Privacy

What we store. For how long. Who sees it.

Last updated 2026-04-24. The short version: as little as possible, as briefly as possible, nobody outside Hardenator.

Waitlist signups. When you join the waitlist we store: your email address, the referral token (if any), the time you signed up. That's it. We use it to send you Breach Watch + product updates. We don't share or sell it.

Scanned code. When the paid tier ships, Hardenator will clone your repo into an isolated container to run scans, then delete the clone within 5 minutes. We never persist your source code to our databases. We persist only findings (file path + line number + rule ID + severity), never the surrounding code.

Telemetry. The CLI sends anonymous, opt-in-only events to PostHog: command name, exit code, no payload. Disable it with HARDENATOR_TELEMETRY=off in your env.

Email service. Resend (ap-northeast-1) sends our transactional mail. They see your email address (to deliver to it) but don't store payload content beyond Resend's standard operational logs.

Analytics. PostHog on the marketing site — page views, click events, no PII. You can opt out via standard Do-Not-Track headers.

Data subject rights (GDPR). Email hello@hardenator.com and we'll action access / export / deletion requests within 30 days.

Changes. Material changes get emailed to waitlist members 14 days before taking effect.
