Privacy Policy — DepAudit
Last updated: 23 March 2026
Data Controller: CeciArt Consulting Ltd
1. Introduction
DepAudit ("we", "us", or "our") operates the dependency auditing service at depaudit.dev ("Service"). This Privacy Policy explains how we collect, use, and protect your information.
2. Information We Collect
2.1 Code and Dependency Files
When you use the scanner, dependency files (package.json, requirements.txt, etc.) and related code are sent for analysis. Code is processed in real time and not retained beyond processing on the free tier. On paid tiers, scan results (not raw code) may be stored for your history. We never use your code to train AI models.
2.2 Account Information
Email address and profile information. Lawful basis: Performance of contract (Article 6(1)(b) UK GDPR).
2.3 Payment Information
Processed by Stripe. We do not store card details. Lawful basis: Performance of contract.
2.4 Usage Data
Anonymised usage data for service improvement. Lawful basis: Legitimate interests (Article 6(1)(f) UK GDPR).
3. Third-Party Processors
| Processor | Purpose | Data Shared |
|---|---|---|
| Anthropic/OpenAI | AI analysis | Dependency data (transient) |
| Vercel | Hosting | Usage data, IP addresses |
| Supabase | Database | Account data, scan metadata |
| Stripe | Payments | Billing information |
| Microsoft Clarity | Session replay, heatmaps, usage analytics | Anonymised session recordings, scroll/click behaviour |
4. Data Retention
- Submitted code: Not retained beyond processing
- Scan results (free): Browser localStorage only
- Scan results (paid): Duration of subscription + 90 days
- Account data: Until deletion + 30 days
- Server logs: Up to 30 days
5. International Transfers
Data may be processed in the US/EU. Appropriate safeguards (SCCs/adequacy decisions) are in place.
6. Your Rights (UK GDPR)
You have the right to: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Contact privacy@ceciart.io. We respond within one month. Complaints may be lodged with the ICO (ico.org.uk).
7. Your Rights (CCPA/CPRA)
California residents: right to know, delete, and opt out. We do not sell personal information. Contact privacy@ceciart.io.
8. Children's Privacy
Not directed to under-16s. We do not knowingly collect data from children.
9. Cookies
Essential cookies for session management. Analytics cookies with consent where required.
10. Security
Industry-standard encryption (TLS), access controls, and regular reviews.
11. Changes
Material changes notified with 30 days' notice via this page.
12. Contact
privacy@ceciart.io — CeciArt Consulting Ltd