Privacy Policy
Last updated: November 24, 2025
This Privacy Policy explains how SecAlly, Inc. (“SecAlly”, “we”, “us”) collects, uses, and shares information when you use:
- our website at secally.com and any subdomains (the “Website”),
- our web application and dashboards,
- our GitHub app and integrations, and
- any other products and services that link to this Privacy Policy (together, the “Services”).
By accessing or using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, you should stop using the Services.
Our Terms of Service explain the rules for using SecAlly and form part of your agreement with us.
1. Information we collect
We collect information in three main ways:
- information you give us,
- information collected automatically, and
- information we receive from third parties.
1.1 Information you provide
When you interact with the Services, you may give us:
- Account details
- Name, email address, organization, and similar basic details.
- GitHub username and associated organization information when you sign in with GitHub.
- Billing information
- When you subscribe to a paid plan, our payment processors (such as Stripe) collect billing details like payment card information and billing address.
- We do not store payment card numbers on our own systems. They are handled by our payment providers.
- Support and communication
- Information you share when you contact us for support, complete forms on our Website, or respond to surveys or feedback requests.
- User contributions
- Messages, feedback, or other content you choose to send us or post in public channels that we operate.
1.2 Information from your GitHub account and repositories
When you install or authorize the SecAlly GitHub app, we receive certain information from GitHub to provide the Services, for example:
- GitHub user ID, username, and avatar,
- organization membership and roles,
- repository names, metadata, and permissions,
- pull requests, commits, diffs, issues, comments, and code snippets,
- configuration files and other repository content where needed for security analysis.
You can control which organizations and repositories SecAlly can access through your GitHub settings.
1.3 Information collected automatically
When you use the Website or app, we and our service providers may automatically collect:
- Usage data
- Pages viewed, links clicked, time on page, features used, error messages, and similar information about how you use the Services.
- Device and log data
- IP address, browser type and version, operating system, device identifiers, date and time of visits, and referring URLs.
We use this information to operate the Services, keep them secure, and understand how they are used.
1.4 Cookies and similar technologies
We use cookies and similar technologies to:
- keep you signed in,
- remember your preferences,
- measure and improve performance,
- understand which pages and features are used.
You can usually set your browser to refuse cookies or notify you before they are placed. If you disable cookies, some parts of the Services may not work properly.
1.5 Information from third parties
We may receive information about you from:
- GitHub and other integrations when you connect your account,
- analytics providers that help us understand usage and performance,
- email and marketing tools we use to send product updates or newsletters, if you subscribe.
The information we receive depends on the provider, your settings, and what you choose to share.
2. How we use your information
We use the information we collect for the following purposes:
- Provide and maintain the Services
- Create and manage accounts.
- Authenticate you and authorize access to GitHub organizations and repositories.
- Perform code and pull request scans and display security findings.
- Operate AI and analysis features
- Run static analysis and AI models on snippets of your code and related metadata.
- Generate security findings, explanations, and suggestions.
- Improve the Services
- Analyze usage and performance.
- Debug, test, and develop new features.
- Communicate with you
- Respond to support requests.
- Send important notices about your account or the Services.
- Send product updates, tips, or marketing communications where allowed by law and your preferences.
- Billing and account management
- Process subscription payments.
- Handle invoices, receipts, and accounting.
- Safety, security, and legal compliance
- Detect and prevent fraud, abuse, and misuse.
- Protect our rights, property, and users.
- Comply with legal obligations and respond to legal requests.
Where required by law, we rely on one or more of these legal bases to process personal data:
- performance of a contract,
- our legitimate interests in operating and improving the Services,
- your consent, where we request and rely on it.
3. AI providers and use of code
To provide security analysis, SecAlly may use third party AI and infrastructure providers, for example:
- AI model providers such as OpenAI or similar,
- cloud hosting, data storage, and logging providers.
We send only the data needed to operate the feature, such as selected code snippets, configuration details, or context around a pull request.
Our current practice is to configure AI providers so that data sent to them through SecAlly is not used to train their general-purpose models, where such options are available. However, their own terms and technical capabilities may also apply, and we encourage you to review their privacy policies.
We do not use your private repository code to train general-purpose models or to build unrelated products. We may use:
- public open source repositories,
- synthetic data, and
- aggregated, de-identified usage data
to improve our detection rules and systems.
4. How we share information
We do not sell your personal information.
We may share information in these situations:
- Service providers
We work with companies that help us run the Services, for example:
- cloud hosting and storage,
- analytics and logging,
- payment processing,
- email and customer support tools.
These providers may access your information only to perform tasks for us and are required to handle it appropriately.
- Integrations you enable
When you connect SecAlly to other tools, such as GitHub, your information may be shared as needed to provide that integration. You should review the privacy policies of any services you connect.
- Business transfers
We may share or transfer information in connection with a merger, sale of company assets, financing, or acquisition of all or part of our business.
- Legal and safety
We may share information if we believe in good faith that it is reasonably necessary to:
- comply with a law, regulation, legal process, or governmental request,
- protect the rights, property, or safety of SecAlly, our users, or the public,
- detect, prevent, or address fraud, security, or technical issues.
- With your direction or consent
We may share information when you ask us to, or when you have been clearly notified and choose to proceed.
5. Data retention
We keep personal information only as long as needed for the purposes described in this Privacy Policy, or as required by law.
In deciding how long to retain data, we consider factors such as:
- how long you maintain an account or use the Services,
- legal, accounting, or reporting obligations,
- the need to resolve disputes or enforce our agreements.
We may retain some information in backups and logs for a limited period after it is deleted from active systems.
6. Data security
We use technical and organizational measures that are designed to protect your information against unauthorized access, loss, misuse, or alteration, such as:
- access controls,
- encrypted connections where appropriate,
- logical separation of environments,
- internal policies and training.
No system or internet transmission is completely secure. You are responsible for helping protect your account, for example by using a strong password for your GitHub account, restricting who can install apps in your organizations, and reviewing access regularly.
7. International transfers
SecAlly may process and store information on servers located in the United States or other countries. If you access the Services from outside these locations, your information may be transferred to, stored, and processed in countries that may have data protection laws that are different from those in your country.
Where required by law, we take steps to put in place appropriate safeguards for such transfers.
8. Your rights and choices
Depending on where you live, you may have certain rights regarding your personal information, for example:
- access the personal information we hold about you,
- correct or update inaccurate information,
- request deletion of your personal information,
- object to or restrict certain processing,
- request a copy of your information in a portable format,
- withdraw consent where processing is based on consent.
You can often do this by:
- updating your details through your account or GitHub,
- uninstalling or deauthorizing the SecAlly app in GitHub,
- contacting us at support@secally.com.
We may need to verify your identity before responding to certain requests and may not always be able to comply with your request fully, for example when we must keep data for legal reasons.
Marketing communications
You can opt out of marketing emails at any time by using the unsubscribe link in those emails. We may still send you important service-related emails, such as security alerts or billing notices.
9. Children’s privacy
The Services are designed for use by organizations and individuals who are at least 13 years old. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will take steps to delete that information.
10. Third party websites and services
The Services may link to or integrate with websites, apps, and services that are not controlled by SecAlly, such as GitHub or other tools you use. These third parties have their own privacy practices. We are not responsible for the content or privacy policies of third party services and encourage you to review them.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will change the “Last updated” date at the top of the page and may provide additional notice in the product or by email where appropriate.
Your continued use of the Services after a change means you accept the updated Privacy Policy. If you do not agree, you should stop using the Services.
12. Contact
For questions or concerns related to this policy, please contact us at: support@secally.com