Privacy Policy

Your data never leaves your browser. Here's exactly how we protect your privacy.

Last updated: September 9, 2025

Privacy-First by Design

Your lockfiles never leave your device. All vulnerability scanning happens locally in your browser using JavaScript. We cannot see, store, or access your dependency data.

What We Don't Collect

Your Lockfiles

Your package-lock.json, pnpm-lock.yaml, and yarn.lock files are processed entirely in your browser. They never get uploaded to our servers.

Dependency Lists

We don't see what packages you use, what versions you have, or any information about your project dependencies.

Scan Results

Vulnerability scan results are generated and displayed locally. We don't track what vulnerabilities are found in your projects.

Personal Information

No accounts, no sign-ups, no personal data collection. You can use our tool completely anonymously.

How Local Processing Works

1. You Select Your Lockfile

When you drag and drop or select your lockfile, it's read directly by your browser using the File API. The file never leaves your device.

2. Local Parsing

JavaScript in your browser parses the lockfile to extract package names and versions. This happens entirely on your device.

3. Vulnerability Database Lookup

Your browser downloads our public vulnerability database (updated daily) and compares it against your dependencies locally.

4. Results Displayed

Vulnerability results are generated and displayed in your browser. No scan data is transmitted back to our servers.

What We Do Collect

Minimal Technical Data Only

  • Basic Analytics: Page views and general usage statistics (via standard web analytics)
  • Error Logs: Technical errors to help us improve the service (no personal data included)
  • Performance Metrics: Load times and performance data to optimize the experience

Important: None of this data is linked to your lockfiles, scan results, or any personally identifiable information.

Local Data Storage

Browser Cache Only

The only data stored on your device is:

  • Vulnerability Database Cache: To avoid re-downloading the same vulnerability data
  • Application Cache: Standard browser caching for faster loading

You can clear this data anytime through your browser's settings. No sensitive information is stored.

Third-Party Services

External Data Sources

We use these external services to provide vulnerability data:

  • OSV Database (Google): Open source vulnerability database - osv.dev
  • GitHub Security Advisories: Security vulnerability data from GitHub
  • npm Security Advisories: Official npm vulnerability reports

Note: These services only provide vulnerability data to us. They don't receive any information about your scans.

Your Privacy Rights

Complete Control

  • No Data to Delete: Since we don't store your scan data, there's nothing to delete
  • No Tracking to Opt Out Of: We don't track your scanning activity
  • Open Source: Our code is transparent and auditable
  • Offline Capable: The tool works offline after initial load

Security Measures

Technical Safeguards

  • HTTPS Only: All connections are encrypted
  • No Server Processing: Eliminates server-side data breach risks
  • Content Security Policy: Prevents malicious script injection
  • Regular Updates: Vulnerability database updated daily

Questions or Concerns?

If you have any questions about this privacy policy or our data practices, please contact us:

Policy Updates

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. Since we don't collect personal data, policy changes typically won't affect you directly.