Privacy Policy
Last updated: July 1, 2026
The short version: Lumstep scans your repositories for security vulnerabilities. To do that, we temporarily access your code - but we never store it. We collect the minimum data needed to run the service and improve it. We don't sell your data. Ever.
1. What we collect
- Account data: name and email via OAuth (GitHub or GitLab). No password needed.
- Repository metadata: repository names, branch names, commit hashes, language distributions.
- Scan results: vulnerability findings, affected file paths and line numbers, dependency lists, SBOM data. These results belong to you.
- Usage data: pages visited, features used, session duration - to understand how the product is used.
- Billing data: payment processing via Stripe. We receive a customer ID and subscription status only. We never see your card number.
2. What we don't collect
- Your source code. Repository archives are downloaded into an isolated scan environment, scanned, and deleted. We do not persist your source code.
- Unnecessary PII. We store your name and email (from OAuth). Nothing else.
- Your Git credentials. Access tokens are encrypted in HashiCorp Vault and used only during the scan.
3. How we use your data
- Running scans - repository metadata and temporary code access are used solely for security analysis.
- Improving the product - aggregated, anonymized usage data helps us identify what's useful and what's broken.
- Communicating with you - security findings, product updates, and important policy changes. Opt out of non-essential emails at any time.
- Billing - subscription status gates access to paid features.
- We do not use your data to train AI models. We do not sell your data.
4. Data storage and security
- Infrastructure: EU-based servers.
- Encryption: AES-256-GCM via HashiCorp Vault. Each organization has a separate encryption key.
- Database isolation: Row-level security ensures users only access their organization's data.
- Retention: Scan results retained until deletion or account closure. Source code archives deleted immediately after scanning. Access logs: 90-day rolling retention. Audit trail: 90-day retention.
5. Third-party services
We use the following third-party services:
| Service | Purpose |
|---|---|
| GitHub / GitLab | OAuth authentication and repository access |
| Stripe | Payment processing |
| Zitadel | Identity management |
We don't use advertising networks or data brokers.
6. Your rights (GDPR)
You have the right to: access your data, correct inaccuracies, delete your account and all personal data, export your data, object to processing, and lodge a complaint with the CNIL.
To exercise these rights, email privacy@lumstep.fr. We'll respond within 30 days.
7. Contact
Data controller: Lumstep SAS