Privacy Policy
Last updated: February 2026
What PathToShip Does
PathToShip is a production readiness scanner for applications built with AI coding tools. When you submit a GitHub repository URL, we fetch the source files, analyze them for security vulnerabilities and production readiness issues, and return a score with findings.
Source Code Handling
We do not store your source code. When you scan a repository:
- Source files are fetched from the GitHub API into server memory
- Static analysis runs in memory on our server
- Source code is discarded immediately after analysis completes
- We never write your source code to disk, database, or any persistent storage
We store only a one-way hash of the concatenated source (for deduplication) and the total byte size. Neither can be used to reconstruct your code.
Private Repository Scanning
To scan a private repository, you authorize PathToShip via GitHub OAuth. Here is how we handle that access:
- We request read-only access to your repositories
- Your OAuth access token is encrypted (AES-256-GCM) and stored only in a short-lived, httpOnly browser cookie — never in our database
- The token is used for a single scan and then immediately revoked via the GitHub API
- After revocation, we have no ability to access your repositories
- You will see a “GitHub access revoked” confirmation on your scan results
We do not store GitHub usernames, repository lists, or any data from the OAuth flow beyond what is needed for the single scan.
What We Do Store
For each scan, we store:
- PathToShip Score and dimension scores (security, infrastructure, etc.)
- Detected findings and their severities
- Infrastructure profile (detected hosting, database, auth providers)
- Metadata: detected AI tool, framework, language, file count, line count
- GitHub repository owner and name (for public repos you voluntarily scan)
- Timestamp, referrer, and user agent
- Your IP address (for rate limiting and abuse prevention)
Email Addresses
If you provide your email address (to receive a full report), we store it alongside the scan ID. We use your email only to send you scan-related communications. We do not sell or share email addresses with third parties.
Analytics
We use privacy-friendly analytics that do not use cookies and do not track you across websites. We collect aggregate page view data, referrer information, and device type. No personal data is collected by our analytics.
Cookies
Apart from the short-lived, httpOnly cookie that holds your encrypted OAuth token during a private repository scan (described above under Private Repository Scanning), PathToShip does not set cookies. We do not use tracking cookies, advertising cookies, or third-party cookies of any kind.
How We Use Aggregate Data
We use aggregate, anonymized scan data to understand vulnerability patterns across AI coding tools and frameworks. This powers our research publications (e.g., “which AI tools produce the most secure code”). Individual scan results are never published without your explicit consent.
Data Retention
Scan results are retained indefinitely to support your ability to view past scans and track improvement. You can request deletion of your scan data by contacting us.
Your Rights (GDPR / CCPA)
If you are in the EU, UK, or California, you have the right to:
- Access — request a copy of the data we hold about you
- Deletion — request we delete your scan data and email
- Correction — request we correct inaccurate data
- Portability — receive your data in a machine-readable format
- Objection — object to processing of your data
To exercise any of these rights, contact us at the email below.
Data Security
Scan data is stored in Supabase (hosted on AWS) with encryption at rest and in transit. API endpoints are rate-limited. We use HTTPS exclusively. Access to production databases is restricted to the application owner.
Third-Party Services
- GitHub API — to fetch repository contents (public repositories, or private repositories you have authorized via OAuth) (governed by GitHub’s privacy policy)
- Supabase — database hosting (governed by Supabase’s privacy policy)
- Vercel — application hosting (governed by Vercel’s privacy policy)
Children
PathToShip is not directed at children under 13. We do not knowingly collect data from children.
Changes
We may update this policy. Material changes will be noted on this page with an updated date. Continued use after changes constitutes acceptance.
Contact
For privacy questions or data requests: privacy@pathtoship.com