Privacy Policy

Effective Date: March 24, 2026

1. Introduction

Hijack Security, Inc. ("Hijack Security," "we," "us," or "our") operates Intercept, a supply chain security platform. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data.

2. Data Controller

Hijack Security, Inc. is the data controller for information collected through Intercept. For privacy inquiries, contact us at privacy@hijacksecurity.com.

3. Data We Collect

Account Data

Email address, full name, and password (stored as a bcrypt hash, never in plaintext).

GitHub OAuth Data

GitHub username, avatar URL, and GitHub user ID. OAuth tokens are not stored by Intercept.

Platform Credentials

GitHub and Azure DevOps personal access tokens, encrypted at rest using Fernet (AES).

Repository Metadata

Repository names, URLs, star counts, fork counts, and primary language. Source code is not stored permanently.

Scan Findings

Vulnerabilities, misconfigurations, and redacted secret patterns. Raw secret values are never stored.

Posture Agent Data

Machine metadata, installed tool inventory, and security posture scores. The agent never reads file contents, credentials, or personal documents.

Alert Preferences

Notification channel configuration and email addresses for alerting.

Usage Data

Authentication cookies (httpOnly, no tracking purpose) and a theme preference stored in localStorage.

4. How We Use Your Data

  • Performing security scans on your connected repositories
  • Detecting vulnerabilities, secrets, misconfigurations, and supply chain risks
  • Delivering alerts and notifications based on your preferences
  • AI-powered code analysis (opt-in only) to provide deeper security insights
  • Authenticating your identity and maintaining session security
  • Improving the platform based on aggregated, non-identifying usage patterns

5. Data We Do NOT Collect

We are committed to minimal data collection. We do not collect:

  • Analytics or behavioral tracking data
  • Tracking cookies or marketing pixels
  • Third-party advertising cookies
  • Browsing behavior outside of Intercept
  • Source code (repositories are cloned temporarily for scanning and immediately deleted)

6. Third-Party Data Sharing

We share data with the following third parties only as necessary to provide the service:

  • GitHub API / Azure DevOps API -- repository access during scans, using your credentials
  • Anthropic / OpenAI -- code excerpts for AI analysis (opt-in only; their data policies apply)
  • AWS SES -- transactional email delivery (e.g., verification emails, alerts)
  • OSV, NVD, CISA KEV -- vulnerability data feeds (no user data is sent to these services)

We do not sell, rent, or share personal data for advertising or marketing purposes.

7. Cookies

Intercept uses a minimal set of cookies for authentication only:

  • intercept_access_token -- httpOnly, Secure, SameSite=Lax
  • intercept_refresh_token -- httpOnly, Secure, SameSite=Lax
  • intercept_auth -- client-side login state flag

One localStorage key (theme) stores your dark/light mode preference. We use no third-party cookies, no tracking cookies, and no analytics cookies.

8. Data Security

We implement multiple layers of security to protect your data:

  • Passwords hashed with bcrypt
  • Platform credentials encrypted with Fernet (AES) at rest
  • All communications over HTTPS (TLS)
  • JWT-based authentication with short-lived access tokens
  • PostgreSQL Row-Level Security (RLS) for tenant data isolation
  • Strict tenant isolation across all services

9. Data Retention

Scan findings are retained until a new scan replaces them or you delete your account. Threat intelligence data is retained for 90 days. We do not automatically purge user accounts. You may delete your account at any time, which triggers permanent deletion of all associated data.

10. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

  • Right to access -- request a copy of your data via our API
  • Right to rectification -- update your profile information at any time
  • Right to erasure -- delete your account, which triggers cascading deletion of all data across all services
  • Right to restrict processing -- disable scanning on a per-account basis
  • Right to data portability -- access all your data through our API in standard formats
  • Right to object -- contact us to object to specific processing activities

To exercise any of these rights, contact privacy@hijacksecurity.com.

11. International Data Transfers

Your data is processed and stored in the United States (AWS us-east-1 region). For data subjects in the European Economic Area, standard contractual clauses apply to ensure adequate protection for international data transfers.

12. Children

Intercept is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a person under 18, we will delete that information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through an in-app notification. The "Effective Date" at the top of this page indicates when the policy was last revised.

14. Contact

For questions about this Privacy Policy or your personal data, contact us at privacy@hijacksecurity.com.