Stridely

Legal

Privacy Policy

This policy explains how Stridely handles personal data when you use our STRIDE security scanning service. We are based in Denmark and designed this policy with the GDPR and Danish privacy expectations in mind.

Last updated: 5 May 2026

1. Who we are

Stridely is a Denmark-based service for STRIDE threat modeling and security monitoring of GitHub repositories. For privacy questions or requests, contact us at support@stridely.dev.

For GDPR purposes, Stridely is generally the data controller for the account, billing, repository connection, scan result, and support data described in this policy.

2. Data we collect

We collect and process the following categories of data:

  • Account data: email address, name or username when provided by GitHub or email sign-in, account identifiers, session data, and authentication provider details.
  • GitHub data: GitHub App installation identifiers, approved installation permissions, repository owner, repository name, default branch, visibility, webhook status, commit references, and related repository metadata.
  • Scan data: repository file paths, selected source snippets, generated STRIDE threat models, findings, severity, recommendations, scan status, scan progress, and scan errors.
  • Billing data: Stripe customer identifiers, checkout session identifiers, subscription identifiers, plan status, billing period dates, scan usage, payment status, and transaction metadata.
  • Support data: messages you send us, feature requests, bug reports, and related contact details.
  • Technical data: logs, timestamps, IP-derived request metadata, device/browser information, cookies required for authentication, and theme preferences stored in the browser.

3. Repository content and AI analysis

When you connect a repository, Stridely reads only repositories you choose and only with the GitHub permissions you approve. During a scan, repository content is fetched to create the analysis prompt and threat model.

We do not intentionally store full repository source code as a product feature. We do store generated scan results, which may include file paths, limited code evidence snippets, model reasoning, recommendations, and metadata needed to show your findings.

4. Why we use data and legal bases

We process personal data for these purposes and legal bases:

  • Providing the service: to authenticate you, connect repositories, run scans, show results, manage subscriptions, and support account deletion. Legal basis: performance of a contract.
  • Billing and bookkeeping: to process subscriptions, prevent duplicate billing updates, and keep required financial records. Legal basis: contract and legal obligations.
  • Security and abuse prevention: to protect accounts, queues, webhooks, payments, and infrastructure. Legal basis: legitimate interests.
  • Optional repository monitoring: to install and use GitHub webhooks when you enable push-triggered scans. Legal basis: contract and, where required, your consent.
  • Support and product feedback: to respond to support requests and improve the service. Legal basis: contract and legitimate interests.

5. Processors and third-party services

Stridely uses trusted third-party services to operate the product. These may include GitHub for authentication and repository access, Stripe for payments, OpenAI or another configured AI model provider for scan analysis, hosting and infrastructure providers, email providers, and support or feedback tools.

These providers may process data outside Denmark or the EEA. When data is transferred internationally, we rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, or other transfer mechanisms allowed by GDPR.

6. Cookies and local storage

We use cookies and browser storage that are necessary for sign-in, sessions, security, and user preferences such as theme selection. We do not currently describe analytics or advertising cookies as part of the core service. Third-party providers such as GitHub or Stripe may use their own cookies when you interact with their services.

7. Retention

We keep personal data only for as long as needed for the purposes described above. Account, repository, scan, and subscription usage data are kept while your account is active unless deleted earlier. Billing records may be retained longer where required by Danish bookkeeping, tax, or legal obligations.

If you delete your account, we delete or anonymize account-linked data unless retention is required for legal, security, dispute, or financial record reasons.

8. Your rights

If GDPR applies to you, you may have the right to request access, correction, deletion, restriction, portability, or objection to certain processing. Where processing is based on consent, you may withdraw that consent at any time.

You can contact us at support@stridely.dev. You also have the right to lodge a complaint with the Danish Data Protection Agency, Datatilsynet, or your local supervisory authority.

9. Security

We use technical and organizational measures intended to protect your data, including scoped GitHub App permissions, database-backed sessions, access controls, and operational monitoring. No online service can guarantee absolute security.

10. Changes to this policy

We may update this Privacy Policy as the product, law, or operational practices change. The updated version will be posted here with a new effective date. Material changes may be communicated in-product or by email where appropriate.

Our Terms of Service explain the rules for using Stridely.