Privacy Policy
This Privacy Policy explains how Literal Security ("we," "us," or "our") collects, uses, stores, and discloses personal data when you use our security scanning services, including our MCP server, VS Code extension, JetBrains plugin, command-line tool, git hooks, dashboard, and post-deploy probes (collectively, the "Service"). We are committed to handling your data with the care you'd expect from a security product.
This policy complies with the Indian Digital Personal Data Protection Act, 2023 ("DPDP Act"), the EU/UK General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act ("CCPA"), as applicable to you based on your residence.
1. Who we are
Literal Security is a software-as-a-service business operated from India. For privacy questions or data subject requests, contact us at hello@literalsec.com or @literalsec on X. We act as the data fiduciary (DPDP Act) / data controller (GDPR) for your account data and as a data processor for the source code you scan through the Service.
2. Data we collect
2.1 Account data
- Email address (required for authentication)
- Name (if provided via OAuth)
- OAuth provider identifier (Google, GitHub)
- Billing information (handled by our payment processor — see §6)
- Account creation date, subscription tier, billing status
2.2 Service data (your code, the things you scan)
- Source code you submit for scanning — passed through our scanner; we do not persist file contents after the scan completes. Findings (the security issues we identified) are stored against your account for audit and dashboard display.
- Probe target URLs — the deployed-site URL(s) you register for post-deploy probes.
- Probe credentials (Startup tier and above, opt-in) — stored encrypted at rest using AES-256-GCM, keyed off a server-side secret. Decrypted only at the moment a probe runs.
- Scan + probe metadata — timestamps, file names, decision outcomes, finding identifiers, severity counts.
2.3 Technical data
- IP address, user-agent, timestamps (for security monitoring, abuse prevention, and rate limiting)
- Bearer-token usage logs (which token made which request)
- Aggregated, anonymized usage analytics via Google Analytics 4 (page views, navigation patterns)
2.4 What we do NOT collect
- We do not train AI models on your code.
- We do not sell your data to anyone, ever.
- We do not persist file contents past the scan transaction.
- We do not collect biometric, health, or financial data beyond what's necessary for billing (handled by the payment processor).
3. How we use your data
- To deliver the Service — running scans, probes, and surfacing findings.
- To authenticate you — verifying your bearer token / session.
- To bill you — only on paid tiers, only after we surface a real (medium or above) vulnerability in your code.
- To improve the Service — aggregated usage metrics, never tied to specific code content.
- To send transactional emails — magic-link login, billing receipts, security alerts. We don't send marketing emails without explicit opt-in.
- To comply with legal obligations — court orders, audits, fraud prevention.
4. Legal basis for processing
- Contract: Most processing is necessary to provide you the Service you signed up for.
- Consent: For probe credentials (you explicitly enable this), analytics cookies, and any marketing emails.
- Legitimate interest: Security monitoring, fraud prevention, abuse mitigation.
- Legal obligation: Tax records, court orders.
5. Data retention
| Data type | Retention |
|---|---|
| Source code submitted to the scanner | Not persisted past the scan transaction (zero retention). |
| Scan findings + decisions | Lifetime of your account; deleted on account deletion. |
| Audit log of probe runs | 24 months, then purged. |
| Account data (email, name, OAuth sub) | Until account deletion + 30 days for accidental-recovery. |
| Billing records | 7 years (required by Indian tax law). |
| Probe credentials (encrypted) | Until you delete them or rotate the encryption key. |
| Server logs (IP, user-agent) | 30 days then aggregated. |
6. Subprocessors
We rely on the following service providers to operate the Service. Each has been vetted for data protection compliance. By using the Service you consent to their processing of your data for the purposes listed.
| Subprocessor | Purpose | Region |
|---|---|---|
| Neon (Postgres) | Account + finding storage | EU (Frankfurt) / US |
| Anthropic | AI-driven code review (Claude subprocess) | US |
| Resend | Transactional email | US |
| Dodo Payments | Subscription billing | India |
| Cloudflare | DNS, edge caching, DDoS protection | Global |
| Contabo (VPS hosting) | Application hosting | EU (Germany) |
| Google Analytics 4 | Anonymized usage metrics | Global |
| Google / GitHub OAuth | Account authentication | Global |
We update this list within 30 days of adding a new subprocessor. Contact us if you'd like to subscribe to subprocessor change notifications.
7. International transfers
Your data may be transferred to and processed in countries other than India. We use Standard Contractual Clauses (or equivalent safeguards) for transfers outside India. If you are in the EEA/UK, your data may be transferred to the US under appropriate safeguards.
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and associated data (the "right to be forgotten" under GDPR / "right to erasure" under DPDP).
- Restrict or object to processing of your data.
- Port your data to another service.
- Withdraw consent for any consent-based processing (this will not affect lawful processing already done).
- Lodge a complaint with the Data Protection Board of India, the EU/UK ICO, or your local data protection authority.
To exercise any of these rights, email hello@literalsec.com from the email address associated with your account; we are also reachable at @literalsec on X. We respond within 30 days.
9. Security
- All traffic is encrypted in transit with TLS 1.2+.
- Bearer tokens are stored as bcrypt-hashed values; we never log the plaintext.
- Probe credentials are encrypted at rest with AES-256-GCM.
- Database connections use TLS-encrypted Postgres.
- Production access is restricted to the founder, gated by SSH keys + 2FA.
- We follow least-privilege principles for service accounts.
- Source code submitted for scanning is processed in a stateless, ephemeral subprocess and never persisted.
No system is perfectly secure. If you suspect a security issue, please email hello@literalsec.com with the subject line "SECURITY", or reach us at @literalsec on X. We follow coordinated disclosure.
10. Cookies and similar technologies
We use the following cookies:
- Session cookie (essential) — keeps you logged into your dashboard.
- Google Analytics 4 (analytics) — anonymized page-view tracking. You can opt out via your browser's "Do Not Track" setting or by using a tracker-blocker.
We do not use cookies for advertising, profiling, or third-party sharing.
11. Children
The Service is not directed at individuals under the age of 18. We do not knowingly collect data from minors. If you believe we have collected data from a minor, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to your account address at least 14 days before they take effect. The "Last updated" date at the top of this policy reflects the most recent change.
13. Contact us
For any privacy question, data subject request, or complaint:
- Email: hello@literalsec.com
- X: @literalsec
- Subject line for DSR requests: DSR · <your account email>
You also have the right to lodge a complaint with the Data Protection Board of India or your local supervisory authority.