Privacy Policy
Last updated: June 25, 2026
1. Introduction
Vulnprune ("we", "our", or "us") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data when you use the Vulnprune GitHub App and our website at vulnprune.com.
By installing the Vulnprune GitHub App or using our website, you agree to the practices described in this policy. If you do not agree, please discontinue use.
2. Data We Collect
We collect only the data necessary to operate the Vulnprune service. This includes:
- Repository data — dependency information and Dependabot alert details from repositories you grant us access to.
- GitHub account information — when you install the app, GitHub provides us with basic account identifiers (such as username) for you and all members of your organisation. We receive this information as part of the GitHub App installation flow but do not store it beyond what is needed to process a given request.
- Contact information — name and email address if you submit our contact form.
3. How We Use Your Data
We use the data we collect solely to operate the service — that is, to analyse your dependencies, manage Dependabot alerts on your behalf, and respond to support requests. We do not use your data for any other purpose.
We do not sell, rent, or share your data with third parties for marketing purposes.
4. Data Retention
Dependency lockfile snapshots and alert processing logs are retained for up to 90 days for debugging purposes, after which they are permanently deleted. The dependency graph derived from those files may be retained for service operation until the related file or repository is deleted, the Vulnprune app is uninstalled, or deletion is requested.
You may request deletion of your data at any time by contacting us at contact@vulnprune.com.
5. Data Security
We take reasonable technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. All data in transit is encrypted via TLS. Access to production systems is restricted to authorised personnel only.
No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
6. Third-Party Services
Vulnprune integrates exclusively with the GitHub API to read repository data and manage Dependabot alerts. GitHub's own Privacy Statement applies to data held by GitHub.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Object to or restrict certain processing activities.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at contact@vulnprune.com.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of Vulnprune after changes are posted constitutes acceptance of the updated policy.
9. Contact
If you have any questions about this Privacy Policy, please reach out at contact@vulnprune.com or via our contact page.