Privacy Policy

Last updated · 2026-06-03

This policy explains what data Vettd collects, why we collect it, who we share it with, and the choices you have. Plain English wherever possible.

1. What we collect

Different things depending on what you do with Vettd:

  • When you scan a URL — the URL itself, the publicly available HTML our scanner downloads, response headers, page screenshots, and the technologies we detect. We never log into your site or access anything behind authentication.
  • When you connect a repository (Code Review) — repository metadata via the Vettd GitHub App, plus the code we pull per push. Code is scanned in memory and on temporary disk only; we delete it from our servers after the scan completes. Findings (file paths, line numbers, severity) are kept so you can view past reviews.
  • When you create an account — your email, name, and avatar from your OAuth provider (Google or GitHub). We don't store passwords because we don't use them.
  • When you pay — Dodo Payments (international) or Cashfree (India) handle your card details. We never see or store full card numbers; we receive a payment ID, the amount, currency, and your billing email.
  • When you visit shipvettd.com — basic request metadata (IP, user-agent, referrer) for security and operational logs, plus optional analytics described below in “Cookies & tracking.”

2. Cookies & tracking

We use two categories of cookies and similar storage:

  • Strictly necessary — required for sign-in sessions, payment checkout, CSRF protection, and remembering your cookie choice. These can't be turned off because the site won't function without them.
  • Analytics (opt-in) — Google Analytics 4 (aggregate page views, traffic sources, basic device data) and Microsoft Clarity (anonymized session recordings and heatmaps that help us see where the product is confusing). The script tags are present on every page so the site is correctly instrumented, but tracking is fully suppressed using Google's Consent Mode v2 (all storage denied) until you explicitly opt in via the cookie banner. You can change your mind at any time via the “Cookie preferences” link in the footer.

We do not use cookies for cross-site advertising, ad retargeting, or selling data to ad networks. There are no third-party advertising pixels on the site.

3. How we use your data

  • Run the scans and code reviews you ask for, and show you the results.
  • Maintain your account, deliver the features in your plan, and process payments.
  • Send transactional emails (receipts, scan completions, security notices). These are not optional while you have an account.
  • Improve the product — debugging, performance work, and (if you opted in) analytics.
  • Comply with legal obligations and respond to lawful requests.

We do not sell your data. We do not use your scanned content to train third-party AI models.

4. Legal basis (for visitors in the EU/UK)

  • Contract — running the scans, code reviews, account, and billing you signed up for.
  • Legitimate interests — security logging, abuse prevention, and product debugging, balanced against your interests.
  • Consent — analytics cookies (GA, Clarity). You can withdraw consent at any time from the cookie preferences in the footer.
  • Legal obligation — tax records, fraud prevention, and lawful disclosure requests.

5. Who else processes your data

We use the following sub-processors. They only receive what they need to do their job.

  • Supabase (US, EU regions) — database, authentication, file storage.
  • Railway (US) — hosting and request routing.
  • Straico — large-language-model API for AI analysis of legal pages, headlines, and code findings. Inputs are sent per-request and not retained for training under our agreement.
  • Dodo Payments — international (USD) checkout and card processing.
  • Cashfree (India) — Indian-rupee checkout and card processing.
  • GitHub — Code Review only, via our official GitHub App, with the scopes you grant at install time.
  • Google Analytics (Google LLC, US) — analytics cookies, only if you opted in.
  • Microsoft Clarity (Microsoft Corporation, US) — session recordings and heatmaps, only if you opted in.
  • Resend — transactional email delivery (receipts, account notices).

6. International transfers

Vettd operates from India and most of our sub-processors are based in the United States. If you're in the EU/UK, your data is transferred outside your home region. We rely on the sub-processors' standard contractual clauses and equivalent safeguards. If you have specific concerns, email us at privacy@shipvettd.com.

7. AI & automated processing

Vettd's scans involve automated analysis and large-language-model output. Specifically: we evaluate your HTML against a fixed rule set, generate suggested fixes, grade your headline/legal pages with AI, and (for Code Review) flag patterns in your source. These outputs are recommendations — not decisions about you that produce legal effects. You always choose what to do with them. If you want a human review of an AI-generated finding, email hello@shipvettd.com.

8. Data retention

  • Anonymous Site Scans — the in-memory result is cached for 1 hour; the scan is kept indefinitely in the public scan database unless you ask us to remove a specific scan. Public scans may be indexed by search engines.
  • Account-bound scans & fixes — kept while your account is active, deleted within 30 days of account deletion.
  • Code Review source code — deleted from our servers immediately after the scan completes. Findings (paths, lines, severity, summary) are retained while the repository remains connected.
  • Payment records — kept for the period required by tax law (typically 7 years in India) regardless of account deletion.
  • Server logs — 30 days.

9. Security

Data is encrypted in transit (HTTPS/TLS). Database storage at our sub-processors is encrypted at rest. Access to production systems is restricted to the founding team and is protected by 2FA. We do not pretend to have SOC 2 or ISO 27001 — we're a small, focused team and we say so honestly. If you discover a security issue, email security@shipvettd.com and we'll respond within 72 hours.

10. Your rights

Depending on where you live, you have the right to:

  • Access the personal data we hold about you.
  • Correct it if it's wrong.
  • Delete your account and associated data (subject to legal retention obligations like tax records).
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent for analytics cookies at any time via the footer link.
  • Lodge a complaint with your local data protection authority (e.g. ICO in the UK, your national DPA in the EU).

California residents (CCPA/CPRA) — you have the right to know what personal information we collect, delete it, correct it, and opt out of any “sale” or “sharing.” We don't sell or share your personal information for cross-context behavioral advertising.

Email privacy@shipvettd.com to exercise any of these rights. We respond within 30 days.

11. Public scan reports

By default, anonymous Site Scan results are public and may be indexed by search engines (so others searching for that site's name may find the report). If you want a scan removed from the public index, email privacy@shipvettd.com with the URL or scan ID. Code Review results are always private to your account.

12. Children

Vettd is not directed to children under 16. We don't knowingly collect personal data from anyone under 16. If you believe a child has provided us data, email privacy@shipvettd.com and we'll delete it.

13. Changes to this policy

If we make material changes (new sub-processor with new data categories, new tracking technology, expanded data sharing) we'll update the “Last updated” date and, where required, notify active accounts by email. Continued use after the effective date constitutes acceptance.

14. Contact

Privacy questions, data requests, or anything in this policy: privacy@shipvettd.com.

Vettd is operated by Satak Technologies, based in India. We don't currently have an EU representative under GDPR Art. 27; if your inquiry requires one, please email us and we'll work with you directly.