Privacy Policy

Last updated: 16 June 2026

1. Data Controller

GreenSecOps ("we", "us", "our") is the data controller responsible for personal data processed through the GreenSecOps service, available at greensecops.io and its subdomains. For the purposes of the General Data Protection Regulation (GDPR) and applicable French data-protection law, our registered address is in France.

If you have any questions regarding this Privacy Policy or our data-processing practices, please contact us at privacy@greensecops.io.

2. What Data We Collect

We collect the minimum data necessary to provide our service. Depending on how you interact with GreenSecOps, we may process the following categories of personal data:

Account and identity data

  • Your GitHub username, display name, and public profile URL, obtained via GitHub OAuth authentication.
  • Your GitHub-verified primary email address, used for transactional emails and account identification.
  • A GitHub OAuth access token, which we store encrypted and use solely to read workflow files and repository metadata on your behalf via the GitHub Apps API.

Repository and workflow data

  • Repository names, owner names, and branch names for repositories where you have installed the GreenSecOps GitHub App.
  • The content of workflow files located at .github/workflows/*.yml within those repositories, fetched at the time of a push or pull-request event. Workflow file content is processed transiently in memory and is not stored as raw text; only the analysis result and a content hash are persisted.
  • Git commit SHAs and push timestamps, used to associate analyses with specific code states.

Usage and analytics data

  • Interaction logs: pages visited within the application, features used, and timestamps of actions.
  • IP addresses and browser user-agent strings, collected in server access logs for security, abuse prevention, and debugging.
  • Error and performance telemetry (stack traces, response times), which may include contextual metadata such as the URL or API endpoint that produced the error.

Billing data

  • Subscription tier and renewal dates.
  • Payment transactions are processed exclusively by Stripe, Inc. We receive from Stripe a tokenised representation (Stripe customer ID and last four digits of card) sufficient to display billing status, but we never have access to your raw card number, CVV, or full card details.

3. How We Use Your Data

We use the data we collect only for the following purposes, each with a lawful basis under Article 6 GDPR:

  • Service delivery (contract performance, Article 6(1)(b)): authenticating you, fetching workflow files, running analyses, generating grades and fix suggestions, and displaying results in the dashboard.
  • Billing (contract performance, Article 6(1)(b)): managing your subscription, processing payments via Stripe, and sending invoices and renewal notifications.
  • Security and abuse prevention (legitimate interests, Article 6(1)(f)): detecting and preventing fraudulent, abusive, or unauthorised use of the service.
  • Service improvement (legitimate interests, Article 6(1)(f)): aggregated, de-identified analysis of usage patterns to improve the accuracy of our grading engine and the quality of AI-generated fix suggestions.
  • Legal compliance (legal obligation, Article 6(1)(c)): retaining transaction records as required by French commercial and tax law.

We do not sell your personal data to third parties. We do not use your data for behavioural advertising.

4. Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law:

  • Account data (GitHub identity, email, encrypted OAuth token): retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Analysis records (grades, issue lists, metadata): retained for the lifetime of your account and deleted within 30 days of account deletion.
  • Server access logs: retained for a maximum of 90 days, then automatically purged.
  • Database backups: retained for a maximum of 30 days on a rolling basis; backups older than 30 days are deleted automatically.
  • Billing records (transaction IDs, amounts, dates): retained for 10 years as required by French accounting law (Code de commerce, Article L.123-22).

5. Third-Party Service Providers

We share personal data with the following categories of processor only to the extent necessary to operate the service:

  • GitHub, Inc. — We interact with the GitHub API to read workflow file content and repository metadata. GitHub's Privacy Policy governs the data held on their platform: docs.github.com/en/site-policy/privacy-policies.
  • Stripe, Inc. — Payment processing. Stripe is PCI-DSS Level 1 certified. Data processed by Stripe is governed by Stripe's Privacy Policy: stripe.com/privacy.
  • Cloud infrastructure provider — Our servers and databases are hosted with a European cloud provider. Server locations are within the European Economic Area (EEA). Data processing agreements (DPAs) are in place with all infrastructure providers.
  • Error monitoring — We use an error-monitoring service (such as Sentry) to capture application exceptions. Error payloads may include request metadata but are configured to exclude workflow file content.

All sub-processors are bound by contractual commitments to process data only on our instructions and to implement appropriate technical and organisational security measures. We do not transfer personal data to countries outside the EEA without appropriate safeguards (such as Standard Contractual Clauses).

6. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights with respect to your personal data:

  • Right of access (Article 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): You may request that we correct inaccurate or incomplete personal data.
  • Right to erasure (Article 17): You may request deletion of your personal data where there is no overriding legitimate interest or legal obligation for us to retain it. Deleting your account triggers erasure of your account data and analysis records within 30 days; billing records that we are legally required to keep (see Section 4) are retained for the statutory period.
  • Right to data portability (Article 20): You may request your analysis history and account data in a structured, machine-readable format (JSON).
  • Right to object (Article 21): You may object to processing based on legitimate interests, including processing for direct marketing or service-improvement purposes.
  • Right to restriction (Article 18): You may request that we restrict processing while a request to rectify or erase is pending.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@greensecops.io. We will respond within 30 days. You also have the right to lodge a complaint with the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), at cnil.fr.

7. Cookies and Similar Technologies

We use a minimal, strictly necessary set of cookies:

  • Session cookie: A single encrypted session cookie is set upon authentication. It is required for the service to function and expires when you close your browser or after a configurable idle timeout. This cookie does not track you across third-party sites.
  • CSRF token cookie: A short-lived token cookie used to protect against cross-site request forgery attacks. It is not used for analytics or identification.

We do not use advertising cookies, third-party tracking pixels, or analytics platforms (such as Google Analytics) that set persistent tracking cookies. You do not need to accept a cookie banner to use the service because we do not use non-essential cookies.

8. Security Measures

We implement the following technical and organisational measures to protect personal data:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AES-256 at the storage layer.
  • GitHub OAuth tokens are stored encrypted in our database with keys managed separately from the data they protect.
  • Access to production systems is restricted to authorised personnel via multi-factor authentication and audit-logged SSH or VPN access only.
  • We maintain a vulnerability disclosure programme and perform periodic security reviews of the codebase.
  • Database backups are encrypted and stored in a separate access-controlled environment.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware of it, as required by Article 33 GDPR, and will inform affected individuals without undue delay where the breach is likely to result in a high risk, as required by Article 34 GDPR.

9. Contact

For privacy-related enquiries, requests to exercise your rights, or to report a security concern related to personal data, please contact:

GreenSecOps — Data Privacy
Email: privacy@greensecops.io

We aim to acknowledge all requests within 5 business days and respond substantively within 30 calendar days.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email (using the address associated with your account) and update the "Last updated" date at the top of this page. Your continued use of the service after any changes take effect constitutes acceptance of the revised policy.