Privacy Policy

Last updated: March 2026

What We Collect

When you install Proxilion, we collect the following data:

  • Your GitHub/GitLab username and organization name
  • Repository names connected to Proxilion
  • Pull request metadata (PR number, commit SHA, author, title)
  • Scan findings (vulnerability type, severity, file path, line number, description)
  • Usage data (scan counts, timestamps)

What We Do NOT Collect

  • We do not store your source code. Code diffs are read in memory during scanning and discarded as soon as the scan completes (when AI-powered review is enabled, the diff is also transmitted for analysis; see AI Processing below).
  • We do not store code snippets. Evidence attached to a finding is masked before it is stored (e.g., a detected API key is truncated).
  • We do not access branches, issues, comments, or any repository data beyond PR diffs and the PR metadata listed above.
  • We do not sell your data. We do not share it with any third party other than the service providers listed under Third-Party Services, each of which receives only the data it needs to perform its function.
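To make the masking and in-memory handling concrete, here is an added example (not Proxilion's own scanner code) of how a diff can be scanned for secrets and turned into findings whose evidence is masked before anything is persisted or forwarded. The secret patterns, the sample diff, and the prefix/suffix lengths are assumptions constructed for illustration.

```python
"""Scan added diff lines for secrets; emit findings with masked evidence only.

Added example, not Proxilion's code. The detector patterns, the sample diff
and the masking widths below are constructed for illustration.
"""
import json
import re

# Assumed patterns for two common credential shapes (not Proxilion's rules).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Unified-diff hunk header; group 1 is the first line number in the new file.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def mask_secret(value: str, keep_prefix: int = 4, keep_suffix: int = 4) -> str:
    """Keep a short prefix and suffix so the finding is recognisable.

    Anything short enough that prefix + suffix would reveal most of the value
    is fully masked. The marker is fixed width, so the masked form does not
    leak the secret's length.
    """
    if len(value) <= keep_prefix + keep_suffix + 4:
        return "****"
    return f"{value[:keep_prefix]}...{value[-keep_suffix:]}"


def find_secrets(path: str, lineno: int, code: str) -> list[dict]:
    """Return findings for one added line; evidence is masked at creation time."""
    out = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(code):
            out.append({
                "type": "hardcoded_secret",
                "severity": "high",
                "file": path,
                "line": lineno,
                "description": f"possible {name} committed in source",
                "evidence": mask_secret(match.group(0)),
            })
    return out


def scan_diff(diff_text: str) -> list[dict]:
    """Walk a unified diff in memory; only added ('+') lines are inspected.

    The raw diff text is never copied into a finding, so nothing returned
    from here contains the original secret.
    """
    findings: list[dict] = []
    path = "?"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: not in the new file, no line number to report
        if raw.startswith("+"):
            findings.extend(find_secrets(path, new_line, raw[1:]))
        new_line += 1  # context and added lines both advance the new-file counter
    return findings


def serialized(findings: list[dict]) -> str:
    """What would be written to the database or a Slack/email payload."""
    return json.dumps(findings, sort_keys=True)


# Constructed sample diff; the AWS key is the documented example key, the
# GitHub token is a made-up 36-character suffix.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@ DEBUG = False
 DATABASE = "postgres"
-AWS_KEY = None
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['severity']} {f['file']}:{f['line']} {f['description']} [{f['evidence']}]")
```

The point of masking at creation time rather than at display time is that every downstream consumer (database, Slack webhook, email digest) receives the same already-masked record, so there is no code path where the raw secret can leak.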

AI Processing

When AI-powered reviews are enabled, PR diffs are sent to the Anthropic API (Claude) for analysis; when they are disabled, no diff content is sent to Anthropic. Anthropic does not use API inputs for model training. The diff content is processed for that request and the response is returned to Proxilion, which does not persist the diff. Anthropic's handling and retention of API inputs are governed by its own terms; see Anthropic's Privacy Policy under Third-Party Services.

Third-Party Services

Proxilion uses the following third-party services to operate:

  • Stripe — payment processing. Receives your email address and payment information. We do not store credit card numbers. See Stripe’s Privacy Policy.
  • Anthropic — AI-powered code review. Receives PR diff content for analysis. Anthropic does not train on API data. See Anthropic’s Privacy Policy.
  • Railway — infrastructure (compute and hosting). All services are deployed on Railway’s managed platform. See Railway’s Privacy Policy.
  • Slack — notification delivery. When configured, scan finding summaries are sent to your Slack workspace via incoming webhook. Only finding metadata (severity, type, file path) is transmitted — no source code. See Slack’s Privacy Policy.
  • Resend — email delivery. Weekly summary emails and scan digest notifications are sent via Resend. Resend receives your email address and the email content (finding summaries, no source code). See Resend’s Privacy Policy.

Data Storage

Scan findings and account data are stored in a managed database on Railway’s infrastructure. Railway is SOC 2 Type II certified. All data is encrypted at rest and in transit.

Data Retention

Scan findings are retained for the duration of your subscription. Upon cancellation, findings are archived 90 days after the cancellation date and permanently deleted 180 days after it. You may request immediate deletion at any time by contacting us.

Your Rights

You have the right to:

  • Access the data we hold about your organization
  • Request correction of inaccurate data
  • Request deletion of your data at any time
  • Export your scan findings and audit logs

To exercise any of these rights, contact us via our contact form.

International Users

Proxilion processes data on Railway’s US-based infrastructure. We do not currently offer region-specific data residency. If you require data to remain within a specific jurisdiction, please contact us before signing up.

Cookies

We use a session cookie for authentication (next-auth). The live demo uses a separate signed session cookie that expires after one hour. We do not use tracking cookies, analytics pixels, or any third-party tracking.
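As an added example (not Proxilion's or next-auth's code), the following shows the mechanism the demo cookie relies on: the cookie body is signed with an HMAC and carries its own expiry inside the signed data, so a tampered body or an expired cookie fails verification. The signing key, subject and lifetime are constructed for illustration.

```python
"""Signed, expiring session cookie for a short-lived demo login.

Added example, not Proxilion's or next-auth's code. The key and subject are
constructed; a real deployment loads the key from a secret store.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

DEMO_COOKIE_TTL_SECONDS = 3600  # one hour, as in the policy text
DEMO_SIGNING_KEY = b"constructed-example-key-do-not-reuse"  # assumption


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def issue_cookie(subject: str, key: bytes = DEMO_SIGNING_KEY,
                 now: Optional[float] = None,
                 ttl: int = DEMO_COOKIE_TTL_SECONDS) -> str:
    """Return '<base64 payload>.<base64 hmac>'; expiry is inside the signed payload."""
    issued = int(time.time() if now is None else now)
    payload = {"sub": subject, "iat": issued, "exp": issued + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body, key)}"


def verify_cookie(cookie: str, key: bytes = DEMO_SIGNING_KEY,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the cookie is unexpired.

    The signature is checked before the body is parsed, so unsigned input is
    never fed to the JSON decoder; the comparison is constant-time.
    """
    try:
        body, sig = cookie.split(".", 1)
        if not hmac.compare_digest(_sign(body, key), sig):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or current >= exp:
        return None
    return payload


def tamper_subject(cookie: str, new_subject: str) -> str:
    """Rewrite the subject but keep the old signature (what an attacker might try)."""
    body, sig = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["sub"] = new_subject
    forged = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{forged}.{sig}"


if __name__ == "__main__":
    c = issue_cookie("demo-user")
    print("fresh:", verify_cookie(c))
    print("tampered:", verify_cookie(tamper_subject(c, "admin")))
    print("expired:", verify_cookie(c, now=time.time() + DEMO_COOKIE_TTL_SECONDS))
```

Because the expiry is part of the signed payload, a client cannot extend the one-hour lifetime by editing the cookie; changing any byte of the payload invalidates the signature.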

Contact

Privacy questions? Contact us via our contact form.