Privacy Policy
Last updated: May 2026
Summary: We collect only what we need to run the service. We never sell your data. Findings and tokens are encrypted at rest. You can delete your account and all associated data at any time.
This Privacy Policy describes how CredWatch ("we", "us", or "our") collects, uses, and protects information when you use our credential-monitoring service (the "Service").
1. Information We Collect
Account information
- Email address (used as your login username and for alert notifications)
- Company or organisation name
- Password (stored as a bcrypt hash — we cannot read it)
Configuration data
- GitHub Personal Access Token (stored encrypted with Fernet, i.e. AES-128-CBC with an HMAC-SHA256 authentication tag; the 256-bit Fernet key is split into a 128-bit signing key and a 128-bit encryption key)
- GitHub organisation and user handles you choose to monitor
- Domain names you choose to monitor
- Slack webhook URLs (stored in plaintext; anyone who holds a webhook URL can post to your channel, so treat it as a secret)
- Detection patterns you create
Scan results
- File paths, repository names, and commit SHAs where potential credentials were found
- A masked/truncated version of the matched text (e.g. sk-1234****abcd); we never store the full credential value
- Scan metadata: timestamps, status, finding counts
Usage and security logs
- Login events (timestamp, IP address, success/failure)
- Security-relevant actions (password changes, token additions, scan triggers)
- Logs are retained for up to 365 days for security and compliance purposes
2. How We Use Your Information
- To provide, operate, and improve the Service
- To send scan results, finding alerts, and account notifications to your registered email(s)
- To enforce usage limits and plan entitlements
- To investigate security incidents and respond to support requests
- To comply with legal obligations
We do not use your data for advertising, sell it to third parties, or share it with analytics providers.
3. How We Protect Your Data
- Encryption in transit: All communication uses TLS 1.2+.
- Encryption at rest: GitHub tokens are encrypted with Fernet (AES-128-CBC plus HMAC-SHA256 authentication under a 256-bit key that is split into a signing half and an encryption half). Passwords are hashed with bcrypt (cost factor 12).
- Credential masking: Matched credential values are never stored in full — only a masked representation is retained.
- Access controls: Each customer's data is isolated; no customer can access another's findings, tokens, or configuration.
- Audit logging: All security-relevant actions are logged with timestamps and IP addresses.
- MFA: Time-based one-time password (TOTP) 2FA is available and strongly recommended.
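One way to implement the credential-masking rule above, as an added example rather than CredWatch's own code. It assumes the policy's stated output shape (a kept prefix and suffix around a fixed "****", as in sk-1234****abcd); the function names, the 7-character prefix / 4-character suffix split, the minimum number of hidden characters and the sample tokens are all assumptions, and the sample tokens are constructed. The example also covers the edge case the rule implies but does not spell out: a short match must not leak all of its characters through the kept prefix and suffix.

```python
"""Masking of matched credential text before it is stored.

Added example, not CredWatch's code. Only the masked form and the location
metadata are ever placed in the persisted record; the raw match is dropped.
"""

# Assumed defaults: prefix/suffix widths chosen to match the policy's
# "sk-1234****abcd" illustration, and at least MIN_HIDDEN characters must be
# concealed before a prefix+suffix mask is allowed at all.
KEEP_PREFIX = 7
KEEP_SUFFIX = 4
MIN_HIDDEN = 8


def mask_secret(value: str) -> str:
    """Return a masked representation that never contains the whole secret.

    Long values keep KEEP_PREFIX leading and KEEP_SUFFIX trailing characters
    around a fixed-width '****' (fixed width so the mask does not disclose the
    exact length). Values too short to hide MIN_HIDDEN characters keep only a
    2-character prefix, which is enough to recognise the token family.
    """
    value = value.strip()
    if len(value) - KEEP_PREFIX - KEEP_SUFFIX >= MIN_HIDDEN:
        return f"{value[:KEEP_PREFIX]}****{value[-KEEP_SUFFIX:]}"
    if len(value) <= 2:
        # Degenerate match: a prefix would reveal everything, so hide it all.
        return "****"
    return f"{value[:2]}****"


def is_safe_mask(original: str, masked: str) -> bool:
    """Storage-time check: the mask must not contain the original and must
    disclose strictly fewer characters than the original has."""
    disclosed = len(masked.replace("****", ""))
    return original not in masked and disclosed < len(original)


def redact_finding(repo: str, path: str, commit_sha: str, matched: str) -> dict:
    """Build the record that would be persisted for one finding: location
    metadata plus the mask. Raises if the mask would leak the match."""
    masked = mask_secret(matched)
    if not is_safe_mask(matched, masked):
        raise ValueError("refusing to store a mask that reveals the match")
    return {
        "repo": repo,
        "path": path,
        "commit_sha": commit_sha,
        "masked_match": masked,
    }


if __name__ == "__main__":
    # Constructed sample tokens (not real credentials).
    openai_like = "sk-1234" + "0123456789abcdefghijklmnopqrstuvwxyzABCD" + "abcd"
    short_match = "ghp_short12345"
    print(redact_finding("acme/api", "config/.env", "0" * 40, openai_like))
    print(mask_secret(short_match))
```

The `is_safe_mask` check is the part worth keeping even if the masking format changes: it is a cheap invariant that the stored representation can never equal or contain the value it stands for.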
4. Data Retention
We retain your data for as long as your account is active. Free accounts that are inactive for 90 days receive a warning email; accounts inactive for 180 days may be archived and data deleted. Paid accounts are exempt while an active subscription exists.
Security and audit logs are retained for 365 days in accordance with our compliance obligations (SOC 2 / ISO 27001).
5. Your Rights
You have the right to:
- Access — request a copy of the data we hold about you
- Correction — update inaccurate information via the portal Settings page
- Deletion — delete your account and all associated data by contacting [email protected]
- Portability — request an export of your findings in JSON or CSV format
- Objection — object to specific processing of your data
To exercise these rights, email [email protected]. We will respond within 30 days.
6. GitHub API Usage
When you provide a GitHub Personal Access Token, we use it solely to enumerate and scan repositories and users you have configured. We do not cache repository contents beyond what is needed to check patterns; we do not store raw file contents. All GitHub API calls are made on your behalf using your token.
7. Cookies and Session Storage
We use a single session cookie (cw_session) to maintain your login state.
This cookie is HTTP-only, SameSite=Lax, and signed with a server-side secret.
We do not use tracking cookies, advertising cookies, or any third-party analytics.
8. Third-Party Services
The Service uses the following third-party services:
- GitHub API — to scan repositories you authorise (GitHub's own privacy policy applies to data transmitted via their API)
- crt.sh / URLScan.io — for subdomain enumeration during web scrape scans (no account data is sent; only domain names you configure)
- SMTP provider — to send alert and notification emails
We do not integrate with advertising platforms, social media trackers, or data brokers.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For privacy-related questions or data requests, contact us at [email protected].
For security concerns, contact [email protected].
© 2026 CredWatch. All rights reserved.