Privacy Policy
Effective May 21, 2026. Should I Ship is a product of Zero To Build LLC.
Plain-English Summary
Should I Ship is built for developers shipping real products.
We do not store full permanent copies of your repository. We do not use your code, repositories, or scan data to train our own AI models. We process selected files needed to run scans, and we store report data needed to show results, compare scans, and explain findings.
Local CLI scans run on your machine by default. If you choose to create a CLI unlock link, the CLI uploads findings and scan metadata so we can store and unlock the full report. Source code, file contents, environment variables, and ignored files are not uploaded by the CLI unlock flow.
Public reports do not show repo names, repo URLs, GitHub identities, file paths, code snippets, line numbers, or secrets.
When AI summaries are enabled, relevant scan context may be sent to an AI provider to generate plain-English explanations or summaries.
Do not connect repositories containing secrets, credentials, private keys, regulated data, or anything that should never leave your environment.
1. Overview
This Privacy Policy explains how Zero To Build LLC collects, uses, stores, and shares information when you use Should I Ship.
Should I Ship is built to scan code repositories and produce engineering reports. That means the product may process repository metadata, selected code contents, dependency files, scan findings, code snippets, commit metadata, and related technical information.
2. Information We Collect
Account information: name, email address, profile image, GitHub identity, plan, account timestamps, and authentication records.
Repository information: repository name, URL, default branch, connection status, scan history, commit SHA, commit message, change summary, and metadata needed to run and display scans.
Scan information: scores, findings, severity, category, rule IDs, file paths, line numbers, selected code snippets, fix suggestions, dependency findings, scanner coverage, scanner capabilities, and usage counts.
CLI unlock information: when you opt in to create a CLI unlock link, we collect the uploaded CLI findings payload, including scores, severity and category counts, rule IDs, finding descriptions, fix suggestions, file paths referenced by findings, scanner coverage, scanner capabilities, scan duration, CLI version, claim token, payment status, and Stripe checkout identifiers. The CLI unlock payload is designed not to include source code, file contents, environment variables, ignored files, code snippets, or suggested code patches.
Billing information: plan, Stripe customer and subscription identifiers, subscription status, and payment events handled through our payment provider. We do not store full card numbers.
Operational information: logs, IP-derived request metadata, hashed network fingerprints used to limit free-tier abuse, rate-limit counters, error reports, security events, and service diagnostics.
3. How Scans Work
When you start a scan, we request repository data from GitHub using the access you authorized. We inspect the repository tree, select eligible files, fetch selected contents, and run automated checks.
Checks may include custom security heuristics, dependency vulnerability checks, OSV data, Semgrep rules, cost-risk heuristics, architecture heuristics, launch-readiness heuristics, and AI-assisted summaries or suggestions when enabled.
We do not store full permanent copies of your repository. We process selected files to run scans and store the report data needed to show results, compare scans, and explain findings.
Report data may include scores, findings, file paths, line numbers, limited snippets, summaries, scanner metadata, and fix suggestions.
4. Local CLI And Unlock Links
The local CLI can run scans without uploading source code. By default, it writes local report files on your machine.
When the CLI asks whether to upload findings to unlock the full report, choosing yes or using the --unlock-link flag creates a CLI report record on our servers. That record stores findings and scan metadata so we can provide an unlock URL, process payment, and display the unlocked report.
The CLI unlock upload is intended to include finding metadata only, such as rule IDs, severities, categories, descriptions, fix suggestions, file paths referenced by findings, scores, counts, scan duration, scanner coverage, scanner capabilities, and CLI version. It is not intended to include source code, file contents, environment variables, ignored files, code snippets, or suggested code patches.
Because file paths, dependency names, rule IDs, and finding descriptions can reveal information about your project, do not create an unlock link for repositories or projects you are not permitted to process through Should I Ship.
5. How We Use Information
We use information to authenticate you, connect repositories, run scans, show reports, compare scan results, enforce plan limits, process billing, provide support, secure the service, debug failures, improve scanner quality, and operate the product.
We use CLI unlock information to create unlock links, process one-time report payments, display the full CLI report, provide support, prevent abuse, debug failures, understand product usage, and improve scanner quality.
We may use aggregated or de-identified information to understand product performance, scanner coverage, reliability, and feature usage.
6. AI Processing
Should I Ship does not use your code, repositories, or scan data to train our own AI models. When we use AI providers to generate summaries or plain-English explanations, their handling of data is governed by their own terms and policies.
When AI summaries are enabled, we try to send only the context needed to generate plain-English explanations or summaries, such as relevant finding details, limited snippets, or short diff excerpts.
Inline plain-English rewriting is optional and may be disabled to control cost and data exposure. You should not connect repositories containing information you are not permitted to process through the product.
7. Secrets And Sensitive Data
Do not connect repositories containing secrets, credentials, private keys, regulated data, or other information that should never leave your environment.
Should I Ship can help detect exposed secrets, but detection is not remediation: if a secret has been committed to a repository, rotate it, whether or not Should I Ship flags it.
8. Service Providers
We use service providers to operate Should I Ship, including hosting, database, queueing, authentication, code-host integration, payment processing, security scanning, logging, and AI infrastructure.
Examples may include GitHub, Stripe, Neon, Upstash, Railway, Vercel or similar hosting providers, Anthropic or other AI providers, and security data providers such as OSV.
These providers process information for us according to their own terms, policies, and security practices.
9. What We Do Not Promise
Scan results are not a guarantee that your product is secure, compliant, profitable, reliable, or safe to launch.
Should I Ship is provided as is and as available. We are not responsible for lost revenue, lost profits, business interruption, security incidents, vulnerabilities, deployment failures, cost overruns, reputational harm, or other losses based on results, missing results, findings, forecasts, summaries, prompts, or suggestions from Should I Ship. See our Terms of Service for liability limits.
You are solely responsible for reviewing, testing, validating, and deciding whether to rely on any product output.
10. Security
We use reasonable technical and organizational measures designed to protect information processed by Should I Ship, including access controls, environment variables, rate limits, third-party infrastructure, and operational monitoring.
No online service can guarantee perfect security. You are responsible for protecting your GitHub account, credentials, connected repositories, and deployment environment.
11. Retention And Deletion
We retain account, repository, scan, billing, and operational information for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, improve reliability, and maintain business records.
CLI unlock report records may be retained while the unlock link, payment record, support need, abuse-prevention need, or related business record remains useful. You may request deletion through the contact channel made available in the product, subject to legal, billing, security, backup, and operational retention needs.
You may request deletion of your account or connected project data through the contact channel made available in the product. Some information may remain in backups, logs, billing records, or records we are legally permitted or required to keep.
12. Your Choices
You can run the CLI without creating an unlock link, use --no-upload or --local-only to skip CLI upload prompts, disconnect repositories, stop using the product, revoke GitHub access through GitHub, choose not to enable optional AI features, and request deletion where applicable.
If you revoke GitHub access, future scans may stop working, but previous reports and stored findings may remain until deleted according to our retention practices.
13. Changes
We may update this Privacy Policy from time to time. Continued use of Should I Ship after changes become effective means you accept the updated policy.
Questions about privacy can be sent through the contact form.