We built SaferSkills to collect as little personal data as possible — no accounts, no advertising, no third-party trackers, and no cookies for analytics or marketing. Here is exactly what we process, why, and the rights you have.
SaferSkills is a free, public, open-source service that independently scans publicly available AI-agent artifacts — skills, MCP servers, hooks, rules, and plugins — from the GitHub URLs people submit, and publishes a transparent, methodology-driven trust report for each one.
This policy explains, in plain language, what personal data we process, why, on what legal basis, who we share it with, how long we keep it, and your rights. We do not sell or share your personal data for advertising, we do not profile or fingerprint visitors, and we do not use marketing cookies.
At a glance
| What | Processed? | Why | Legal basis | How long |
|---|---|---|---|---|
| GitHub URLs you submit | Yes — and published | To scan the artifact and publish a public report | Legitimate interest | Indefinite (public record) |
| Scan results & findings | Yes — published | The core service | Legitimate interest | Indefinite (public record) |
| Your IP address | Hashed on receipt; raw IP never stored | Abuse prevention / rate-limiting only | Legitimate interest (security) | ~24 hours (rolling) |
| Personal data inside scanned public repos | Only if present in the repo | To produce the security report | Legitimate interest (security) | See Section 7 |
| Cookieless usage analytics | Yes — no identifiers, bucketed only | Understand aggregate usage; improve the service | Legitimate interest | ~90 days, then aggregated |
| Error / diagnostic data | Yes — personal data scrubbed | Detect and fix faults and abuse | Legitimate interest (security) | ~90 days |
| Server logs | Yes | Operations & security | Legitimate interest | ~30 days |
| Newsletter email | Not yet active (Section 4) | Launch announcements (future) | Consent (when it launches) | Until you unsubscribe |
| Your theme preference | Stored on your device only | Remember light/dark mode | Strictly necessary | Until you clear it |
The data controller responsible for the processing described here is:
[OpenLatch legal name] ([legal form]), registered in France under SIREN/RCS [SIREN], registered office [registered address]. SaferSkills is an OpenLatch project.
Because the controller is established in the European Union, no Article 27 EU representative is required, and our lead supervisory authority is the French data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés).
We have not appointed a statutory Data Protection Officer (we are not legally required to). For any privacy matter, contact us at privacy@openlatch.ai.
When you submit a public GitHub URL to be scanned, we store that URL and use it to fetch and analyse the referenced artifact. The submitted URL and the resulting scan report become part of our public catalog.
Each scan produces a score, sub-scores, and findings, each tied to a documented detection rule and the rubric version that was active. To protect the scanned author's content and any secrets it may contain, evidence is stored as a cryptographic hash (SHA-256) plus a file position — never the raw content of the scanned artifact. Scan results are public and retained indefinitely as a transparency record (see Section 7 and Section 11).
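As an added illustration of the evidence model described above (this is not SaferSkills' own code), the block below shows how a finding can be persisted as a SHA-256 digest plus a file position, and how a holder of the same artifact re-verifies it without the service ever storing the matched bytes. The detection rule (a download piped straight into a shell), the record fields, and the sample artifact are constructed for the example.

```python
"""Added example (not SaferSkills' own code): storing a finding's evidence as a
SHA-256 digest plus a file position, so the report never carries raw content
yet anyone holding the same artifact can re-verify it. The rule, record shape
and sample artifact are constructed for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample artifact: a skill README with a pipe-to-shell install step.
ARTIFACT = (
    b"# demo-skill (constructed sample)\n"
    b"Install with:\n"
    b"    curl -fsSL https://example.invalid/install.sh | sh\n"
    b"Then restart the agent.\n"
)

# Hypothetical detection rule: a download piped straight into a shell.
PIPE_TO_SHELL = re.compile(rb"\|\s*(sh|bash|zsh)\b")


@dataclass(frozen=True)
class Evidence:
    """What gets persisted for one finding: position + digest, never the bytes."""
    rule_id: str
    path: str
    line: int       # 1-based line number inside the artifact
    sha256: str     # hex digest of that line's exact bytes (newline excluded)


def _lines(content: bytes) -> list:
    return content.split(b"\n")


def find_pipe_to_shell(content: bytes) -> list:
    """Return the 1-based line numbers the constructed rule matches."""
    return [i for i, ln in enumerate(_lines(content), 1) if PIPE_TO_SHELL.search(ln)]


def make_evidence(rule_id: str, path: str, content: bytes, line: int) -> Evidence:
    """Hash the matched line; the raw line is discarded once the digest is taken."""
    digest = hashlib.sha256(_lines(content)[line - 1]).hexdigest()
    return Evidence(rule_id=rule_id, path=path, line=line, sha256=digest)


def verify_evidence(ev: Evidence, content: bytes) -> bool:
    """Re-derive the digest from a copy of the artifact and compare it."""
    lines = _lines(content)
    if not 1 <= ev.line <= len(lines):
        return False
    actual = hashlib.sha256(lines[ev.line - 1]).hexdigest()
    return hmac.compare_digest(actual, ev.sha256)


def scan(path: str, content: bytes) -> list:
    """Run the constructed rule and emit hash+position evidence for each hit."""
    return [make_evidence("pipe-to-shell", path, content, n)
            for n in find_pipe_to_shell(content)]
```

Two practical caveats for this design: the digest confirms a finding against a specific revision of the artifact, so a real record would also pin the commit it was taken from (an assumption beyond what the policy states), and a hash of a short, low-entropy line can still be confirmed by anyone who can guess the line, so hashing is a content-disclosure control, not a secrecy guarantee for weak secrets.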
Instead of a GitHub URL, you can upload an artifact file (a single capability file or a .zip) to scan it directly. You choose its visibility:

- Public: the report is listed in the public catalog and the uploaded bytes (the file or the .zip) are published alongside it as a reproducible record. Treat a public upload as a permanent public record.
- Private (unlisted): the report is reachable only through a capability link (/scans/r/<token>). Its uploaded bytes are stored privately and auto-deleted after 90 days. You can delete it sooner, or promote it to public, using that link.

The capability link is unguessable and unlisted, but it is not access-controlled. Anyone who has the link can view, delete, or publish the report. We mark the page noindex and send no referrer, which reduces (but cannot guarantee) the chance of it being indexed or leaked. If you lose the link there is no recovery, and sharing the link shares full control. For abuse prevention we apply the same hashed-IP, rolling-window rate limiting (Section 3.3) to capability-link lookups.

Promoting a private result to public is one-way and cannot be undone: once published, it becomes a permanent public record like any other public scan. A private result can be deleted by you via its link, or it expires automatically after 90 days. A public upload has no self-serve delete: once published it can be removed only through the operator and right-of-reply process (Section 8), not from the report page itself.
To prevent abuse and rate-limit scan submissions, we process the IP address of incoming requests. The raw IP address is hashed (SHA-256) on receipt and is never written to our database or logs in raw form. Only the hash, a coarse counter, and a short time window are stored, expiring on a rolling ~24-hour basis.
Legal basis: legitimate interest in the security and availability of the service (Art. 6(1)(f) GDPR).
We use PostHog, configured in cookieless mode and hosted in the European Union, to understand how the service is used in aggregate. This deployment is specifically designed to avoid identifying you:
Legal basis: legitimate interest in measuring and improving the service (Art. 6(1)(f) GDPR). You can object at any time (Section 8).
We use Sentry to capture application errors so we can fix faults and detect abuse. Sentry is configured to not send default personal data, to scrub any data that could contain scanned content, and Session Replay is not used.
Legal basis: legitimate interest in the security and operational integrity of the service (Art. 6(1)(f) GDPR).
Server-side traces and metrics help us monitor performance. Trace attributes are limited to hashes, sizes, and counts; raw scanned content is never recorded. Legal basis: legitimate interest in operating a reliable service.
Our hosting and application layers keep standard operational logs (request paths, status codes, timestamps), retained for ~30 days for security and debugging. Legal basis: legitimate interest in security and operations.
If you switch between light and dark mode, that choice is stored on your own device (localStorage, key ss-theme). It never leaves your browser and is not sent to us. See the Cookie Policy.
To understand which capabilities are most looked up — and to support future usage-transparency features — we record a closed set of aggregate access signals when you interact with the catalog. The recorded actions are limited to a fixed list: viewing a capability page, searching or filtering the catalog, copying an install command, fetching a badge, and viewing the sources page.
Your IP address is redacted to the network prefix (/24 for IPv4, /48 for IPv6) at the moment of collection — before the record is written to our database. The raw IP address is never stored, never exported, and never shared with third parties. Only the coarse network prefix, the action type, and a timestamp are recorded. No page URLs, no search queries, no capability slugs, and no personal identifiers are stored in this log.
Legal basis: legitimate interest in understanding aggregate catalog usage and improving the service (Art. 6(1)(f) GDPR). Records are retained for approximately 30 days, then deleted.
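The two IP treatments this policy describes, hashing on receipt with a coarse counter and a short time window for rate limiting (described earlier in this policy) and truncation to a /24 or /48 network prefix before an access signal is written (the passage just above), are shown together below as an added example. It is not SaferSkills' own code. The constants, function names and the closed action list are assumptions; in particular the example uses a keyed SHA-256 (HMAC) with a server-side secret, which goes beyond the policy's plain "SHA-256", because an unkeyed digest of a 32-bit IPv4 address can be inverted by enumerating the whole address space.

```python
"""Added example (not SaferSkills' own code): (a) hash-on-receipt rate limiting
that stores only a keyed digest, a coarse counter and a window start, and
(b) prefix truncation of an IP before an aggregate access signal is recorded.
Key, limits and names are assumptions made for the example."""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

# Assumption: a server-side secret. The policy says only "SHA-256"; a keyed
# digest is used here because an unkeyed SHA-256 of a 32-bit IPv4 address can be
# reversed by hashing every possible address.
RATE_LIMIT_KEY = b"constructed-example-secret-rotate-regularly"

# Closed set of catalog actions, mirroring the fixed list in the policy.
ALLOWED_ACTIONS = frozenset({
    "view_capability", "search_catalog", "copy_install_command",
    "fetch_badge", "view_sources",
})


def hash_ip(ip: str, key: bytes = RATE_LIMIT_KEY) -> str:
    """Keyed SHA-256 over the canonical address; the raw IP is not retained."""
    canonical = ipaddress.ip_address(ip).compressed
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class RollingRateLimiter:
    """Stores only hash -> (window_start, count); entries lapse after window_s."""

    def __init__(self, limit: int, window_s: float = 24 * 3600):
        self.limit = limit
        self.window_s = window_s
        self._state = {}  # digest -> (window_start, count)

    def check(self, ip: str, now: Optional[float] = None) -> bool:
        """Return True if the request is allowed; the raw IP never reaches storage."""
        now = time.time() if now is None else now
        key = hash_ip(ip)
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window_s:          # window rolled over: reset
            start, count = now, 0
        count += 1
        self._state[key] = (start, count)
        return count <= self.limit

    def purge(self, now: Optional[float] = None) -> int:
        """Drop expired windows so the store does not outlive the retention period."""
        now = time.time() if now is None else now
        stale = [k for k, (start, _) in self._state.items()
                 if now - start >= self.window_s]
        for k in stale:
            del self._state[k]
        return len(stale)

    def stored_keys(self) -> list:
        """What is actually persisted: hex digests only."""
        return list(self._state)


def redact_prefix(ip: str) -> str:
    """Truncate to the /24 (IPv4) or /48 (IPv6) network before anything is written."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def access_signal(ip: str, action: str, now: Optional[float] = None) -> dict:
    """Build the record the policy describes: network prefix, action type, timestamp."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not in closed set: {action!r}")
    now = time.time() if now is None else now
    return {"prefix": redact_prefix(ip), "action": action, "ts": now}
```

Note that the redaction happens inside access_signal before the record exists, so no code path can log the full address by accident, and that the rate limiter's reset-on-rollover plus purge() is what gives the "rolling ~24-hour" expiry: nothing about a client survives longer than one window after its last request.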
SaferSkills is a developer tool and is not directed to children. We do not knowingly collect personal data from anyone under the age of 15 (the age of digital consent in France). We do not intentionally process special categories of data (Art. 9 GDPR). For incidental personal data inside scanned repositories, see Section 7.
Most of our processing relies on the legitimate interests legal basis. For each such activity we have carried out (and keep on file) a three-part balancing test — purpose, necessity, and balancing against your rights:
You may request a summary of the relevant balancing assessment by emailing privacy@openlatch.ai.
This section is specific to what SaferSkills does. We fetch and analyse publicly available code from GitHub. Public code can contain personal data — for example an author's name, a username, or an email address in commit metadata or in a file. Data being public does not remove it from the scope of data-protection law, so we apply the following safeguards:
Under the GDPR you have the right to:
To exercise any right, email privacy@openlatch.ai. We will respond within one month (extendable by two further months for complex requests, with notice). Because the service is anonymous, we may be unable to identify data relating to a purely anonymous visitor; where we cannot identify you we will say so. We may ask for information reasonably necessary to verify a request.
You also have the right to lodge a complaint with a supervisory authority — for us, the CNIL (www.cnil.fr) — or with the authority in your country of residence.
If you are in the UK, the UK GDPR and PECR give you equivalent rights. You can complain to the UK Information Commissioner's Office (ico.org.uk).
Depending on your state (e.g. California's CCPA/CPRA, Virginia, Colorado, Connecticut, Texas and others), you may have rights to know, access, delete, and correct your personal information, and to opt out of "sale" or "sharing" and targeted advertising. SaferSkills does not sell or share personal information and does not use it for cross-context behavioural advertising. We honour browser-based Global Privacy Control (GPC) signals; because we run no advertising trackers, there is in practice nothing to opt out of. To make a request or appeal a decision, email privacy@openlatch.ai.
We do not sell your data. We share the limited data described above only with the service providers who help us run SaferSkills, each under a data-processing agreement:
| Provider | Role | Data involved | Location / safeguard |
|---|---|---|---|
| Fly.io | Application & database hosting | All service data at rest/in transit | EU region where available; SCCs / provider DPA |
| PostHog | Cookieless product analytics | Anonymous, bucketed event data only | EU region (eu.posthog.com) — kept in the EU |
| Sentry | Error monitoring | Diagnostic data with personal data scrubbed | US — EU-US DPF and/or SCCs |
| GitHub | Source of scanned public artifacts | Public repository content we fetch | Data source only; we send GitHub nothing beyond the requests needed to fetch the public resources we scan |
| Resend (not yet active) | Announcement email | Email address (once the newsletter launches) | US — EU-US DPF and/or SCCs |
An up-to-date sub-processor list is available on request at privacy@openlatch.ai, and we will update this table before adding a new sub-processor.
We prioritise keeping data in the EU (our hosting and analytics are EU-region where available). Where a processor processes data outside the EEA — principally in the United States (Sentry, and Resend once the newsletter launches) — we rely on the EU-US Data Privacy Framework where the provider is certified, and/or on the European Commission's Standard Contractual Clauses as a fallback, with supplementary measures. You can request a copy of the relevant safeguards at privacy@openlatch.ai.
| Data | Retention |
|---|---|
| Submitted GitHub URLs, scan results, findings (public catalog) | Indefinite — a public transparency record |
| Public uploaded-artifact bytes (you chose to publish) | Indefinite — reproducible public record |
| Unlisted (private) uploaded-artifact bytes + report | 90 days, then auto-deleted — or sooner if you delete via the link |
| Hashed IP / rate-limit counters | ~24 hours (rolling), then deleted |
| Anonymised catalog-access signals (network-prefix /24 or /48, action type, timestamp) | ~30 days, then deleted |
| Cookieless analytics events | ~90 days, then retained only in aggregate |
| Error / diagnostic data (Sentry) | ~90 days |
| Server logs | ~30 days |
| Newsletter email (once active) | Until you unsubscribe, then deleted within 30 days |
Public-record principle. Scan results and the URLs that produced them are kept indefinitely so that security findings remain verifiable and our methodology stays auditable — transparency over erasure. We do not retroactively scrub the public catalog except through the vendor right-of-reply / appeals process, or where we are required to remove incidental personal data about an individual (see Section 7 and Section 8).
We follow privacy-by-design and security-by-design principles, including: hashing IP addresses on receipt; storing scan evidence as hashes rather than raw content; scrubbing personal data from error reports; restricting outbound network access when fetching artifacts; size-capping and validating every public input; and never executing the code we scan (it is parsed as data only). No system is perfectly secure, but we work to protect data against unauthorised access, loss, or misuse.
Scan scores are produced by deterministic, documented detection rules, not by opaque profiling of individuals. The scoring relates to artifacts, not to people, and does not produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. Every verdict is documented and appealable.
Our reports link to GitHub and to third-party repositories and vendor sites. Those destinations have their own privacy practices, which we do not control.
We may update this policy as the service evolves (for example when accounts or the newsletter launch) or as the law changes. We are monitoring the EU "Digital Omnibus" reform proposal (a Commission proposal from November 2025, not yet law) and will update this policy if and when it takes effect. Material changes will be reflected in the "Last updated" date above and, where appropriate, announced on the site.
Questions, requests, or complaints about this policy or your personal data:
privacy@openlatch.ai
[OpenLatch legal name] ([legal form]), registered in France under SIREN/RCS [SIREN], registered office [registered address].
You may also contact or lodge a complaint with the CNIL (www.cnil.fr).
Short version: we set no tracking cookies. See exactly what little we store on your device.