DeepThreat

Privacy Policy

Last updated: February 19, 2026


Overview

Gilchrist Research ("DeepThreat," "we," "us," "our") operates the DeepThreat platform, including the website at deepthreat.ai, CLI tools, GitHub App, and related services. This Privacy Policy explains what data we collect, why we collect it, and how we handle it.

We're a security company. We take data protection seriously, not as a compliance checkbox, but because protecting information is literally what we do. Our default is to collect as little as possible and delete it as soon as practical.

What We Collect

Account Information

When you sign up, we collect:

  • Email address for account creation, authentication, and notifications
  • Name (optional) for display purposes
  • GitHub OAuth data if you connect via GitHub (username, profile URL, organization memberships)
  • Payment information processed by Stripe; we never see or store your full card number

Scan Data

When you run a security scan, we process:

  • Repository URLs and metadata (name, branch, commit hash)
  • Source code temporarily cloned into isolated environments for analysis
  • Scan results including findings, severity ratings, and AI-generated analysis
  • Configuration files (.deepthreat.yml) for scan customization

Usage Data

  • API requests (endpoints called, timestamps, response codes)
  • CLI telemetry (command used, scan duration, scanner versions) — opt-out available
  • Browser analytics (pages visited, referrer, device type) via privacy-friendly analytics

How We Use Your Data

  • Run security scans: Contract performance
  • Generate findings and reports: Contract performance
  • Improve detection accuracy: Legitimate interest
  • Send scan notifications: Contract performance
  • Product updates and changelog: Consent
  • Prevent abuse and fraud: Legitimate interest
  • Billing and invoicing: Contract performance

We do not sell your data. We do not use your source code to train AI models. Period.

Source Code Handling

This is the section you actually care about. Here's exactly what happens to your code:

1. Clone

Your repository is cloned into an isolated, ephemeral container. Each scan gets its own sandboxed environment with no network access to other customer workloads.

2. Scan

Static analysis tools (Slither, Semgrep, Aderyn) and our AI Reasoner process the code. All processing happens within the isolated container.

3. Extract

Only findings (file paths, line numbers, vulnerability descriptions, severity) are extracted from the container. Relevant code snippets (typically 5-15 lines per finding) are included for context.

4. Delete

The container and all source code are destroyed immediately after scan completion. No full source code is retained. Typical lifecycle: under 10 minutes.

AI Model Training: Your source code is never used to train, fine-tune, or improve any AI or machine learning model. Scan findings (with code snippets removed) may be used in aggregate to improve detection rules, but only in anonymized, non-attributable form.

Data Storage & Retention

  • Source code: Deleted after scan
  • Scan findings: Duration of account + 30 days
  • Account data: Duration of account + 30 days
  • API logs: 90 days
  • CLI telemetry: 90 days, anonymized
  • Payment records: 7 years (legal requirement)
  • Browser analytics: 24 months, anonymized

All data is stored encrypted at rest (AES-256) and in transit (TLS 1.3). Infrastructure runs on isolated compute with no shared tenancy.

Data Sharing

We share data with the following categories of third parties, and only to the extent necessary:

  • Stripe for payment processing
  • Cloud infrastructure providers (GCP) for hosting and compute
  • Email delivery for transactional notifications

We do not share, sell, or provide access to your scan data, source code, or findings to any third party. If we receive a law enforcement request, we will notify you unless legally prohibited from doing so.

Cookies & Analytics

We use minimal cookies:

  • Session cookie (strictly necessary) for authentication
  • Preferences cookie (functional) for theme and display settings
  • Analytics via privacy-friendly provider (no cross-site tracking, no ad networks, no fingerprinting)

We do not use Google Analytics, Meta Pixel, or any advertising trackers. No data is shared with ad networks.

Your Rights

Depending on your jurisdiction, you have the right to:

  • Access: Request a copy of all data we hold about you
  • Correction: Fix inaccurate personal data
  • Deletion: Request deletion of your data and account
  • Portability: Export your data in a machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Restriction: Request limited processing while disputes are resolved

To exercise any of these rights, email privacy@deepthreat.ai. We respond within 30 days.

International Transfers

DeepThreat is operated by Gilchrist Research from the United States. If you are accessing our services from the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, your data may be transferred to and processed in the United States.

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data outside the EEA. For UK transfers, we use the International Data Transfer Addendum to the SCCs.

Children's Privacy

DeepThreat is not intended for use by anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact privacy@deepthreat.ai and we will delete it.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users and posted on this page with an updated "Last updated" date. Your continued use of DeepThreat after changes constitutes acceptance of the revised policy.

Contact

Questions about this policy or how we handle your data?

Email: privacy@deepthreat.ai

Mailing Address:
Gilchrist Research
Austin, TX
United States

© 2026 Gilchrist Research. All rights reserved.