selvo is operated by Cope Labs LLC ("we", "us"). This policy describes what data we collect and how we use it.
Account data: Organization name, email address, and API keys you create. We store API keys as SHA-256 hashes — the plaintext is shown once at creation and never stored.
Scan data: When you submit a scan, we receive your installed package names and versions. We use this data solely to perform the vulnerability analysis you requested. Scan results are stored per-organization for dashboard viewing and trend tracking.
Usage data: API request counts and timestamps for rate limiting. No IP addresses are stored beyond the in-memory rate limiter (cleared on restart).
Scan snapshots are retained for trend tracking (last 10 per ecosystem per org). You can request deletion of your org and all associated data by emailing seth@selvo.dev.
We use Stripe for payment processing. Stripe's privacy policy applies to payment data. We use Fly.io for hosting. Scan data is processed on Fly.io infrastructure in the US (IAD region).