GuardLaneGuardLane

Privacy Policy

Last Updated: March 22, 2026

Last Updated: March 22, 2026

SMK SOFTWARE LLC ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the GuardLane platform and services (the "Service").

This Privacy Policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

  • Email address (required)
  • Full name
  • Password (encrypted, not stored in plain text)
  • Profile picture (optional)
  • Organization name (for business accounts)
  • Two-factor authentication preferences

Project Information:

  • Project names and descriptions
  • Repository URLs and metadata
  • Team member invitations and roles
  • Project settings and preferences

Payment Information:

  • Payment information is collected and processed by Paddle (our payment processor)
  • We do not store credit card numbers or sensitive payment data
  • We receive transaction IDs, subscription status, and billing history from Paddle

Communications:

  • Support tickets and correspondence
  • Feedback and survey responses
  • Email preferences and notification settings

1.2 Information Collected Automatically

Usage Data:

  • Pages visited and features used
  • Time spent on platform
  • Audit execution frequency and duration
  • Feature interaction patterns
  • Error logs and debugging information

Device and Browser Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Language preferences

Cookies and Tracking Technologies:

  • Session cookies (essential for authentication)
  • Preference cookies (remember your settings)
  • Analytics cookies (if applicable in the future)
  • See our Cookie Policy for detailed information

1.3 Code Repository Data

What We Process:

  • Repository metadata (names, URLs, commit history)
  • Code files submitted for security auditing
  • Dependency manifests and lock files
  • Configuration files relevant to security analysis

How We Process It: When you trigger an audit or PR review, your source code and repository metadata are transmitted to GuardLane's servers and processed by AI analysis services (see Sub-Processors list). Code is retained on our servers for the duration of your subscription and deleted upon account deletion or plan expiry.

  • Source code is uploaded to GuardLane servers for analysis
  • Source code and repository metadata are sent to AI sub-processors for security analysis (see Section 4.2)
  • Audit results, findings, and metadata are stored in our database
  • Code snippets may be included in audit reports (stored securely)

What We Do NOT Collect:

  • Credentials, API keys, or secrets (we scan for these but do not store them)

1.4 Audit Results and Analysis

Data Stored:

  • Security findings and vulnerability reports
  • Severity ratings and risk scores
  • Remediation recommendations
  • Code quality metrics
  • Dependency vulnerability data
  • Compliance check results
  • AI-generated analysis and insights

Embeddings:

  • We generate vector embeddings of audit findings for semantic search
  • Embeddings are mathematical representations, not readable text
  • Stored in PostgreSQL with pgvector extension

1.5 AI Discussion Data

Chat History:

  • Questions asked to the AI assistant
  • AI responses and recommendations
  • Tool usage and query patterns
  • Feedback on AI responses (thumbs up/down)

Purpose:

  • To provide intelligent assistance with audit results
  • To improve AI model performance
  • To maintain conversation context

2. How We Use Your Information

2.1 To Provide and Improve the Service

  • Account Management: Create and maintain your account, authenticate you, manage subscriptions
  • Audit Execution: Process security audits, generate reports, provide AI-powered analysis
  • Service Features: Enable project management, team collaboration, notification delivery
  • Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance
  • Service Improvement: Analyze usage patterns, identify bugs, develop new features
  • Security: Detect and prevent fraud, abuse, and unauthorized access

2.2 To Communicate with You

  • Transactional Emails: Account verification, password resets, audit completion notifications
  • Service Updates: Feature announcements, maintenance notifications, security alerts
  • Marketing (with consent): Product updates, tips, educational content
  • Surveys and Feedback: Solicit feedback to improve the Service

You can opt out of marketing emails at any time via unsubscribe links or account settings.

2.3 For Analytics and Research

  • Aggregated Analytics: Understand how users interact with the Service
  • Performance Metrics: Monitor system performance and reliability
  • Security Research: Identify emerging vulnerability patterns (anonymized)
  • Product Development: Prioritize features based on usage data

Analytics data is anonymized and aggregated whenever possible.

2.4 Legal and Compliance

  • Legal Obligations: Comply with applicable laws, regulations, and legal processes
  • Enforce Terms: Investigate violations of our Terms of Service
  • Protect Rights: Defend against legal claims, protect our intellectual property
  • Safety: Prevent harm to users, our systems, or the public

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data based on:

  • Contractual Necessity: To fulfill our contract with you (provide the Service)
  • Legitimate Interests: To improve the Service, prevent fraud, ensure security
  • Consent: For marketing communications, non-essential cookies, optional features
  • Legal Obligation: To comply with laws, regulations, and valid legal requests

You have the right to withdraw consent at any time without affecting prior processing.

4. How We Share Your Information

4.1 We DO NOT Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

4.2 Service Providers and Partners

We share data with trusted third parties who help us operate the Service:

Firebase Authentication (Google):

  • Purpose: User authentication, email verification, two-factor authentication
  • Data Shared: Email, name, authentication tokens
  • Location: Global (with EU data residency options)
  • Privacy Policy: https://firebase.google.com/support/privacy

Paddle (Payment Processing):

Anthropic (AI Analysis):

  • Purpose: AI model inference for security audit analysis (Claude Opus 4.6, Claude Sonnet 4.6)
  • Data Shared: Source code submitted for audit, repository metadata
  • Location: San Francisco, United States
  • Privacy Policy: https://www.anthropic.com/legal/privacy

OpenAI (AI Analysis):

  • Purpose: AI model inference for security audit analysis (GPT via GitHub Copilot/Codex)
  • Data Shared: Source code submitted for audit, repository metadata
  • Location: San Francisco, United States
  • Privacy Policy: https://openai.com/policies/privacy-policy

Google Gemini (AI Analysis):

  • Purpose: AI model inference for security audit analysis (Gemini 3.1 Pro via Copilot)
  • Data Shared: Source code submitted for audit, repository metadata
  • Location: Mountain View, United States
  • Privacy Policy: https://policies.google.com/privacy

Zhipu AI / z.ai (AI Analysis):

  • Purpose: AI model inference for security audit analysis (GLM-5)
  • Data Shared: Source code submitted for audit, repository metadata
  • Location: Beijing, People's Republic of China
  • Privacy Policy: https://www.zhipuai.cn/en/privacy

Important: Zhipu AI is based in the People's Republic of China. China does not have an EU adequacy decision. Data transfers occur under Standard Contractual Clauses. EU customers should be aware their code may be processed in China.

All AI sub-processors receive source code and repository metadata solely for the purpose of security analysis. Data is not used for training purposes under our agreements.

Cloud Infrastructure Providers:

  • Purpose: Hosting, database, file storage
  • Data Shared: All Service data (encrypted in transit and at rest)
  • Provider: Railway (Brex Inc., San Francisco, USA)
  • Location: United States

Resend (Email Delivery):

  • Purpose: Transactional and notification emails
  • Data Shared: Email address, notification content
  • Provider: Resend Inc. (San Francisco, USA)
  • Privacy Policy: https://resend.com/legal/privacy-policy

Analytics: We do not currently use third-party analytics services. We may add analytics in the future and will update this policy accordingly.

All service providers are contractually required to:

  • Process data only for specified purposes
  • Implement appropriate security measures
  • Comply with GDPR and data protection laws
  • Delete or return data upon termination

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you and provide choices before any transfer occurs.

4.4 Legal Requirements

We may disclose data when required by law, court order, or government request, or to:

  • Comply with legal processes (subpoenas, warrants)
  • Enforce our Terms of Service
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Protect the rights and safety of users or the public

We will notify you of legal requests unless prohibited by law.

4.5 With Your Consent

We may share data with third parties when you explicitly consent, such as:

  • Integrations you authorize (GitHub, GitLab, Bitbucket)
  • Export of audit reports to third-party tools
  • Sharing project access with team members

4A. Google User Data Disclosure

This section specifically addresses how GuardLane handles data obtained through Google APIs, in compliance with the Google API Services User Data Policy.

4A.1 Google Data Accessed

GuardLane uses Google Sign-In (via Firebase Authentication) to authenticate users. When you sign in with Google, we access the following data from your Google account:

  • Email address — Used as your account identifier
  • Display name — Used as your default profile name
  • Profile photo URL — Used as your account avatar
  • Google user ID — Used internally to link your Google account to your GuardLane account

We request the email and profile OAuth scopes only. We do not access your Google Drive, Contacts, Calendar, Gmail, or any other Google services.

4A.2 How Google User Data Is Used

Your Google user data is used exclusively for the following purposes:

  • Authentication: To verify your identity and securely sign you in to GuardLane
  • Account creation: To pre-populate your profile with your name and photo during registration
  • Account linking: To allow you to sign in using Google on subsequent visits
  • Communication: To send you transactional emails (audit results, security notifications) at the email address associated with your Google account

We do not use Google user data for:

  • Advertising or ad targeting
  • Selling or sharing with third parties for their independent use
  • Training AI or machine learning models
  • Building user profiles for purposes unrelated to the GuardLane service

4A.3 Google Data Sharing

Your Google user data is shared with the following service providers, solely for the purposes described:

ProviderData SharedPurpose
Firebase (Google)Email, name, auth tokensAuthentication and email verification
Resend (email service)Email addressSending transactional notifications
Railway (hosting)Encrypted in databaseHosting the application database

We do not share Google user data with AI model providers (Anthropic, OpenAI, etc.). Source code submitted for audits is handled separately from Google account data.

4A.4 Google Data Storage and Protection

Google user data is stored securely with the following protections:

  • Encryption at rest: All data is encrypted using AES-256 in our PostgreSQL database
  • Encryption in transit: All data transmission uses TLS 1.2+ (HTTPS)
  • Access controls: Database access is restricted to authenticated application services only
  • No plain-text passwords: Authentication is delegated to Firebase/Google — we never receive or store your Google password
  • Infrastructure: Hosted on Railway (Google Cloud infrastructure) with SOC 2 Type II compliant hosting

4A.5 Google Data Retention and Deletion

  • Active accounts: Google user data (email, name, photo URL) is retained for the duration of your active account
  • Account deletion: When you delete your GuardLane account, all Google user data is permanently deleted within 90 days
  • Immediate deletion: You can request immediate deletion of your data by contacting support@guardlane.io
  • Data export: You can export your account data at any time from Settings or by contacting support@guardlane.io
  • Revoking access: You can revoke GuardLane's access to your Google account at any time via Google Account Permissions. This will prevent future Google Sign-In but will not delete existing account data — use account deletion for that.

4A.6 Compliance

GuardLane's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Data Retention

5.1 Retention Periods

  • Active Accounts: Data retained for as long as your account is active
  • Closed Accounts: Data deleted within 90 days of account closure (unless legal retention applies)
  • Audit Reports: Retained for 3 years or as required by your subscription plan
  • Backups: Data in backups deleted within 90 days of account closure
  • Legal Holds: Data subject to legal proceedings retained until resolution

5.2 Data Minimization

  • We retain only the data necessary to provide the Service
  • Older audit reports may be archived or summarized
  • Logs and analytics data are retained for 12-24 months

5.3 Account Deletion

When you delete your account:

  • Personal data is deleted within 90 days
  • Audit reports and findings are permanently deleted
  • Anonymized analytics data may be retained
  • Financial records retained as required by law (typically 7 years)

You can request immediate data deletion by contacting support@guardlane.io.

6. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights:

6.1 Right to Access

  • Request a copy of your personal data
  • Receive data in a structured, machine-readable format (JSON, CSV)
  • Available via "Export Data" in account settings or by contacting support@guardlane.io

6.2 Right to Rectification

  • Correct inaccurate or incomplete personal data
  • Update information directly in account settings
  • Request corrections via support@guardlane.io

6.3 Right to Erasure ("Right to be Forgotten")

  • Request deletion of your personal data
  • Applies unless we have legal obligations to retain data
  • Submit requests via account deletion or support@guardlane.io

6.4 Right to Restrict Processing

  • Request temporary suspension of data processing
  • Applies during disputes or verification of accuracy
  • Contact support@guardlane.io to request restriction

6.5 Right to Data Portability

  • Receive your data in a portable format
  • Transfer data to another service provider
  • Export available via account settings or support@guardlane.io

6.6 Right to Object

  • Object to processing based on legitimate interests
  • Object to direct marketing (opt-out anytime)
  • Contact support@guardlane.io to exercise this right

6.7 Right to Withdraw Consent

  • Withdraw consent for processing based on consent
  • Does not affect lawfulness of prior processing
  • Manage consent via account settings or support@guardlane.io

6.8 Right to Lodge a Complaint

  • File a complaint with your local data protection authority
  • EU residents: Contact your national Data Protection Authority
  • UK residents: Information Commissioner's Office (ICO)

To exercise any of these rights, contact: Data Protection Officer (Mikhail Kuznetsov): support@guardlane.io Response time: Within 30 days of request

7. Data Security

7.1 Security Measures

We implement industry-standard security practices:

Technical Safeguards:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Secure password hashing (bcrypt)
  • Multi-factor authentication (2FA/TOTP)
  • Role-based access control (RBAC)
  • Regular security audits and penetration testing

Organizational Safeguards:

  • Employee background checks
  • Confidentiality agreements
  • Security training programs
  • Incident response procedures
  • Data minimization practices

Infrastructure Security:

  • Firewalls and intrusion detection
  • DDoS protection
  • Regular security patches
  • Isolated environments (dev, staging, production)
  • Automated vulnerability scanning

7.2 Data Breach Notification

In the event of a data breach affecting your personal data:

  • We will notify you within 72 hours of discovery (GDPR requirement)
  • Notification will include nature of breach, affected data, and mitigation steps
  • We will notify relevant data protection authorities as required
  • We maintain a breach response plan and incident log

7.3 Your Responsibilities

  • Use strong, unique passwords
  • Enable two-factor authentication
  • Keep account credentials confidential
  • Report suspicious activity immediately
  • Log out of shared devices

No system is 100% secure. While we implement robust security measures, we cannot guarantee absolute security. You use the Service at your own risk.

8. International Data Transfers

8.1 Data Storage Locations

Your data may be processed and stored in:

  • European Union, Armenia, United States, and China
  • Data centers: United States and China (for Zhipu AI processing only)

We transfer data to service providers in the United States and China. For transfers outside the EEA, we rely on Standard Contractual Clauses.

Specifically, source code and repository metadata submitted for security audits are processed by AI sub-processors located in the United States (Anthropic, OpenAI, Google) and China (Zhipu AI). See Section 4.2 for the full list of AI sub-processors.

8.2 Transfer Safeguards

For transfers outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms for transfers to the United States and China
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Data Processing Agreements: With all service providers handling EU data
  • Note on China: China does not have an EU adequacy decision. Transfers to Zhipu AI occur under Standard Contractual Clauses. EU customers should be aware their source code may be processed in China.

8.3 User Control

EU users may request that data be stored only in EU data centers (may affect Service availability or pricing).

9. Children's Privacy

GuardLane is not intended for users under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect data from children.

If we discover we have collected data from a child:

  • We will delete the data immediately
  • We will terminate the account
  • We will notify the child's parent/guardian if possible

If you believe a child has provided data to us, contact support@guardlane.io immediately.

10. Third-Party Links and Services

The Service may contain links to third-party websites, integrations, or services:

  • We are not responsible for third-party privacy practices
  • Third-party services have their own privacy policies
  • Review privacy policies before sharing data with third parties

Third-Party Integrations:

  • GitHub/GitLab/Bitbucket: Repository access (subject to their privacy policies)
  • Firebase: Authentication (Google Privacy Policy applies)
  • Paddle: Payment processing (Paddle Privacy Policy applies)

11. Cookie Policy

See our separate Cookie Policy for detailed information on:

  • Types of cookies we use (essential, analytics, marketing)
  • How to manage cookie preferences
  • Third-party cookies and tracking

In summary:

  • Essential Cookies: Required for authentication and security (cannot be disabled)
  • Analytics Cookies: Help us understand usage (can be disabled)
  • Marketing Cookies: Track marketing campaign effectiveness (can be disabled)

Manage cookies via your account settings or browser settings.

12. California Privacy Rights (CCPA)

California residents have additional rights:

12.1 Right to Know

  • Request disclosure of personal data collected in the past 12 months
  • Includes categories, sources, purposes, and third parties shared with

12.2 Right to Delete

  • Request deletion of personal data (subject to exceptions)

12.3 Right to Opt-Out of Sale

  • We do not sell personal data, so opt-out is not applicable

12.4 Right to Non-Discrimination

  • We will not discriminate for exercising CCPA rights
  • Same service quality regardless of privacy choices

To exercise CCPA rights:

  • Email: support@guardlane.io
  • Include: Name, email, description of request
  • Verification: We may request additional information to verify identity

12.5 "Shine the Light" Law

California residents may request information about data shared with third parties for direct marketing (once per year, free of charge).

13. Changes to This Privacy Policy

13.1 Modifications

We may update this Privacy Policy to reflect:

  • Changes in legal requirements
  • New features or services
  • Improved data practices
  • User feedback

13.2 Notification of Changes

  • Material Changes: Notified via email and in-app notification (30 days' notice)
  • Non-Material Changes: Posted on website with updated "Last Updated" date
  • Continued Use: Constitutes acceptance of changes
  • Objection: Stop using the Service if you disagree

13.3 Version History

Previous versions available upon request to support@guardlane.io.

14. Contact Us

14.1 Privacy Questions

For questions about this Privacy Policy or our data practices:

Data Protection Officer (Mikhail Kuznetsov): Email: support@guardlane.io Response Time: Within 7 business days

General Inquiries: Email: support@guardlane.io Support: Available through your account dashboard

14.2 Legal Notices

For legal notices or formal requests: SMK SOFTWARE LLC 38 Shengavit Street, Apartment 8, Shengavit District, 0050 Yerevan, Armenia

14.3 Data Protection Authority

EU/UK residents may also contact your local data protection authority:

15. Acknowledgment

By using GuardLane, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You consent to the collection, use, and sharing of data as described
  • You understand your rights and how to exercise them
  • You agree to receive essential service communications

Last Updated: March 7, 2026

Previous Versions: Available upon request to support@guardlane.io

Data Protection Officer: Mikhail Kuznetsov (contact: support@guardlane.io)

Data Protection Registration: Not applicable