Privacy Policy

1. Scope and Controller

This Privacy Policy explains how Zero Branch collects, uses, discloses, and protects information when you use our websites, applications, APIs, and related services.

For most processing described in this policy, Zero Branch acts as the data controller. Where we process repository data or other content on behalf of organization customers, we may act as a processor under separate contractual terms.

2. Information We Collect

• Account and profile information, such as name, email address, authentication identifiers, workspace role, and organization membership details.
• Workspace and repository metadata, such as repository names, visibility state (public/private), provider account IDs, installation IDs, and connector settings.
• Repository scan data and security findings, including code snippets, file paths, vulnerability findings, misconfiguration findings, dependency findings, and generated recommendations.
• Usage and operational telemetry, such as feature usage, scan timestamps, queue activity, runtime diagnostics, device/browser metadata, and service logs.
• Billing and transaction data from payment providers, such as plan tier, subscription status, invoice metadata, and billing account identifiers (but not full payment card numbers).
• Communications data, such as support requests, product feedback, and operational notifications.

3. Sources of Information

• Directly from you and your workspace administrators.
• From connected source-control providers (for example, GitHub) that you authorize.
• From authentication and billing service providers used to operate the platform.
• Automatically from your use of the service through logs, telemetry, and security monitoring.

4. How We Use Information

• Provide and secure the service, including authentication, authorization, workspace isolation, connector management, and scan execution.
• Generate visualizations, findings, reports, and analytics for repository security posture workflows.
• Detect abuse, prevent fraud, investigate incidents, enforce plan limits, and maintain platform reliability.
• Operate subscriptions, billing, invoicing, and account lifecycle management.
• Communicate with you about service changes, security events, support matters, and product updates.
• Comply with legal obligations and enforce our contractual and policy terms.

5. Legal Bases for Processing (EEA/UK and Similar Jurisdictions)

Depending on your location and the context, we process personal information based on contract performance, legitimate interests, legal obligations, consent, or other lawful bases permitted by applicable law.

Where consent is required, you may withdraw consent at any time, but this does not affect prior lawful processing.

6. Repository and Code Data Handling

• We process repository content only to provide requested scan, reporting, and platform security functionality.
• You remain responsible for ensuring you have rights to connect and scan each repository.
• Private repository access is limited to authorized connectors and workspace permissions.
• Generated findings may include excerpts, file references, and metadata required for security analysis and reporting.
• We do not take ownership of your repositories or source code.

7. Sharing and Disclosure

We do not sell personal information for monetary consideration. We disclose information only as needed to operate the service, comply with law, or protect rights and security.

• Service providers and subprocessors supporting hosting, storage, authentication, billing, email, observability, and security operations.
• Source-control and integration providers when required for connector and synchronization workflows.
• Professional advisers, auditors, insurers, and legal authorities where required or appropriate.
• Parties involved in mergers, acquisitions, financing, or other corporate transactions, subject to appropriate protections.

8. International Data Transfers

Information may be processed in jurisdictions outside your own. Where legally required, we implement recognized transfer safeguards for cross-border data transfers.

9. Data Retention

We retain information for as long as necessary to provide services, maintain security and auditability, comply with legal obligations, resolve disputes, and enforce agreements.

Retention periods vary by data type, subscription status, legal requirements, and operational needs. When retention is no longer required, we delete or de-identify data where feasible.

10. Security Measures

We apply administrative, technical, and organizational safeguards designed to protect information against unauthorized access, misuse, disclosure, alteration, and destruction.

No method of transmission or storage is perfectly secure. You are responsible for safeguarding your credentials, managing connector access scope, and promptly reporting suspected incidents.

11. Privacy Rights and Choices

Subject to applicable law, you may have rights to access, correct, delete, restrict, object to, or port certain personal information.

You may also have rights related to marketing preferences and certain disclosures under U.S. state privacy laws. We may need to verify your identity before fulfilling requests.

• Account and workspace administrators may manage certain data directly through the product.
• You can request privacy assistance by contacting our privacy team using the contact details below.

12. Children’s Privacy

Our services are not directed to children under 13 (or older age thresholds where required by local law). We do not knowingly collect personal information from children in violation of applicable law.

13. Policy Updates

We may update this Privacy Policy periodically. Material changes will be reflected by updating the effective date and, where appropriate, by providing additional notice.

14. Contact Information

For privacy questions, rights requests, or data protection concerns, contact privacy@zerobranch.io or legal@zerobranch.io.

Jurisdiction reference: Illinois, United States.