Privacy Policy

Effective · Last updated

This Privacy Policy explains how Guillermo Guerini (“DepVitals,” “we,” “us,” or “our”) collects, uses, and protects information when you use our service at depvitals.com (the “Service”). This policy is a notice about our privacy practices and should be read together with our Terms of Service. If you are located in the European Economic Area (EEA), United Kingdom, or another region with data protection rights, please also see Section 9 for additional rights and disclosures.

1. What Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Email address
  • Password (stored as a secure, one-way hash — we never store your plain-text password)
  • Name, account name, or team name, if you provide one
  • Time zone (used to display dates correctly)

1.2 Uploaded Files and Scan Data

The Service allows you to upload dependency manifest and lock files from your software projects. These files are intended to contain software dependency names, version numbers, and package metadata, not application source code, business logic, credentials, or personal data about your end users. You should not upload files that contain secrets or personal data beyond what is necessary to use the Service. We store the files you provide and the analysis results associated with your account, including dependency records, direct or transitive dependency status, version comparisons, public vulnerability and deprecation signals, grades, grade reasons, scan timestamps, branch names, commit SHAs, and pull request numbers where applicable.

1.3 Version Control Integration Data

If you connect a version control account, we collect information needed to operate that integration, such as the platform installation identifier, account login, account type, avatar URL, repository names, repository URLs, repository visibility, branch names, commit SHAs, pull request numbers, and dependency manifest and lock files read from repositories you explicitly authorize. For GitHub App integrations, repository access tokens are short-lived installation tokens generated as needed; we do not store your GitHub password or a long-lived personal access token.

We request only the minimum permissions necessary. We do not intentionally read your source code, issues, or repository content beyond dependency manifest and lock files, except for repository metadata and pull request file lists needed to determine whether a scan should run. Where you have enabled pull request integration, we receive webhook notifications when repository or pull request events occur, and we may post or update automated comments on pull requests with dependency health summaries. You can revoke our access at any time from your version control platform’s account settings.

1.4 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not receive, store, or process your raw payment card details. We do receive and store non-sensitive billing information from Stripe, including subscription status, plan type, and the last four digits of your card for display purposes. Please review Stripe’s Privacy Policy for details on how Stripe handles your payment data.

1.5 Usage Data

We automatically collect technical information when you use the Service, including browser type and version, IP address, pages visited and actions taken within the Service, and date and time of access. We may also collect server logs, security events, request identifiers, error reports, and application performance data. This information is used to operate, maintain, secure, and improve the Service.

1.6 Communications and Support

If you contact us, we collect the information you provide in your message and any contact details needed to respond.

1.7 Information from Third-Party Sources

To provide dependency health reports, we may obtain package version, release, deprecation, license, and public vulnerability information from package registries, vulnerability databases, and version control platforms. This data is used to calculate and explain scan results.

2. Legal Basis for Processing (EEA and UK Users)

If you are located in the EEA or UK, we process your personal data on the following legal bases:

  • Contract performance: We process account information, uploaded or synced files, version control integration data, scan results, and billing information to provide the Service you requested.
  • Legitimate interests: We process usage data, technical logs, security events, diagnostics, support communications, and limited aggregate analytics to operate, secure, debug, improve, and protect the Service. Our legitimate interests do not override your rights.
  • Legal obligation: We process billing, tax, accounting, compliance, and legal request data where required by law.
  • Consent: We rely on your consent for analytics cookies and any optional communications that legally require consent. You may withdraw consent at any time without affecting prior processing.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account
  • Analyze dependency files and return health grades
  • Process payments and manage your subscription
  • Send transactional emails (account confirmation, password resets, scan notifications)
  • Respond to support requests
  • Detect and prevent fraud or abuse
  • Secure, debug, and monitor the performance of the Service
  • Improve and develop the Service
  • Comply with legal, tax, accounting, and contractual obligations

We do not sell your personal information. We do not share your uploaded files, GitHub data, or scan results with any third parties except as described in Section 4.

We may create aggregate or de-identified statistics about dependency health trends, product usage, or system performance. We do not use these statistics to identify you or disclose your private repository data.

4. Data Sharing

4.1 Service Providers

We share information with the following categories of service providers to operate the Service. Each provider is contractually obligated to use your data only to provide services to us:

  • Payment processing (currently Stripe, Inc.) — for billing and subscription management
  • Transactional email delivery (currently Resend, Inc.) — for account notifications, password resets, and scan alerts
  • Cloud infrastructure and hosting (currently Hetzner Online GmbH, Germany) — stores all Service data on our behalf
  • Application performance monitoring (currently Scout APM) — receives anonymized request timing and error data; no personal project data is transmitted
  • Web analytics, with your consent (currently Google Analytics by Google LLC) — aggregate usage data, collected only after you accept our cookie consent banner
  • Package registries and public advisory sources — receive dependency names and versions as needed to retrieve version, deprecation, and vulnerability information

We may add or change service providers over time. We will update this policy when we do and notify you of material changes as described in Section 7.

4.2 Version Control Platforms

When you connect a version control account, data flows between our Service and the respective platform under the permissions you grant. We do not share your data with those platforms beyond what is required for the integration to function, such as requesting repository file lists, reading manifest files, receiving webhook events, and posting pull request comments you have enabled.

4.3 Legal Requirements

We may disclose your information if required by law or in response to valid requests from public authorities (e.g., a court or government agency).

4.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email before your information becomes subject to a different privacy policy.

5. International Data Transfers

Our servers are currently located in Germany (European Economic Area). We, as data controller, are based in the United States (Massachusetts). When we access or process data stored on our servers, or when US-based service providers such as Stripe, Resend, Google Analytics, GitHub, or Scout APM process data for us, that processing may involve a transfer to the United States or another country outside the EEA or UK.

Where required, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum or equivalent safeguards, and related contractual and technical measures for transfers of personal data out of the EEA or UK. You may request information about the applicable transfer safeguards by contacting us at [email protected].

6. Data Retention

  • Account and project data: retained while your account is active, then deleted within 30 days of account deletion.
  • Dependency manifest and lock files: purged once the associated scan completes. The raw file is no longer needed after parsing.
  • Scan results and analysis data (grades, dependency records, version comparisons, public vulnerability and deprecation signals): retained while your account is active, then deleted within 30 days of account deletion.
  • Processed webhook events: retained for up to 30 days for reliability, abuse prevention, and debugging. Unprocessed events may be retained longer until reviewed or resolved.
  • Security, diagnostic, and application logs: retained only as long as reasonably needed for security, debugging, and operations, unless a longer period is required to investigate abuse, resolve disputes, or comply with law.
  • Billing records: retained for up to 7 years as required by financial and tax regulations.
  • Analytics data: governed by Google Analytics’ retention settings (currently 14 months by default).

7. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, notify you by email at least 14 days before they take effect. Continued use of the Service after changes take effect constitutes acceptance.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where required by law, and notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

8. Data Security

We implement reasonable technical and organizational measures to protect your information, including TLS encryption in transit, secure password hashing, encrypted storage for sensitive fields where appropriate, parameter filtering for secrets, access controls, and limited retention of operational logs. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

9. Your Rights

Regardless of location, you may:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request that we delete your account and associated data.
  • Portability: Request an export of your data in a machine-readable format.

If you are located in the EEA or UK, you additionally have the right to:

  • Restriction of processing: Ask us to restrict processing in certain circumstances (e.g., while you contest accuracy).
  • Object: Object to processing based on legitimate interests. We will stop unless we have compelling grounds.
  • Withdraw consent: Withdraw consent at any time where we rely on it, without affecting prior processing.
  • No solely automated legal decisions: We do not use automated decision-making that produces legal or similarly significant effects about you.
  • Lodge a complaint: Lodge a complaint with your local data protection authority. In the EU: edpb.europa.eu. In the UK: ico.org.uk.

To exercise any of these rights, email [email protected]. We will respond within 30 days. In complex cases we may extend by a further two months, in which case we will inform you.

We have not appointed a Data Protection Officer. If applicable law requires us to appoint an EU or UK representative or similar contact, we will update this policy with those details.

10. Children’s Privacy

The Service is intended for users aged 16 and over, as set out in our Terms of Service. We do not knowingly collect personal information from anyone under 16, and the Service is not directed to children. In particular, we do not knowingly collect data from children under 13 as defined by the US Children’s Online Privacy Protection Act (COPPA), and we do not offer the Service for use by schools or parents on behalf of children. If you believe we have inadvertently collected information from a minor under 16, contact us at [email protected] and we will delete it promptly.

11. Cookie Policy

Cookies are small text files stored in your browser. We use them for the following purposes:

Essential cookies (always active)

These cookies are required for the Service to function and cannot be disabled.

Cookie Purpose Duration
_session Keeps you logged in to your account Session / timeout
cookie_consent Stores your cookie consent preference 1 year

Analytics cookies (with your consent)

These cookies are only set after you click “Accept” on our cookie consent banner.

Cookie Set by Purpose Duration
_ga Google Analytics Distinguishes users 2 years
_gid Google Analytics Distinguishes users 24 hours
_ga_* Google Analytics Persists session state 2 years

You can withdraw consent at any time by clearing cookies for depvitals.com in your browser settings, which will cause the consent banner to reappear on your next visit. You can also opt out of Google Analytics tracking across all sites using Google’s opt-out browser add-on.

12. Contact Us

Questions or concerns about this Privacy Policy? Contact us at:

Guillermo Guerini

Email: [email protected]

Website: depvitals.com

We use cookies for session management and analytics. See our Privacy Policy for details.