Privacy Policy

Effective Date: April 1, 2026

1. Overview

SquireX ("we," "us," or "our") operates the SquireX Agentforce Capability Scanner GitHub App and related services. This Privacy Policy describes how we collect, use, and protect information when you install and use our Service.

We are committed to minimizing data collection. We do not store your source code.

2. Information We Collect

2.1 Information from GitHub

When you install the SquireX GitHub App, we receive the following from GitHub:

Data | Purpose | Retention
Organization or user account name | Identify the installation | Duration of installation
Installation ID | API authentication | Duration of installation
Repository names (selected repos only) | Route webhook events | Duration of installation
Pull request metadata (PR number, branch names, commit SHA) | Execute scans | Not stored (ephemeral)
Repository contents (cloned during scan) | Run security analysis | Deleted immediately after scan

2.2 Information We Do NOT Collect

  • We do not persistently store your source code
  • We do not collect personally identifiable information (PII) beyond your GitHub username
  • We do not use cookies or tracking pixels
  • We do not sell or share data with third parties for advertising

3. How We Use Information

  • Scan execution: Clone your repository temporarily, run static analysis, and report results
  • Service improvement: Aggregate, anonymous scan metrics (e.g., average scan duration, rule hit frequency) to improve the scanner engine
  • Communication: Notify you about service updates, security advisories, or billing changes via your GitHub-registered email

4. Data Processing

Your code is processed ephemerally:

  • Repository is cloned to a temporary directory on the function runtime
  • The SquireX engine scans Agentforce metadata files
  • Results (SARIF format) are posted back to your GitHub repository via the GitHub REST API
  • The temporary directory and all cloned content are permanently deleted

No code is logged, cached, or transmitted to any system other than the GitHub API for result delivery.

5. Data Storage and Security

  • Infrastructure is hosted on Vercel with automatic TLS encryption
  • Webhook payloads are verified using HMAC-SHA256 signatures
  • GitHub App private keys are stored as encrypted environment variables
  • No database is used — only ephemeral processing state exists during active scans

6. Third-Party Services

SquireX integrates with:

  • GitHub: For repository access, PR comments, check runs, and SARIF uploads (governed by GitHub's Privacy Statement)
  • Vercel: For serverless function hosting (governed by Vercel's Privacy Policy)

We do not share your data with any other third parties.

7. Your Rights

You may at any time:

  • Uninstall the GitHub App from your organization or account settings
  • Request deletion of any data we hold by emailing hello@squirex.dev
  • Modify access by changing which repositories the App can access in your GitHub installation settings

8. Children's Privacy

SquireX is not directed at individuals under 13. We do not knowingly collect information from children.

9. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated through the GitHub App interface or via email. The "Effective Date" at the top of this page reflects the latest revision.

10. Contact

For privacy questions or data requests, contact us at hello@squirex.dev.

© 2026 SquireX. All Rights Reserved.