Legal Effective June 25, 2026

Privacy Policy

DeepSweep, Inc. is committed to protecting your privacy with the same rigor we bring to protecting your code.

Last Updated: June 25, 2026

1. Introduction

DeepSweep, Inc. ("DeepSweep," "we," "our," or "us") operates a local-first runtime governance platform for AI coding agents, including a web application accessible at deepsweep.ai, the Local Runtime, the Agent Environment Review, and Visual Studio Code and Cursor extensions (collectively, the "Services"). Because the platform is local-first, enforcement and the Agent Environment Review run inside your own development environment, and our cloud receives only the metadata described below. This Privacy Policy describes how we collect, use, disclose, and protect information obtained from users of our Services ("you" or "your").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described herein, you must discontinue use of our Services immediately.

This Privacy Policy applies to all users of our Services, including visitors to our website, registered account holders, users of our VS Code and Cursor extensions, API consumers, and enterprise customers. It does not apply to third-party websites, applications, or services that may be linked from our Services. This Privacy Policy should be read together with our Terms of Service, which govern your use of the Services.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information. When you create a DeepSweep account, we collect your name, email address, and password. Passwords are cryptographically hashed using industry-standard algorithms and are never stored in plaintext.
  • Profile Information. You may optionally provide additional profile details such as your organization name, job title, and communication preferences.
  • Payment Information. When you purchase a subscription or one-time engagement, your payment card details are processed directly by Stripe, Inc., our PCI DSS Level 1 certified payment processor. DeepSweep does not receive, transmit, or store your full credit card number, CVV, or other sensitive payment credentials. We retain only a tokenized reference, card brand, last four digits, and billing address for record-keeping purposes.
  • Communications. When you contact our support team, submit a bug report, or otherwise communicate with us, we retain the content of those communications along with associated metadata (such as timestamps) to provide support and improve our Services.
  • Configuration and Review Metadata. Policy settings, plan and team configuration, and the metadata your Agent Environment Review produces (such as the Repository Capability Profile, grade, and deploy-risk signals). This is capability and configuration metadata; it does not include your source code or secrets, which remain local by default.

2.2 Information Collected Automatically

  • Usage Data. We collect information about how you interact with our Services, including pages visited, features used, actions taken, timestamps, session duration, and referring URLs.
  • Device and Browser Information. We collect device type, operating system, browser type and version, screen resolution, language preferences, and time zone.
  • Log Data. Our servers automatically record information including your IP address, access times, request URLs, HTTP status codes, and response sizes. This information is used for security monitoring, debugging, and infrastructure management.

2.3 Information from Third-Party Sources

  • Authentication Providers. If you sign in using a third-party identity provider (such as GitHub or Google), we receive your name, email address, and profile identifier as authorized by your provider settings. We do not receive your password from these providers.
  • Payment Processor. Stripe provides us with transaction confirmations, subscription status updates, and limited billing information necessary to manage your account.

3. VS Code Extension Telemetry

Our VS Code and Cursor extensions collect limited, anonymous telemetry to improve detection accuracy and product quality. Consistent with our local-first, metadata-only design, the extensions transmit capability and event metadata only. We are committed to full transparency about what they transmit.

What We Collect

  • -- Anonymized client identifier (randomly generated, not linked to your identity)
  • -- Event type (e.g., extension installed, review completed, finding detected)
  • -- Finding pattern hashes (cryptographic fingerprints, not actual file contents)
  • -- Severity classifications (CRITICAL, WARNING, INFO)
  • -- Affected configuration file types (e.g., .cursorrules, .windsurfrules)
  • -- Timestamps of events for trend analysis
  • -- Platform metadata (VS Code version, OS type)

What We Never Collect

  • -- Source code, file contents, or code snippets
  • -- File names, file paths, or directory structures
  • -- Project names, repository URLs, or Git remotes
  • -- Personally identifiable information (names, email addresses, IP addresses)
  • -- Credentials, API keys, secrets, or environment variables

All telemetry data is transmitted over encrypted connections (TLS 1.2+) and is stored in aggregate form. Individual telemetry records cannot be traced back to any specific user or organization. You may disable telemetry collection at any time through the extension settings.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery. To operate, maintain, and provide the features and functionality of our Services, including coordinating the Agent Environment Review, publishing policy bundles, orchestrating approvals, indexing audit metadata, managing your account, and delivering subscription benefits.
  • Detection Improvement. To improve our detection patterns, policy bundles, and the accuracy of the Agent Environment Review. Telemetry data is used exclusively in anonymized, aggregated form for this purpose. We never sell your data to third parties.
  • Billing and Payments. To process transactions, manage subscriptions, send invoices, and handle billing inquiries through our payment processor, Stripe.
  • Communication. To send you service-related notifications (such as security alerts, account updates, and billing confirmations), and with your consent, product updates and educational content about AI security.
  • Analytics and Product Development. To understand usage patterns, identify areas for improvement, develop new features, and optimize the user experience. Analytics are conducted using aggregated or pseudonymized data wherever possible.
  • Security and Fraud Prevention. To detect, investigate, and prevent security incidents, unauthorized access, fraudulent activity, and abuse of our Services.
  • Legal Compliance. To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.

Our Commitment: We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not use your data to build advertising profiles. Your security data exists to protect you, and we treat it accordingly.

5. How We Share Your Information

We disclose your information only in the following limited circumstances:

  • Service Providers. We share information with third-party vendors who perform services on our behalf, including cloud infrastructure hosting (Amazon Web Services), payment processing (Stripe), and analytics (Google Analytics). These providers are contractually obligated to use your information only as necessary to provide their services to us and are bound by data protection agreements.
  • With Your Consent. We may share your information with third parties when you have explicitly authorized us to do so, such as when you enable an integration with an external service.
  • Legal Obligations. We may disclose information if required by law, subpoena, court order, or other legal process, or if we reasonably believe that disclosure is necessary to protect the rights, property, or safety of DeepSweep, our users, or the public.
  • Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify affected users via email and/or prominent notice on our website of any change in ownership or uses of your personal information.
  • Aggregated and De-Identified Data. We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This includes anonymized, aggregated detection metadata derived from extension telemetry, which is used to improve detection accuracy for all users.

6. Data Storage and Security

We take the security of your information seriously and implement technical, administrative, and physical safeguards designed to protect it.

Infrastructure

Cloud-coordination data is stored on Amazon Web Services (AWS) infrastructure located in the United States (us-east-1 region). Enforcement and the Agent Environment Review run locally and do not store your source code on our infrastructure by default. AWS maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications, among other compliance standards.

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher. Our CDN layer (Cloudflare) provides additional post-quantum cryptographic protection.
  • All data at rest is encrypted using AES-256 encryption via AWS-managed keys (AWS KMS).
  • Database backups are encrypted using the same standards and stored in geographically separate locations.

Access Controls

Access to user data is restricted to authorized personnel who require it to perform their job functions. We enforce the principle of least privilege, require multi-factor authentication for all administrative access, and maintain audit logs of data access events. API keys, secrets, and credentials are managed through AWS Secrets Manager and are never stored in source code or environment variables.

Incident Response

We maintain a documented incident response plan. In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities within the timeframes required by applicable law, and in no event later than 72 hours after becoming aware of the breach.

Important: While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use our Services at your own risk.

7. Third-Party Services

We use the following third-party sub-processors to operate our platform. Each provider has been evaluated for their data protection practices:

Service Provider Purpose
Payment Processing Stripe, Inc. Subscription billing, one-time purchases, invoice management. PCI DSS Level 1 certified.
Product Analytics Google LLC (Google Analytics 4) Usage analytics, feature adoption tracking, funnel analysis. Consent Mode v2; cookieless until consent.
Cloud Infrastructure Amazon Web Services Compute, storage, database, and networking. SOC 2 Type II certified.
Authentication Amazon Cognito User authentication, session management, identity federation.
CDN / DNS Cloudflare, Inc. Content delivery, DNS resolution, DDoS protection, post-quantum cryptography.
Email Amazon SES Transactional email delivery (account confirmations, security alerts, billing notices).

Each third-party service provider is bound by a data processing agreement that limits their use of your information to the purposes described above. We regularly review our providers' security practices and compliance certifications.

8. Data Retention

We retain your information only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Type Retention Period Rationale
Account Data Duration of account + 30 days Active service delivery and grace period for account recovery.
Billing Records 7 years after transaction Tax and accounting compliance obligations.
Agent Environment Review Metadata 90 days (default) Repository Capability Profile, grade, and deploy-risk signals retained for historical comparison and trend analysis. Source code and secrets remain local and are not stored. Team and enterprise customers may configure longer retention.
Extension Telemetry 26 months (anonymized) Detection-pattern analysis and review accuracy improvement.
Server Logs 90 days Security monitoring, debugging, and incident investigation.
Support Communications 2 years after resolution Service quality and dispute resolution.

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymized. Anonymized data that cannot be used to identify any individual may be retained indefinitely for statistical and research purposes.

9. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal information:

  • Right of Access. You may request a copy of the personal information we hold about you, including the categories of data collected, the purposes for processing, and any third parties with whom it has been shared.
  • Right to Rectification. You may request that we correct inaccurate or incomplete personal information.
  • Right to Deletion. You may request that we delete your personal information, subject to certain legal exceptions (such as compliance with legal obligations or the establishment, exercise, or defense of legal claims).
  • Right to Data Portability. You may request a copy of your data in a structured, commonly used, machine-readable format (such as JSON or CSV).
  • Right to Restrict Processing. You may request that we limit processing of your personal information in certain circumstances, such as when you contest its accuracy.
  • Right to Object. You may object to the processing of your personal information based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent. Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, please contact us at privacy@deepsweep.ai. We will verify your identity before processing your request and will respond within 30 days (or within any shorter period required by applicable law). If we need additional time, we will notify you of the extension and the reasons for the delay.

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to request deletion; the right to opt out of the sale or sharing of personal information (we do not sell your data); and the right to non-discrimination for exercising your privacy rights. You may also designate an authorized agent to submit requests on your behalf.

European Economic Area, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, we process your personal data under the following legal bases: (a) performance of a contract with you; (b) our legitimate interests in operating and improving our Services, provided those interests are not overridden by your rights; (c) compliance with legal obligations; and (d) your consent, where applicable. You have the right to lodge a complaint with your local data protection supervisory authority.

10. Cookies and Tracking Technologies

We use cookies and similar technologies on our website for the following purposes:

  • Essential Cookies. Required for core functionality such as authentication, session management, and security. These cannot be disabled without impairing the operation of our Services.
  • Analytics Cookies. Used to understand how visitors interact with our website, including page views, session duration, and feature usage. These are processed by Google Analytics and are used only with your consent where required by applicable law.
  • Preference Cookies. Used to remember your settings and preferences (such as language, theme, or notification preferences) across sessions.

We do not use third-party advertising cookies. You may manage your cookie preferences through your browser settings. Please note that blocking essential cookies may prevent you from using certain features of our Services.

11. Children's Privacy

Our Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 16 (or such higher age as may be required by applicable law in your jurisdiction). If we become aware that we have collected personal information from a child under the applicable minimum age without verifiable parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at privacy@deepsweep.ai so that we can take appropriate action.

12. International Data Transfers

DeepSweep, Inc. is headquartered in the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we intend to rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Data Processing Agreements with supplementary technical and organizational measures
  • Your explicit consent, where applicable and required

We ensure that all international transfers of personal data are conducted in compliance with applicable data protection laws and that appropriate safeguards are in place to protect your information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other legitimate business reasons. When we make material changes, we will:

  • Send an email notification to all registered users at the email address associated with their account
  • Post a prominent notice on our website for at least 30 days
  • Update the "Last Updated" date at the top of this policy

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree to the revised policy, you must discontinue use of our Services.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

DeepSweep, Inc.
Privacy Team
Privacy Inquiries: privacy@deepsweep.ai
Security Issues: security@deepsweep.ai
General Inquiries: hello@deepsweep.ai

We aim to respond to all privacy inquiries within 30 days of receipt. If we require additional time, we will inform you of the reason for the delay and the expected response date.

This Privacy Policy is effective as of June 25, 2026 and was last updated on June 25, 2026.

DeepSweep, Inc. All rights reserved.