Privacy Policy
Effective April 14, 2026. Should I Ship is a product of Zero To Build LLC.
1. Overview
This Privacy Policy explains how Zero To Build LLC collects, uses, stores, and shares information when you use Should I Ship.
Should I Ship is built to scan code repositories and produce engineering reports. That means the product may process repository metadata, selected code contents, dependency files, scan findings, code snippets, commit metadata, and related technical information.
2. Information We Collect
Account information: name, email address, profile image, GitHub identity, plan, account timestamps, and authentication records.
Repository information: repository name, URL, default branch, connection status, scan history, commit SHA, commit message, change summary, and metadata needed to run and display scans.
Scan information: scores, findings, severity, category, rule IDs, file paths, line numbers, selected code snippets, fix suggestions, dependency findings, scanner coverage, scanner capabilities, and usage counts.
Billing information: plan, Stripe customer and subscription identifiers, subscription status, and payment events handled through our payment provider. We do not store full card numbers.
Operational information: logs, IP-derived request metadata, rate-limit counters, error reports, security events, and service diagnostics.
3. How Scans Work
When you start a scan, we request repository data from GitHub using the access you authorized. We inspect the repository tree, select eligible files, fetch selected contents, and run automated checks.
Checks may include custom security heuristics, dependency vulnerability checks, OSV data, Semgrep rules, cost-risk heuristics, architecture heuristics, launch-readiness heuristics, and AI-assisted summaries or suggestions when enabled.
We do not aim to store a full permanent copy of your repository. We may temporarily process selected file contents to run scans, and we may store findings, file paths, code snippets, summaries, metadata, and fix suggestions needed to show your report and compare scans over time.
4. How We Use Information
We use information to authenticate you, connect repositories, run scans, show reports, compare scan results, enforce plan limits, process billing, provide support, secure the service, debug failures, improve scanner quality, and operate the product.
We may use aggregated or de-identified information to understand product performance, scanner coverage, reliability, and feature usage.
5. AI Processing
When AI features are enabled, relevant finding text, metadata, code snippets, summaries, and repository context may be sent to an AI provider to generate plain-English summaries, fix suggestions, or change summaries.
Inline plain-English rewriting is optional and may be disabled to control cost and data exposure. You should not connect repositories containing information you are not permitted to process through the product.
6. Service Providers
We use service providers to operate Should I Ship, including hosting, database, queueing, authentication, code-host integration, payment processing, security scanning, logging, and AI infrastructure.
Examples may include GitHub, Stripe, Neon, Upstash, Railway, Vercel or similar hosting providers, Anthropic or other AI providers, and security data providers such as OSV.
These providers process information for us according to their own terms, policies, and security practices.
7. What We Do Not Promise
Scan results are not a guarantee that your product is secure, compliant, profitable, reliable, or safe to launch.
Should I Ship is provided as is and as available. We are not responsible for lost revenue, lost profits, business interruption, security incidents, vulnerabilities, deployment failures, cost overruns, reputational harm, or other losses based on results, missing results, findings, forecasts, summaries, prompts, or suggestions from Should I Ship. See our Terms of Service for liability limits.
You are solely responsible for reviewing, testing, validating, and deciding whether to rely on any product output.
8. Security
We use reasonable technical and organizational measures designed to protect information processed by Should I Ship, including access controls, environment variables, rate limits, third-party infrastructure, and operational monitoring.
No online service can guarantee perfect security. You are responsible for protecting your GitHub account, credentials, connected repositories, and deployment environment.
9. Retention And Deletion
We retain account, repository, scan, billing, and operational information for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, improve reliability, and maintain business records.
You may request deletion of your account or connected project data through the contact channel made available in the product. Some information may remain in backups, logs, billing records, or records we are legally permitted or required to keep.
10. Your Choices
You can disconnect repositories, stop using the product, revoke GitHub access through GitHub, choose not to enable optional AI features, and request deletion where applicable.
If you revoke GitHub access, future scans may stop working, but previous reports and stored findings may remain until deleted according to our retention practices.
11. Changes
We may update this Privacy Policy from time to time. Continued use of Should I Ship after changes become effective means you accept the updated policy.
Questions about privacy can be sent through the contact channel made available in the product.