Privacy Policy

Last updated: April 2, 2026

Overview

SquireX is designed with a privacy-first architecture. Your source code and Agentforce metadata are analyzed entirely within your local environment and are never sent to our servers. This policy explains what limited data we do collect and how we use it.

1. Information We Collect

Account & Billing Information

When you purchase a Pro or Enterprise subscription, Stripe collects and processes your payment information. We receive from Stripe: your email address, GitHub organization or repository name, and subscription status. We do not store your full card details.

GitHub App Data

When you install the SquireX GitHub App, we receive GitHub webhook events containing: repository name, pull request metadata (PR number, branch names, commit SHAs), and repository visibility (public/private). We use this data solely to determine license eligibility and to post scan results back to your pull request.

Usage Data

We collect anonymized CLI usage telemetry (scan command invocations, rule match counts, error types) to improve the product. This data contains no personally identifiable information and no code content. You may opt out by setting SQUIREX_NO_TELEMETRY=1.

2. What We Do NOT Collect

  • Your source code or Agentforce metadata files
  • Scan results or security findings
  • SARIF output or any code analysis artifacts
  • Credentials, API keys, or secrets in your codebase

All analysis is performed locally by the SquireX CLI engine. Network calls are made only to validate license keys and post results to GitHub via the official GitHub API.

3. How We Use Your Information

  • To provision and enforce license entitlements
  • To process subscription payments through Stripe
  • To post scan results (Check Runs and PR comments) to your GitHub repository via the GitHub API
  • To send transactional emails (license activation, renewal reminders)
  • To improve the Service using aggregated, anonymized usage data

4. Data Sharing

We do not sell your personal data. We share data only with:

  • Stripe — for payment processing
  • GitHub — to post scan results via the GitHub API under your authorization
  • Turso (Chiselstrike) — our license database provider, storing only subscription state
  • Resend — for transactional email delivery

All third-party providers are bound by data processing agreements and handle data in accordance with GDPR and CCPA requirements.

5. Data Retention

License records are retained for the duration of your subscription plus 90 days for billing disputes. Upon cancellation and expiry of this period, your license record is deleted. Anonymized telemetry data is retained for up to 24 months.

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data. To exercise these rights, email us at hello@squirex.dev. We will respond within 30 days.

7. GitHub App Permissions

The SquireX GitHub App requests the following permissions:

  • Pull requests (read/write): To read PR metadata and post scan result comments
  • Checks (write): To create GitHub Check Runs with scan results
  • Contents (read): To clone repository contents for scanning
  • Metadata (read): Required by GitHub for all Apps

8. Security

We use industry-standard security practices including TLS encryption in transit, HMAC signature verification on all webhook calls, and access-controlled database credentials. License keys are stored as UUIDs with no reversible connection to payment data.

9. Contact

Privacy questions or data requests: hello@squirex.dev