Privacy Policy
Last updated: March 2026
1. Introduction
ShipSafe ("we," "us," or "our") operates the ship-safe.co website and related services. ShipSafe is a SaaS security scanner designed for applications built with AI-assisted coding tools such as Cursor, Lovable, Bolt, and v0. You paste a GitHub repository URL, and ShipSafe scans your code to generate a plain-English security report.
This Privacy Policy explains what data we collect, how we use it, and the choices you have. By using ShipSafe, you agree to the practices described in this policy.
2. Information We Collect
Account Information
When you sign up via GitHub OAuth (powered by Clerk), we receive your name, email address, and GitHub profile information. We do not collect or store your GitHub password.
Repository Data
When you initiate a scan, we access the source code of the specified GitHub repository through the GitHub API. Source code is processed during the scan and is not stored permanently. Only the resulting security report and metadata (e.g., repository name, scan timestamp, findings) are retained.
Usage Data
We collect standard usage information such as pages visited, scan frequency, feature usage, browser type, and device information to improve the service.
Payment Information
Payments are processed by Polar. We do not store your credit card number, CVC, or full card details on our servers. Our payment processor provides us with limited information such as the last four digits of your card, card brand, and billing address for record-keeping purposes.
3. How We Use Your Information
- Provide and operate the service — running security scans, generating reports, and managing your account.
- Improve the service — analyzing usage patterns to enhance scan accuracy, performance, and user experience.
- Send notifications — transactional emails (scan results, billing receipts) and occasional product updates. You can opt out of non-essential communications at any time.
- Enforce terms and prevent abuse — detecting and preventing misuse of the platform.
4. Data Retention
Source code is accessed only during the active scan and is not permanently stored. Code snippets may be temporarily held in memory during AI analysis, but are discarded once the scan report is generated.
Specific retention periods for other data categories:
- Account data — retained while your account is active, deleted within 30 days of account deletion.
- Scan reports and findings — retained while your account is active.
- Usage events — retained for 12 months.
- CLI tokens — automatically purged when expired (daily cleanup).
- Error monitoring data (Sentry) — 30 days (per Sentry's retention policy).
5. Third-Party Services
We use the following third-party services to operate ShipSafe. Each has its own privacy policy governing how it handles data:
| Service | Purpose |
|---|---|
| Clerk | Authentication and user management (GitHub OAuth) |
| Convex | Database — stores scan reports, account data, and application state |
| Polar | Checkout, subscription management, and payment processing |
| Resend | Transactional email delivery |
| Vercel | Hosting and content delivery |
| GitHub API | Repository access for code scanning |
| Anthropic | AI-powered code analysis — code snippets are sent for security analysis during scans |
Code snippets sent to Anthropic are used solely for generating your security report. We use API configurations designed to prevent your code from being used for model training, consistent with our agreement with Anthropic. See Anthropic's usage policy for details.
Sub-Processors
The following table details our sub-processors, the data they process, and their locations:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, profile | United States |
| Convex | Database | Account data, scan results | United States |
| Polar | Billing & subscriptions | Payment info, billing, subscription data | United States |
| Resend | Transactional email | Email addresses, notification content | United States |
| Vercel | Hosting | Application data, access logs | United States |
| Anthropic | AI code analysis | Code snippets (not stored) | United States |
| GitHub | Repository access | Repository contents | United States |
| Sentry | Error monitoring & session replay | Error logs, performance data, IP addresses, session replays on errors | United States |
Session Replay
When an error occurs while using ShipSafe, Sentry may capture a session replay — a reconstruction of user interactions (clicks, navigation, page content) leading up to the error. Session replays are used solely for debugging and are automatically deleted after 30 days. Sensitive form inputs (passwords, payment details) are masked and never recorded. Session replays are only captured when an error occurs and are not used for analytics, marketing, or user profiling.
6. Data Security
We take reasonable measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest.
- Access controls limiting who can view or modify production data.
- Regular review of third-party service configurations and permissions.
- Minimal data collection — we only collect what is necessary to provide the service.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Rights
You have the right to:
- Access your personal data and scan history.
- Delete your account and associated data.
- Export your scan reports and account information.
- Opt out of non-essential communications.
To exercise any of these rights, contact us at support@ship-safe.co.
9. Children's Privacy
ShipSafe is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
10. International Users & GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply to you.
Legal Bases for Processing (GDPR Article 6)
We process your personal data under the following Article 6(1) legal bases:
- Art. 6(1)(b) — Contract performance — processing necessary to provide the ShipSafe service you have signed up for, including running security scans, generating reports, managing your account, and processing payments.
- Art. 6(1)(f) — Legitimate interest — improving the service, ensuring security, preventing abuse, and sending transactional communications. Our legitimate interests do not override your fundamental rights and freedoms.
- Art. 6(1)(a) — Consent — error monitoring via Sentry (including session replays), which you can withdraw at any time through cookie settings without affecting the lawfulness of prior processing.
- Art. 6(1)(c) — Legal obligation — processing required to comply with applicable laws, such as tax and accounting requirements for paid subscriptions.
International Data Transfers
Your data is processed in the United States. For users in the EEA, UK, or Switzerland, transfers rely on Standard Contractual Clauses (SCCs) executed with our sub-processors to ensure an adequate level of data protection.
Your Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access — obtain confirmation and a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we limit the processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format and transmit it to another controller.
- Objection — object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@ship-safe.co. We will respond within 30 days.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed in violation of applicable data protection law.
Automated Decision-Making
ShipSafe's AI-powered scanning involves automated analysis of source code to identify potential security vulnerabilities. This analysis produces informational reports only. No decisions with legal effects or similarly significant effects are made solely by automated means.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
- Identifiers — name, email address, GitHub username.
- Commercial information — subscription plan, billing history.
- Internet or electronic network activity — usage data, pages visited, scan history.
- Professional or employment-related information — GitHub profile data, repository information.
Your California Privacy Rights
- Right to know — request disclosure of the personal information we collect, use, and share about you.
- Right to delete — request deletion of your personal information.
- Right to correct — request correction of inaccurate personal information.
- Right to opt-out — opt out of the sale or sharing of your personal information.
We do not sell or share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.
Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a request, contact us at support@ship-safe.co.
12. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities in accordance with applicable law.
For users in the EEA, UK, or Switzerland, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, as required by GDPR Article 33.
Breach notifications will include:
- The nature of the personal data breach.
- The likely consequences of the breach.
- The measures taken or proposed to address and mitigate the breach.
13. Israeli Privacy Protection Law
ShipSafe is operated by a founder based in Israel. Accordingly, the Israeli Protection of Privacy Law, 5741-1981 and the Privacy Protection Regulations (Data Security), 5777-2017 may apply to our processing of personal data.
Your Rights Under Israeli Law
If Israeli privacy law applies to you, you have the following rights regarding your personal data:
- Right of access — you may request to review personal data held about you in our databases.
- Right to correction — you may request that we correct or delete inaccurate data.
- Right to object — you may object to the use of your personal data for direct marketing purposes and request its removal from marketing databases.
- Right to deletion — you may request that we delete your personal data, subject to applicable legal retention requirements.
Data Security
We maintain technical and organizational security measures in compliance with the Privacy Protection Regulations (Data Security), 5777-2017, including access controls, encryption, and incident response procedures appropriate to the classification level of the data we process.
Cross-Border Data Transfers
Personal data may be transferred and processed outside of Israel, primarily in the United States. Such transfers are conducted in accordance with the Israeli Protection of Privacy Law, and we ensure that adequate safeguards are in place to protect your data in the receiving jurisdiction.
To exercise any of these rights, contact us at support@ship-safe.co. We will respond within 30 days.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, through in-app notifications or email.
15. Contact
ShipSafe is operated by Tomer Goldstein, a sole proprietor doing business as ShipSafe. The data controller for the purposes of GDPR and applicable data protection law is Tomer Goldstein.
Data Controller & Legal Contact
Tomer Goldstein d/b/a ShipSafe
Reut 12B, Hod HaSharon 4529614, Israel
Email: support@ship-safe.co