy-related inquiries can be sent to contact@ludo-tech.org.
See also our Terms of Service.