Legal Document
Privacy Policy
Section 1
Introduction and Scope
Frogeye, Inc. ("Frogeye," "we," "us," or "our") operates the AI-powered security code scanning platform available at frogeye.ai and mcp.frogeye.ai (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use the Service.
This Privacy Policy applies to:
- Visitors who browse frogeye.ai without creating an account
- Registered users on any subscription tier — Tadpole (Free), Frog ($15/mo), or Apex ($29/mo)
- Anonymous users who invoke Frogeye through an AI assistant's MCP integration without an account
- API users accessing the Service programmatically via API key
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please discontinue use of the Service.
This Privacy Policy is incorporated by reference into our Terms of Service.
Section 2
Data Controller Identity
For the purposes of the General Data Protection Regulation (GDPR) and applicable data protection laws, the data controller is:
Frogeye, Inc.
Legal address: 1209 Orange Street, Wilmington, Delaware 19801, United States
Email: privacy@frogeye.ai
Website: frogeye.ai
Frogeye does not currently meet the thresholds requiring a mandatory Data Protection Officer (DPO) under GDPR Article 37. We have designated privacy@frogeye.ai as the point of contact for all privacy-related inquiries, data subject requests, and regulatory correspondence.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, Frogeye acts as the data controller for account data and as a data processor for any vulnerability pattern data processed on your behalf.
Section 3
What Data We Collect
We collect only the minimum data necessary to provide the Service. The categories below describe what we collect, from whom, and why.
3.1 Identity and Account Data
When you authenticate via GitHub or Google OAuth, we receive and store the following data elements:
| Data Element | Source | Example |
|---|---|---|
| Full name | GitHub / Google OAuth | Jane Smith |
| Email address | GitHub / Google OAuth | jane@example.com |
| Profile avatar URL | GitHub / Google OAuth | avatars.githubusercontent.com/… |
| GitHub username | GitHub OAuth | janesmith |
| Public repository list | GitHub OAuth (public scope only) | Names of public repos; no private repo data |
| Google sub (OpenID Connect ID) | Google OAuth | Pseudonymous numeric identifier |
| Account tier | Frogeye internal | free / frog / apex |
| Account creation timestamp | Frogeye internal | 2026-05-01T12:00:00Z |
We do not store passwords. Authentication is handled exclusively through OAuth 2.0. We do not request access to private repositories. The OAuth scopes requested are the minimum necessary to identify you and display your profile.
3.2 Usage and Telemetry Data
We collect operational telemetry to maintain service health, enforce quotas, and improve detection quality:
| Data Element | Purpose | Notes |
|---|---|---|
| Scan timestamps | Rate limiting, quota enforcement | Stored as UTC timestamps |
| Daily query count | Tier quota management | Aggregate count per user per day |
| IP address | Security monitoring, fraud detection | Stored ephemerally in Redis; expires within 24 hours |
| MCP tool invocation names | Feature usage analytics | Which tools called (e.g., frogeye_search); no code content |
| Browser/client user-agent | Compatibility, security | Logged in server access logs; not linked to account |
| API key prefix | Key management, display | First 16 characters only; full key is hashed with SHA-256 |
3.3 Vulnerability Pattern Data
This is the core data Frogeye processes to provide security scanning. We are explicit about the distinction between what is and is not transmitted:
What is NOT transmitted: Your raw source code files, file paths, repository names, commit history, author information, or any personally identifying information from within your codebase.
Embedding vectors are dense numerical representations of code semantics. They enable similarity search without exposing the underlying code text. For Apex tier users, vector generation occurs locally within your MCP client environment.
Anonymized pattern snippets submitted to frogeye_learn are reviewed for quality and retained indefinitely as non-personal training data. These snippets are stripped of file paths and contextual identifiers before storage.
3.4 Billing Data
Payment processing is handled exclusively by Stripe, Inc. (PCI DSS Level 1 certified). Frogeye stores only:
- Stripe Customer ID — a pseudonymous reference token (e.g., cus_XXXXXXXXXXXXXXXXXX)
- Subscription status — active, canceled, past_due
- Plan identifier — frog or apex
- Billing period — current period start and end dates
We do not store raw credit card numbers, CVV codes, bank account details, or any other payment instrument data. All payment data is governed by Stripe's Privacy Policy.
3.5 Communications Data
If you contact us via email or submit a support request, we collect:
- Your name and email address
- The content of your message
- Any attachments you choose to include
- Metadata such as timestamps and message threading identifiers
This data is used solely to respond to your inquiry and, where relevant, to improve the Service. Communications data is retained for three (3) years from the date of last interaction.
3.6 What We Retain From Scans
frogeye_scan or frogeye_search, your raw code is processed in memory and discarded after each request — it is never written to persistent storage.
We do not store the raw code you submit when using frogeye_scan or frogeye_search. We store only:
- Anonymized vulnerability patterns — only if you explicitly submit them via frogeye_learn. These are stripped of file paths, variable names, and all identifying context before storage, and become part of the shared vulnerability knowledge graph.
- Scan metadata — for users who have enabled badge or verify functionality: repository owner/name, scan timestamp, and aggregate findings count (e.g., "3 high severity findings"). This metadata does not contain code content.
Raw code snippets submitted to frogeye_scan or frogeye_search are processed in memory and discarded after each request. They are never written to persistent storage, never logged in identifiable form, and never used to train AI or machine learning models.
Paid local SDK users (Apex tier): Code never leaves your machine. No code data — not even embedding vectors of your code — is transmitted to Frogeye servers. Your local MCP client performs all analysis within your environment.
Section 4
How We Collect Data
We collect data through the following mechanisms:
- OAuth authentication flows. When you sign in with GitHub or Google, those providers return profile data to us per the scopes you authorize. You may review and revoke these authorizations at any time in your GitHub or Google account settings.
- MCP protocol invocations. When your AI assistant calls a Frogeye MCP tool (e.g., frogeye_search, frogeye_learn), we receive the tool parameters as specified. These parameters contain embedding vectors or anonymized snippets — not raw code, per our architectural design.
- Session cookies. We use two session-related cookies: a signed session token (next-auth.session-token) and a CSRF protection token (csrf-token). A third cookie stores your cookie consent preference. We do not use third-party advertising cookies or cross-site tracking pixels.
- Server logs. Standard web server logs capture IP address, request path, HTTP status code, response size, and timestamp. These logs are retained for 90 days for security and debugging purposes.
- Direct communications. Data you provide when you email privacy@frogeye.ai or support@frogeye.ai.
Section 5
Why We Collect Data — Lawful Basis
For users in the EEA, UK, and Switzerland, GDPR requires that we identify a lawful basis for each processing activity. The table below maps each data category to its processing purpose, GDPR lawful basis, and CCPA category.
| Data Category | Processing Purpose | GDPR Lawful Basis | CCPA Category |
|---|---|---|---|
| Identity & account data (name, email, GitHub username) | Create and manage user accounts; authenticate users; display profile | Performance of a contract (Art. 6(1)(b)) | Identifiers |
| Usage telemetry (scan counts, timestamps) | Enforce tier quotas; detect abuse; capacity planning | Legitimate interests (Art. 6(1)(f)) — quota integrity and service security | Internet/network activity |
| IP addresses | Security monitoring; rate limiting; fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting users and service integrity | Internet/network activity |
| Vulnerability pattern embeddings | Power AI security detection; improve pattern knowledge graph | Performance of a contract (Art. 6(1)(b)); Legitimate interests for quality improvement (Art. 6(1)(f)) | Non-personal (anonymized technical data) |
| Billing data (Stripe Customer ID, subscription status) | Process payments; manage subscriptions; tax compliance | Performance of a contract (Art. 6(1)(b)); Legal obligation for tax records (Art. 6(1)(c)) | Commercial information |
| Communications data (support emails) | Respond to inquiries; resolve disputes | Legitimate interests (Art. 6(1)(f)) — maintaining customer relationships | Identifiers; Customer records |
| Cookies (session, CSRF) | Authentication state; security | Performance of a contract (Art. 6(1)(b)); strictly necessary | Internet/network activity |
| Server logs | Security monitoring; debugging; audit trail | Legitimate interests (Art. 6(1)(f)) — operational security | Internet/network activity |
We do not process special category data (GDPR Article 9) and do not use automated decision-making or profiling in a manner that produces legal or similarly significant effects on data subjects.
Section 6
How Long We Keep Your Data
We retain data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.
| Data Category | Retention Period | Notes |
|---|---|---|
| Session tokens | 30 days | Auto-expires; revoked immediately on sign-out |
| Account data (name, email, avatar, tier) | Duration of active account + 90 days post-deletion | 90-day grace period allows account recovery; then permanently deleted |
| IP addresses | ≤ 24 hours | Stored in ephemeral Redis; automatic expiry; not written to persistent storage |
| Scan logs & telemetry | 90 days rolling | Older records are automatically purged; no archive copies |
| Billing records | 7 years from transaction date | Required by US federal tax law (26 U.S.C. § 6501) and applicable state laws |
| Vulnerability patterns & embeddings | Indefinite | Anonymized non-personal technical data; no deletion obligation under GDPR |
| Support communications | 3 years from last interaction | Necessary for dispute resolution and service improvement |
| Server access logs | 90 days | Rotated automatically; used for security monitoring only |
Upon verified account deletion request, we will delete or anonymize your personal data within 30 days, subject to legal retention obligations (e.g., billing records) and technical constraints (e.g., backup rotation cycles of up to 7 days).
Section 7
Who We Share Data With — Subprocessors
We do not sell, rent, or trade your personal data. We share data only with the subprocessors listed below, solely to the extent necessary to provide the Service.
| Subprocessor | Purpose | Data Shared | Location | Privacy Reference |
|---|---|---|---|---|
| Neon, Inc. | PostgreSQL database hosting (users, API keys, patterns) | Account data, scan metadata, embedding vectors | United States (us-east-1) | neon.tech/privacy |
| Upstash, Inc. | Redis — rate limiting and ephemeral session state | IP addresses (≤24h), rate-limit counters only; no personal profile data | United States | upstash.com/privacy |
| Google Cloud Platform | Cloud Run (MCP server compute), Secret Manager, Artifact Registry | Processed requests, encrypted secrets (not in plaintext) | United States (us-central1) | cloud.google.com/privacy |
| Vercel, Inc. | Frontend hosting and edge CDN (frogeye.ai) | Web request data (IP, headers); no persistent personal data | Global edge network | vercel.com/legal/privacy-policy |
| Stripe, Inc. | Payment processing and subscription management | Billing contact info, payment method (handled entirely by Stripe) | United States | stripe.com/privacy |
| GitHub, Inc. | OAuth authentication provider | OAuth token exchange; we receive name, email, avatar, public repos | United States | GitHub Privacy Statement |
| Google LLC | OAuth authentication provider (OpenID Connect) | OAuth token exchange; we receive name, email, Google sub ID | United States | policies.google.com/privacy |
We may also disclose personal data to:
- Law enforcement or regulators when legally required by valid court order, subpoena, or applicable law
- Successors in interest in the event of a merger, acquisition, or asset sale — in which case we will provide advance notice and the acquiring entity will be bound by this Privacy Policy
- Legal counsel to the extent necessary for litigation, regulatory compliance, or obtaining legal advice
Section 8
International Data Transfers
Frogeye is based in the United States and our primary infrastructure operates in US data centers. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
We rely on the following transfer mechanisms to ensure adequate protection:
- Standard Contractual Clauses (SCCs). For transfers from the EEA, we use the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor, June 2021 version) as the legal basis for data transfers to our subprocessors.
- UK International Data Transfer Agreement (IDTA). For transfers from the United Kingdom, we rely on the UK IDTA (or the UK Addendum to the EU SCCs) as approved by the UK Information Commissioner's Office.
- Swiss Federal Act on Data Protection (nFADP). For transfers from Switzerland, we rely on SCCs adapted for Swiss law requirements, as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
You may request a copy of the applicable transfer mechanisms by contacting us at privacy@frogeye.ai.
Section 9
Your Rights
9.1 GDPR Rights (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR and equivalent national laws:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of your personal data we hold and information about how we process it | Email privacy@frogeye.ai |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Update in account settings or email us |
| Erasure (Art. 17) | Request deletion of your personal data where there is no overriding legal basis for continued processing | Email privacy@frogeye.ai |
| Restriction (Art. 18) | Request that we restrict processing of your data while a dispute is pending | Email privacy@frogeye.ai |
| Portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format | Email privacy@frogeye.ai |
| Object (Art. 21) | Object to processing based on legitimate interests; we will cease unless we demonstrate compelling legitimate grounds | Email privacy@frogeye.ai |
| Withdraw consent (Art. 7(3)) | Where processing relies on consent, withdraw it at any time without affecting prior lawfulness | Contact us; note we do not rely on consent as primary lawful basis |
| Lodge a complaint (Art. 77) | File a complaint with your local supervisory authority if you believe we have violated your rights | Contact your national data protection authority (e.g., DPA, ICO, FDPIC) |
We will respond to verified data subject requests within 30 days. Complex requests may require up to 90 days with notice. Requests from third parties without adequate proof of authorization may be declined.
9.2 California Privacy Rights (CCPA / CPRA)
California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
| Right | Description |
|---|---|
| Right to Know | Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and third parties with whom we share it |
| Right to Delete | Request deletion of personal information we have collected, subject to legal exceptions |
| Right to Correct | Request correction of inaccurate personal information |
| Right to Opt-Out of Sale / Sharing | We do not sell or share personal information for cross-context behavioral advertising. No opt-out required. |
| Right to Limit Sensitive PI Use | We do not use sensitive personal information beyond what is necessary to provide the Service |
| Right to Non-Discrimination | We will not discriminate against you for exercising your CCPA rights |
To exercise your CCPA rights, contact us at privacy@frogeye.ai with "CCPA Request" in the subject line. We will verify your identity before fulfilling any request. We will respond within 45 days (extendable to 90 days with notice).
CCPA Personal Information Categories We Collect
| CCPA Category | Examples We Collect | Collected? |
|---|---|---|
| Identifiers | Name, email address, GitHub username, IP address | Yes |
| Customer records | Account tier, subscription status | Yes |
| Commercial information | Stripe Customer ID, billing period, plan type | Yes |
| Internet / network activity | MCP tool invocations, scan timestamps, server logs | Yes |
| Professional / employment information | — | No |
| Sensitive personal information | — | No |
| Biometric data | — | No |
| Geolocation data | — | No (only ephemeral IP for rate limiting) |
Section 10
Cookies and Tracking Technologies
We use a minimal set of cookies. We do not use advertising cookies, third-party tracking pixels, or cross-site behavioral tracking.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| next-auth.session-token | Strictly necessary | Maintains your authenticated session; contains a signed JWT with user identity and tier. HttpOnly, Secure, SameSite=Lax. | 30 days (refreshed on activity) |
| next-auth.csrf-token | Strictly necessary | CSRF protection for authentication state changes. Prevents cross-site request forgery. | Session (cleared on browser close) |
| frogeye-consent | Functional | Stores your cookie consent preference to avoid showing the banner on every visit. | 1 year |
No analytics cookies. We do not use Google Analytics, Mixpanel, Hotjar, or similar analytics platforms that set third-party cookies or track you across websites.
No advertising cookies. We do not participate in any advertising networks. No retargeting pixels or behavioral advertising cookies are set.
The two next-auth cookies are strictly necessary for the Service to function and do not require consent under the ePrivacy Directive. The consent preference cookie is functional and set only after you make a consent choice.
You may clear cookies via your browser settings at any time. Clearing the session token cookie will sign you out.
Section 11
Security Measures
We implement technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. Key measures include:
- Encryption in transit. All data transmitted between your browser, the Frogeye frontend, and our backend services uses TLS 1.2 or higher. TLS is enforced on all endpoints — no plaintext HTTP connections are accepted.
- Encryption at rest. Database data is encrypted at rest using AES-256. GCP Secret Manager provides KMS-backed encryption for all secrets and credentials.
- API key security. API keys are hashed using SHA-256 before storage. Only the first 16 characters (key prefix) are stored in plaintext for display purposes. Full raw keys are returned once upon generation or rotation and never stored in recoverable form.
- No password storage. We rely exclusively on OAuth 2.0. Frogeye never stores, handles, or transmits user passwords.
- Access controls. Production systems operate on least-privilege principles. Access is restricted to personnel with a specific operational need. All access is logged and audited. Employee credentials are revoked within 24 hours of offboarding.
- Container security. Cloud Run containers run as non-root UID 1000, use immutable image digests, and are deployed with VPC-native networking.
- Breach notification. In the event of a personal data breach meeting the GDPR notification threshold, we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
No security measure is 100% effective. We encourage you to use a strong authentication method with your GitHub or Google account (e.g., hardware security key or authenticator app) and to rotate your Frogeye API keys periodically. See our Security Policy for the complete technical architecture.
Section 12
Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. Our Terms of Service require users to be at least 16 years old to create an account (or the minimum digital consent age in their jurisdiction, whichever is higher).
Anonymous MCP usage (without an account) by individuals under 16 is also not permitted. AI assistants integrating Frogeye are responsible for complying with applicable laws regarding minor users.
If we discover that we have inadvertently collected personal data from a user under 16, we will delete that data promptly. If you believe we have collected data from a minor, please contact us at privacy@frogeye.ai.
Section 13
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or the Service. The "Last Updated" date at the top of this page indicates when the most recent changes were made.
For material changes — changes that significantly affect how we collect, use, or share your data — we will:
- Provide at least 30 days' advance notice via email to the address associated with your account
- Post a prominent notice on frogeye.ai
- For changes requiring fresh consent under applicable law, obtain your explicit agreement before the change takes effect
For non-material changes (e.g., clarifications, formatting, updated subprocessor contact details), we may update this Policy without prior notice, though we will update the "Last Updated" date.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, you must discontinue use of the Service.
Section 14
Contact Us
For privacy-related inquiries, data subject requests (access, deletion, portability, objection), or to report a potential data breach involving your account, please contact us:
Privacy Contact
Email: privacy@frogeye.ai
Subject line for data subject requests: "Privacy Request — [Your Request Type]"
Mailing Address
Frogeye, Inc.
Attn: Privacy
1209 Orange Street
Wilmington, Delaware 19801
United States
We aim to acknowledge all privacy requests within 48 hours and to respond substantively within 30 days. If your request is particularly complex, we will inform you within 30 days and may take up to 90 days in total to respond.
If you are an EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.
GDPR Lawful Bases — Full Reference
This appendix provides a comprehensive reference of all processing activities and their corresponding GDPR lawful bases under Article 6 for EEA, UK, and Swiss users.
| Processing Activity | Lawful Basis | Art. Reference |
|---|---|---|
| Creating and managing a user account | Performance of a contract | Art. 6(1)(b) |
| Authenticating via GitHub / Google OAuth | Performance of a contract | Art. 6(1)(b) |
| Enforcing tier-based scan quotas | Performance of a contract | Art. 6(1)(b) |
| Processing payments via Stripe | Performance of a contract | Art. 6(1)(b) |
| Maintaining billing records (7 years) | Legal obligation (US tax law) | Art. 6(1)(c) |
| 72-hour GDPR breach notification | Legal obligation | Art. 6(1)(c), Art. 33 |
| Ephemeral IP logging for rate limiting | Legitimate interests — service security and abuse prevention | Art. 6(1)(f) |
| Scan telemetry for capacity planning | Legitimate interests — operational efficiency | Art. 6(1)(f) |
| Server access logs for security monitoring | Legitimate interests — protecting user data and service integrity | Art. 6(1)(f) |
| Support communications | Legitimate interests — maintaining customer relationships | Art. 6(1)(f) |
| Improving the vulnerability pattern knowledge graph | Legitimate interests — service improvement using anonymized data; no personal data involved | Art. 6(1)(f); data is anonymized and not subject to GDPR once anonymized |
| MCP tool invocation analytics (aggregate) | Legitimate interests — feature development | Art. 6(1)(f) |
Balancing test for legitimate interests: For each processing activity based on legitimate interests (Art. 6(1)(f)), Frogeye has conducted a balancing test weighing our interests against data subjects' rights and freedoms. The minimal, proportionate, and security-focused nature of our data collection supports the conclusion that our interests do not override data subject interests in these contexts. A copy of our balancing test documentation is available upon request to privacy@frogeye.ai.
Data Retention Schedule — Quick Reference
This appendix provides a consolidated retention schedule for reference. See Section 6 for full details and notes on each category.
| Data | Retention |
|---|---|
| Session tokens (next-auth.session-token) | 30 days; immediately revoked on sign-out |
| Account data (name, email, avatar, tier, GitHub username) | Active account lifetime + 90 days post-deletion request |
| IP addresses (Redis ephemeral) | ≤ 24 hours; auto-expires; not persisted to database |
| Scan logs and quota counters | 90 days rolling; automatic purge |
| Server access logs | 90 days; rotated automatically |
| Billing records (Stripe Customer ID, subscription history) | 7 years from transaction date (US tax law) |
| Vulnerability patterns and embeddings (anonymized) | Indefinite — non-personal data; GDPR erasure does not apply |
| Support communications | 3 years from last interaction date |
| Cookie consent preference | 1 year from last set date |
| CSRF tokens | Session only (browser session) |
| API keys (SHA-256 hash) | Until rotated or account deleted + 90 days |
| Database backups | 7-day rotation cycle; then permanently destroyed |
All retention periods are maximum periods. Data is deleted earlier wherever technically and operationally feasible. Personal data subject to a pending data subject access or deletion request is placed on legal hold until the request is resolved.