Privacy Policy

Last updated: March 18, 2026

1. Who We Are

Unpatched.ai ("we", "us", "our") operates the Unpatched.ai platform, an automated security assessment service for software repositories. If you have questions about this policy, contact us at privacy@contact.unpatched.ai.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and, for team plans, your name, team name, and billing address. We may also collect your job title or role if you provide it.

2.2 Payment Information

Payment is processed by Stripe. We do not store your full credit card number. Stripe provides us with a tokenized payment method, your billing name, billing address, and the last four digits of your card. See Stripe's Privacy Policy for how they handle your payment data.

2.3 Repository and Assessment Data

When you submit a repository for assessment, we store the repository URL, branch, and the structured vulnerability findings generated by the analysis. Your source code is cloned into ephemeral, sandboxed virtual machines for the duration of the assessment and is deleted when the virtual machines are destroyed. We do not retain a copy of your source code after the assessment completes.

2.4 GitHub Data

If you connect a GitHub account, we request read-only access to your repositories. We store your GitHub installation ID and use short-lived installation tokens to clone repositories on your behalf. We do not access repositories outside of assessments you initiate.

2.5 Automatically Collected Data

When you use our service, we automatically collect:

  • IP address
  • Approximate geolocation (country, region, city) as provided by our infrastructure provider
  • Browser user agent string
  • Timestamps of login events and actions

This information is used for security (rate limiting, fraud prevention, region verification), session management, and to operate the service reliably.

2.6 Consent Records

When you sign up, we record timestamps of your acceptance of our Terms of Service, Privacy Policy, Vulnerability Discovery and Disclosure Policy, region attestation, and experimental platform acknowledgment.

3. How We Use Your Information

We use your information to:

  • Authenticate you via sign-in links and manage your sessions
  • Perform security assessments on repositories you submit
  • Display assessment results and vulnerability findings to you and your team
  • Process payments and manage your subscription and credit balance
  • Send transactional emails (sign-in links, account activation, subscription updates)
  • Enforce rate limits and detect abuse
  • Verify your region eligibility
  • Maintain audit logs for security purposes

We do not use your information for advertising, profiling, or automated decision-making unrelated to the security assessment service.

4. AI Processing and Model Training

Our assessments may use third-party AI models to analyze your code. During an assessment, your source code may be sent to the AI provider.

Team plans: We do not use any of your data to train AI models.

The AI providers we use are contractually prohibited from using inputs for model training.

5. Third-Party Service Providers

We share data with the following categories of service providers, solely as necessary to operate the platform:

  • AI providers — Source code may be sent for help with analysis during assessments
  • Payment processing — Stripe processes payments and stores billing information
  • Email delivery — Transactional emails may be sent via AWS, Mailgun, or Twilio
  • Infrastructure — Our platform may use AWS, Cloudflare, and Google Cloud for compute, hosting, and storage
  • Source control — GitHub provides repository access via their API

We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

6. Data Storage and Security

Account and product use data are stored in our systems. Source code is only present in temporary environments during active assessments and is not persisted after the assessment completes.

We implement industry-standard security measures to protect your data, including encryption in transit, access controls, and rate limiting.

7. Data Retention

We retain your account data for as long as your account is active. Assessment results and findings are retained for as long as your organization exists. Session records are retained for security auditing purposes and expire automatically.

If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or compliance reasons.

8. International Data Transfers

Our services are operated from the United States. If you access the service from outside the United States, your data may be transferred to and processed in the United States or other countries where our infrastructure providers operate. By using the service, you consent to this transfer.

9. Cookies

We use strictly necessary cookies to keep you logged in and to provide security protections. We do not use tracking cookies or third-party analytics. For full details, see our Cookie Policy.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate data
  • Deletion — Request deletion of your personal data
  • Portability — Request a machine-readable export of your data
  • Objection — Object to certain processing of your data
  • Restriction — Request that we limit processing of your data

To exercise any of these rights, contact us at privacy@contact.unpatched.ai.

11. Children's Privacy

Our service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the service prior to the change becoming effective. Continued use of the service after changes constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates when the policy was last revised.