Sayversayver.

// legal · privacy policy

Privacy Policy

Last updated: June 18, 2026

This Privacy Policy explains how Sayver (“Sayver,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use our website, dashboard, scanners, and monitoring services (the “Service”). It applies alongside our Terms of Service.

1. Who we are

Sayver provides security scanning and monitoring for applications, including those built with AI coding tools. For the purposes of data-protection law, Sayver is the controller of the personal information described in this policy. You can reach us at contact@sayver.co.

2. Information we collect

We collect the following categories of information:

Account information

When you sign up, our authentication provider collects your email address and name, and manages your login and (where enabled) your organization and team membership. We receive your user identifier and basic profile from that provider.

Scan inputs

  • URLs and domains you submit for scanning, and the responses, headers, metadata, and publicly observable content we retrieve from them;
  • Connected source code — if you connect a repository, we access repository metadata and read code (read-only) to perform static analysis. We process this to produce findings and do not use your private code to train third-party models.

Runtime telemetry (monitoring script)

If you install our monitoring script on your application, it sends us telemetry so we can detect errors and live threats. This may include:

  • A hashed, salted IP address — we do not store raw IP addresses from this telemetry;
  • Request metadata such as path, method, and status code;
  • JavaScript error messages and stack traces;
  • Markers that indicate AI prompt/response activity used for threat detection;
  • Device and browser signals (for example user agent, screen size, language, timezone) and automated-/bot-detection signals.

You are responsible for disclosing this monitoring to your own users where required and for having a lawful basis to deploy it on your application.

Billing information

If you subscribe to a paid plan, our payment processor collects and processes your payment details. Sayver does not receive or store full payment card numbers. We retain limited billing records such as plan, subscription status, and transaction history.

Support & communications

When you contact us (for example via our contact form or email), we receive your name, email, and message so we can respond.

Cookies & local storage

We use cookies and similar technologies that are necessary to operate the Service, such as keeping you signed in, and local storage for preferences such as your currently selected project. We do not use advertising cookies.

3. How we use information

  • Provide, operate, and maintain the Service, including running scans and monitoring;
  • Generate findings, scores, alerts, suggested fixes, and reports;
  • Detect and respond to live threats, abuse, and security incidents;
  • Process payments and manage subscriptions;
  • Respond to your support requests and communicate with you about the Service;
  • Improve and develop the Service, including through aggregated or de-identified analytics; and
  • Comply with legal obligations and enforce our Terms.

4. Legal bases (GDPR/UK GDPR)

Where the EU or UK GDPR applies, we rely on the following legal bases: performance of a contract (to provide the Service you request); legitimate interests (to secure, maintain, and improve the Service and prevent abuse, balanced against your rights); consent (where required, which you may withdraw); and legal obligation (to comply with applicable law).

5. Sharing & subprocessors

We do not sellyour personal information. We share it only with service providers (“subprocessors”) that help us run the Service, under contracts that require them to protect it, and with authorities where required by law or to protect rights and safety. Our key subprocessors are:

  • Clerk — authentication and user/organization management;
  • Supabase — database and backend hosting for your account and scan data;
  • Vercel — application hosting and delivery;
  • Anthropic — AI processing to generate explanations and suggested fixes; relevant finding context may be sent to generate this output;
  • Stripe — payment processing for subscriptions;
  • Resend — sending transactional and alert emails;
  • GitHub — read access to repositories you connect for code scanning;
  • Google Safe Browsing — checking URL reputation during scans.

We may also share information in connection with a merger, acquisition, or sale of assets, subject to this policy.

6. Data retention

We keep personal information for as long as your account is active and as needed to provide the Service, then retain it only as long as necessary for legitimate business or legal purposes. Scan results and findings are retained so you can track your security over time; runtime telemetry is retained for a limited operational window for threat detection and troubleshooting. When you delete your account, we delete or de-identify your personal information within a reasonable period, except where we must retain it to comply with law, resolve disputes, or enforce our agreements.

7. Security

We take reasonable technical and organizational measures to protect your information, including hashing IP addresses in telemetry, row-level access controls on stored data, a strict content-security policy, encryption in transit, and least-privilege access. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.

8. Your privacy rights

Depending on where you live, you may have some or all of the following rights. To exercise them, email contact@sayver.co; we may need to verify your identity and will respond as required by law.

California (CCPA/CPRA)

  • The right to know what personal information we collect, use, and disclose;
  • The right to request deletion or correction of your personal information;
  • The right to opt out of “sale” or “sharing” of personal information — we do not sell or share your personal information as those terms are defined; and
  • The right not to receive discriminatory treatment for exercising your rights.

EU/UK/EEA (GDPR)

  • The right to access, correct, or erase your personal information;
  • The right to restrict or object to certain processing;
  • The right to data portability;
  • The right to withdraw consent where processing is based on consent; and
  • The right to lodge a complaint with your local data-protection supervisory authority.

9. International transfers

We and our subprocessors may process information in the United States and other countries whose data-protection laws may differ from yours. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for international transfers of personal information.

10. Children

The Service is not intended for children under 18, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us and we will delete it.

11. Changes & contact

We may update this Privacy Policy from time to time. We will update the “Last updated” date above and, for material changes, provide additional notice where appropriate. Questions or requests? Email contact@sayver.co.