Privacy policy

Last updated: 2026-04-22.

We run a security product, so we take privacy seriously. This is the short, readable version. A detailed, GDPR-level version is available on request from legal@crossgraph.dev.

What we collect

  • GitHub org identifiers — your org ID + login, collected when you install the GitHub App.
  • Source code — transiently. When you open a PR, we clone the affected repos into an ephemeral Firecracker VM, analyze them, and destroy the VM. Source is never persisted to our databases.
  • Graph metadata — service names, endpoint paths, file + line numbers, taint labels. This is what lives in our Postgres so you can see findings on subsequent PRs.
  • OpenTelemetry traces you send us — kept 1-90 days depending on plan, then deleted.
  • Billing data — handled by Stripe; we store your Stripe customer ID only.

What we do NOT collect

  • Tracking pixels, advertising identifiers, or third-party analytics.
  • Keystrokes, screen recordings, or dev-tools telemetry.
  • Personal data of end-users of your services (our PII rule flags leakage; we never store the PII itself).

Who we share with

Only our sub-processors listed on the security page. We do not sell data to any third party. Ever.

Your rights

  • Export all data about your org via the dashboard's "Export" button.
  • Delete all data by uninstalling the GitHub App — we purge within 30 days, sooner on request.
  • EU / UK / California residents: your statutory rights apply. Email privacy@crossgraph.dev to exercise them.

Contact

Privacy officer: privacy@crossgraph.dev
Legal: legal@crossgraph.dev