GoForLaunch

Privacy policy

Last updated 2026-05-23 · effective immediately

Who we are

GoForLaunch is operated by the team behind goforlaunch.dev. For privacy questions write to privacy@goforlaunch.dev. Postal inquiries can be sent to the address shown on the contact form.

What we collect

  • Account: email, display name, hashed password (bcrypt), and OAuth account links if you sign in via GitHub.
  • Workspace: workspace name, slug, the list of repositories you connect, and the role each member holds.
  • Scan metadata: branch, commit SHA, started/completed timestamps, severity counts, the score, and which user triggered the scan.
  • Findings: stored as fingerprints, the file path, the line number, and a short snippet of the matching code. Never the full source.
  • Audit log: scan starts, repo connects, billing changes, PR attempts, and admin actions. Visible to your workspace owners.
  • Billing: Stripe customer ID and subscription state. Card data lives at Stripe — we never see it.

What we never store

  • The full source code of your repositories. We download the archive into memory, scan, then drop it.
  • Card, bank or any payment instrument details. Stripe handles the entire payment flow.
  • Plaintext credentials. Passwords are hashed with bcrypt (cost factor 12); API tokens are SHA-256-hashed before storage.
  • Browser fingerprints, ad identifiers, or third-party tracking cookies. We do not embed Google Analytics or Meta Pixel.

How we use what we collect

  • Run scans, store the resulting findings, and surface them in your dashboard and reports.
  • Authenticate API requests via Bearer tokens that you create and can revoke at any time.
  • Send transactional emails (welcome, password reset, critical-finding alert). No marketing emails without an opt-in.
  • Bill subscriptions through Stripe (see the subprocessor list below).
  • Detect abuse via in-process rate limiting and audit-log inspection. No third-party analytics or behavioural profiling.

Subprocessors

We use the following processors. Each holds a current DPA with us and is listed for transparency.

Processor | Purpose | Region
Stripe Payments Europe Ltd | Payments, subscriptions, invoices | EU/US (DPF certified)
Vercel Inc. | App hosting, edge cache | Global (US default, EU available)
Supabase Inc. | Managed Postgres, object storage | Customer-selected (EU available)
Resend, Inc. | Transactional email delivery | US (DPF certified)
GitHub, Inc. | OAuth, repository archive download (when you connect) | US (DPF certified)
OpenAI / Anthropic (optional) | LLM-based finding review — only when you enable a key | US

Retention

  • Scan findings: default 180 days. Older completed and failed scans are removed by the scheduled retention cleanup.
  • Audit log: 365 days, then removed by the scheduled retention cleanup.
  • One-time scan reports: 30 days from purchase, then removed by the scheduled retention cleanup.
  • Account: kept while you have an active workspace. You can delete your account yourself at any time from Dashboard → Profile → Your data; deletion is immediate, except records we must keep for legal duties (e.g. tax).
  • Stripe invoices and tax records: kept as required by EU/US tax law (typically 10 years).

Your rights (EU/EEA/UK)

You can export or permanently delete your data yourself from Dashboard → Profile → Your data, without contacting us. For correction, restriction, or any other request you can email privacy@goforlaunch.dev. We respond within 30 days. You may also lodge a complaint with your local data protection authority.

We rely on Article 6(1)(b) GDPR (contract) for service delivery, 6(1)(f) (legitimate interest) for abuse-prevention logs, and your explicit consent where requested. We do not engage in automated decision-making with legal effect.

Children and minimum age

GoForLaunch is a professional developer tool and is not directed to children. You must be at least 16 years old to create an account — the digital-consent age under Article 8 GDPR, which also covers the US COPPA threshold (under 13). We confirm this at sign-up and do not knowingly collect or store personal data from anyone under 16. No date of birth is collected; only the age confirmation is recorded. If you believe a minor has provided us data, email privacy@goforlaunch.dev and we will delete it promptly.

International transfers

Data may be processed in the US by the subprocessors listed above. EU↔US transfers rely on the EU-US Data Privacy Framework and, where DPF coverage is not yet adequate, Standard Contractual Clauses.

Security

Implementation specifics — encryption, secrets, scope of access — are documented on the security page.

Changes

We notify customers by email and post a changelog entry on this page when material privacy changes take effect. Continued use after notice constitutes acceptance.

DPA available on request to privacy@goforlaunch.dev.
