Privacy Policy.
Effective 2026-04-21 · Last updated 2026-04-21
Short version: we collect as little as we can, we keep it for as long as we need, and you can get it deleted by emailing twells@gtsbahamas.com. The rest of this doc is the detail.
What we collect
- Email address. Captured when you unlock a public scan report at /scan, and when you sign up for coaching. That’s the only identifier we actively ask for.
- IP address. We SHA-256 hash it and use the hash for rate limiting. We do not store raw IP addresses in the database. Server logs (Vercel) may briefly hold raw IPs for standard request logging; those logs age out on Vercel’s retention schedule.
- User agent string. What browser/OS you’re using. Used for debugging and abuse detection.
- Uploaded code. The zip you upload or the public GitHub URL we clone on your behalf.
- Scan findings. The output of running Sentinel against your code: file paths, line numbers, severity, and the finding description.
How long we keep it
- Uploaded code. Purged within 7 days of upload. Earlier if you email us and ask. We keep it just long enough for the scan to run and for you to re-download a report.
- Scan findings. 7 days, then deleted. Aggregate counts (“how many scans ran this week”) are kept for product analytics. No content, no finding text, no file paths.
- Emails. Retained until you unsubscribe. Every marketing email has one-click unsubscribe at the bottom. Click it and you’re out.
- Unlock tokens. 24-hour TTL from the moment they are generated. After 24 hours the token is dead and you’d need a new unlock email.
- Public shared reports. Kept as long as you want them public. You can revoke the share at any time from the report page, and we remove it from our servers within 24 hours.
Who we share data with
We use four third-party processors. None of them get more than they need.
- Resend. Transactional email (unlock links, login magic links) and marketing email (cohort launches). They see your email address and the contents of emails we send you.
- Supabase. Database and storage. Your uploaded code and findings live here while they exist.
- Vercel. Hosting. Handles request routing, edge functions, and static asset delivery.
- Anthropic. Only used on coaching members’ scans when they opt into the AI coaching layer. Public /scan scans do NOT hit Anthropic. Coaching members get a separate consent flow before any code is sent to an LLM.
We do not sell your data. We do not share your email list. We do not run ads on ShipSafe.
What we don’t do
- No tracking pixels in emails.
- No ad networks. No Google Ads, no Facebook pixel, no LinkedIn Insight Tag.
- No reselling of email lists to anyone, ever.
- No humans reading your uploaded code unless you explicitly book a coaching session where you ask us to. Automated scans are fully automated.
Your rights
- Delete my data. Email twells@gtsbahamas.com. We aim to process within 7 days.
- Export my data. Same address. We’ll send you a JSON dump of what we have on you.
- Unsubscribe from marketing. One click at the bottom of any marketing email. Transactional emails (login links, scan unlock codes) are not marketing and don’t have unsubscribe because you need them to use the product.
- Correct my data. Email us and we’ll update what’s wrong.
If you’re in the EU, UK, or another region with strong privacy law, you have the rights granted by that law (GDPR access, rectification, erasure, portability, objection). We honor them.
Cookies
We set the minimum number of cookies to make the site work.
- public_scan_unlock_<id> — remembers that you’ve unlocked a specific public scan report. Session-scoped. No tracking across sites.
- Supabase auth cookies. Only set if you’re a logged-in coaching member. Used to keep you logged in.
- No third-party analytics cookies. No Google Analytics. No Segment. No Hotjar.
Security
We run encrypted in transit (TLS everywhere) and encrypted at rest (Supabase defaults). Supabase Row Level Security enforces access control at the database layer. Secrets are in Vercel’s encrypted environment variables.
We’re a security coaching product. If we ship a vulnerability, we fix it fast and tell affected users. If you find one, email twells@gtsbahamas.com. We’ll respond.
Changes to this policy
Material changes get 30 days’ notice by email, banner, or a post in the Early AI-dopters community. Minor cleanups (clarifications, fixing a typo) happen without notice. The “Last updated” date at the top of this page is the truth.
Jurisdiction
ShipSafe is operated by Frank Labs in The Bahamas. This policy is governed by Bahamian law. Where GDPR or other regional privacy law applies to you, we respect it as written.
Contact
Privacy and data requests: twells@gtsbahamas.com.
For general terms questions, see the Terms of Service.