Privacy Policy

This Privacy Policy explains what data agentlint collects, why we collect it, how we use it, and the choices you have. Operator: Gerardo Perez Manjarrez (sole proprietor, doing business as agentlint). Contact: hello@agentlint.sh.

1. The CLI is local-first

The agentlint command-line tool, distributed under the MIT license, runs entirely on your machine. It does not phone home, transmit telemetry, or send your repository contents to us or to any third party. The only network calls it makes are to a documentation URL you explicitly pass with the --url flag, and even those go through a bounded fetch with a timeout.

If you never use the website or the hosted dashboard, we collect no personal data from you.

2. What we collect when you use the website

The hosted Service collects the following categories of data:

• Account data: when you sign in with GitHub, your name, email address, GitHub user ID, avatar URL, and access token. We use this to authenticate you and to identify your account.
• Subscription data: when you subscribe, our payment processor (Stripe) returns a customer ID, a subscription ID, the plan, the period start and end dates, and the subscription status. We do not store your card number, expiration date, or CVV — those live only at Stripe.
• Scan data: if you submit scan results from the CLI to your account (a future feature), we store the report metadata (repository name, commit SHA, score, and rule outcomes). We do not store your repository's source code.
• Server logs: standard request logs (IP address, user agent, path, status code, timestamp) retained for up to 30 days for debugging and abuse detection.
• Cookies: a session cookie set by the authentication system (better-auth) so we can keep you signed in. We do not use third-party tracking cookies.

3. Why we use it

• To provide the Service you signed up for.
• To process payments and prevent fraud (Stripe handles this).
• To send transactional email (account events, billing receipts, security notices).
• To debug issues and improve reliability and performance.
• To comply with legal obligations.

We do not sell, rent, or trade personal data. We do not use your data to train AI models.

4. Where data lives (sub-processors)

We use a small number of vetted third parties to operate the Service. They process data on our behalf under contract and may not use it for their own purposes:

• Vercel — hosts the website and serverless functions.
• Neon — hosts the Postgres database.
• Stripe — processes payments and stores billing information.
• GitHub — provides authentication via OAuth.
• Cloudflare — provides DNS and email forwarding for our domain.

5. International data transfers

Our infrastructure is hosted in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. By using the Service you consent to that transfer.

6. Retention

We retain account and subscription data for as long as your account exists, and for a reasonable period afterwards as required for tax, accounting, and dispute resolution. Server logs are retained for up to 30 days. You can request deletion at any time (see Section 8).

7. Security

We follow standard practices to protect personal data: encrypted transport (TLS), encrypted secrets at rest, scoped access, and the principle of least privilege. No system is perfectly secure; if we discover a breach affecting you, we will notify you without undue delay. To report a vulnerability, email security@agentlint.sh or use a private GitHub Security Advisory.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to processing. To exercise any of these rights, email hello@agentlint.sh. We respond within 30 days. We do not discriminate against users who exercise these rights.

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority. Our lawful bases for processing are: (a) performance of the contract we have with you; (b) our legitimate interest in operating and securing the Service; and (c) compliance with legal obligations.

California residents have additional rights under the CCPA/CPRA, including the right to know what personal data is collected, request deletion, and opt out of the sale of personal data. We do not sell personal data.

9. Children

The Service is not directed to children under 13, and we do not knowingly collect personal data from them. If you believe we have, contact us and we will delete it.

10. Changes

We may update this Policy from time to time. Material changes will be communicated by email or through the Service at least fifteen (15) days before they take effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Privacy questions? Email hello@agentlint.sh.