PRIVACY POLICY
Effective Date: September 10, 2025
1. INTRODUCTION AND SCOPE
This Privacy Policy (“Policy”) describes the information practices of Verabit Labs Ltd, a Delaware corporation (“Company,” “we,” “us,” or “our”), in connection with our AI-powered code vulnerability scanning service and any related services, software, applications, or platforms (collectively, the “Service”). This Policy applies to all information collected by the Company through the Service, including information collected from users who access, browse, or use the Service in any manner.
By accessing, browsing, or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. This Privacy Policy is incorporated into and forms an integral part of our Terms of Service. If you do not agree with the practices described in this Privacy Policy, you should not access or use our Service.
The Company reserves the right to modify, update, or amend this Privacy Policy at any time and in our sole discretion. Any changes to this Privacy Policy will become effective immediately upon posting the revised Policy on our website or platform. Your continued use of the Service following the posting of any changes constitutes your acceptance of such changes.
2. DEFINITIONS
For purposes of this Privacy Policy, the following definitions apply:
“Personal Information” means any information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Processing” means any operation or set of operations performed on Personal Information or sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, or destruction.
“Repository Data” means all data, information, source code, files, metadata, and other content contained within or associated with software repositories connected to our Service.
“Third-Party Service Providers” means external companies, organizations, or service providers that process information on our behalf or provide services integral to the operation of our Service.
3. CATEGORIES OF INFORMATION COLLECTED
3.1 Account and Authentication Information
When you create an account with our Service through Google OAuth authentication, we collect and process the following categories of information:
Google Account Information: Your email address, Google account identifier, profile name, and any other profile information made available through the Google OAuth authentication process that you have authorized us to access.
GitHub Account Information: Your GitHub account identifier, profile name, and any other profile information made available through the GitHub OAuth authentication process that you have authorized us to access.
Account Management Data: Account creation date and time, last login date and time, account status, authentication tokens and refresh tokens, and account preference settings.
Authentication Logs: Records of login attempts, successful authentications, authentication failures, and security-related events associated with your account access.
3.2 Payment and Billing Information
In connection with our credit-based billing system and payment processing through Stripe, Inc., we collect and process:
Billing Contact Information: Full legal name, billing address, email address for billing communications, and any other contact information you provide for billing purposes.
Payment Method Information: While we do not directly store payment card information, we receive and store payment method identifiers, payment status information, and transaction confirmations from our payment processor, Stripe, Inc.
Transaction Records: Complete transaction history including credit purchases, credit consumption, payment amounts, transaction dates and times, payment method used, and any refund or chargeback information.
Tax and Accounting Information: Information necessary for tax reporting and compliance, including tax identification numbers where applicable and required by law.
3.3 Source Code and Repository Information
When you authorize our Service to access your GitHub repositories or other code repositories, we collect, download, and process:
Complete Repository Contents: All source code files, documentation files, configuration files, and any other files contained within the authorized repositories, regardless of file type or format.
Repository Metadata: Repository names, descriptions, creation dates, modification dates, commit history and metadata, branch information, contributor information, file and directory structures, and repository settings.
Version Control Information: Git history, commit messages, author information, timestamps, merge information, and any other version control system data associated with the repositories.
Dependency and Configuration Data: Package manager files, dependency declarations, build configuration files, deployment scripts, environment configuration files, and any other technical configuration information.
3.4 Technical and Usage Information
We automatically collect certain technical and usage information when you access or use our Service:
Device and Browser Information: Internet Protocol (IP) addresses, browser type and version, operating system and version, device type and model, screen resolution, and other device characteristics.
Usage Analytics: Pages visited, features used, time spent on different sections of the Service, click-through rates, user interface interactions, and navigation patterns.
Performance Data: Service response times, error rates, system performance metrics, API usage statistics, and technical diagnostic information.
Communication Logs: Records of communications between you and our Service, including support tickets, feedback submissions, and other user-initiated communications.
3.5 Scan Results and Analytical Data
Through our vulnerability scanning and analysis processes, we generate and store:
Vulnerability Scan Results: Detailed reports identifying potential security vulnerabilities, coding errors, compliance issues, and other technical findings within your source code.
Risk Assessments: Security risk ratings, vulnerability severity classifications, impact assessments, and prioritization recommendations.
Historical Analysis Data: Trends in vulnerability detection over time, remediation tracking, comparative analysis between different scans, and progress monitoring information.
Aggregate Statistical Data: Anonymized and aggregated data derived from scan results for the purpose of improving our Service and developing industry insights.
4. METHODS OF INFORMATION COLLECTION
4.1 Direct Collection
We collect information directly from you when you:
- Create an account and authenticate through Google OAuth
- Connect repositories to our Service
- Purchase credits or make payments
- Communicate with our support team
- Provide feedback or participate in surveys
- Configure account settings or preferences
4.2 Automatic Collection
We automatically collect information through:
- Cookies, web beacons, and similar tracking technologies
- Server logs and analytics tools
- Application programming interface (API) interactions
- System monitoring and performance tools
4.3 Third-Party Collection
We may receive information about you from:
- Google through the OAuth authentication process
- Stripe in connection with payment processing
- GitHub or other repository hosting services
- Third-party AI service providers in connection with code analysis
5. PURPOSES FOR INFORMATION PROCESSING
5.1 Primary Service Provision
We process your information for the following primary purposes related to providing our Service:
Vulnerability Scanning and Analysis: Processing your source code through artificial intelligence and machine learning algorithms to identify potential security vulnerabilities, coding errors, compliance issues, and other technical problems.
Report Generation: Creating detailed vulnerability reports, risk assessments, remediation recommendations, and other analytical outputs based on our scanning and analysis of your source code.
Account Management: Creating, maintaining, and managing your user account, including authentication, authorization, and account security measures.
Payment Processing: Managing your credit balance, processing payments, maintaining billing records, and handling any payment-related issues or disputes.
5.2 Service Improvement and Development
We process your information to improve and develop our Service, including:
Algorithm Enhancement: Using scan results and user feedback to improve the accuracy, efficiency, and effectiveness of our vulnerability detection algorithms and AI models.
Feature Development: Analyzing usage patterns and user needs to develop new features, capabilities, and improvements to our Service.
Performance Optimization: Monitoring and analyzing Service performance to identify and resolve technical issues, optimize system performance, and enhance user experience.
Quality Assurance: Testing and validating our Service functionality, accuracy of scan results, and overall Service quality.
5.3 Business Operations and Administration
We process your information for legitimate business operations, including:
Customer Support: Providing technical support, responding to inquiries, resolving issues, and maintaining customer relationships.
Security and Fraud Prevention: Detecting, preventing, and responding to security threats, fraudulent activities, abuse of our Service, and violations of our Terms of Service.
Legal Compliance: Complying with applicable laws, regulations, legal processes, and governmental requests.
Business Analytics: Analyzing business performance, user engagement, market trends, and other business intelligence to inform strategic decision-making.
5.4 Communication and Marketing
We may process your information to:
- Send service-related notifications and updates
- Provide customer support communications
- Send billing and payment-related communications
- Communicate about changes to our Service or policies
6. INFORMATION SHARING AND DISCLOSURE
6.1 Third-Party Artificial Intelligence Service Providers
Mandatory Processing Disclosure: You acknowledge and expressly consent that your source code, repository data, and related information will be transmitted to, processed by, and potentially stored by third-party artificial intelligence service providers. This processing is essential for our Service to perform vulnerability analysis and is conducted pursuant to the following terms:
Identified Third-Party AI Providers: Your information will be processed by artificial intelligence service providers including, but not limited to:
- OpenAI, Inc. and its language models and AI services
- Anthropic, Inc. and its AI systems and services
- Google LLC and its AI and machine learning services
- Microsoft Corporation and its AI services (including those provided through Azure)
- Other large language model providers and AI service companies that we may engage from time to time
Scope of Third-Party Processing: Third-party AI service providers may process your complete source code, repository metadata, file contents, and any other information necessary for vulnerability analysis and report generation.
Third-Party Data Handling: Each third-party AI service provider operates under its own privacy policy, terms of service, and data handling practices. We do not control and are not responsible for the data handling practices, security measures, data retention policies, or privacy practices of these third-party providers.
Inherent Risks Acknowledgment: You acknowledge and accept the inherent risks associated with third-party processing of your source code and sensitive information, including but not limited to:
- Potential unauthorized access to or disclosure of your source code
- Data breaches or security incidents at third-party providers
- Misuse or unauthorized use of your information by third parties
- Retention of your information by third-party providers beyond our control
- Processing of your information in jurisdictions with different privacy laws
6.2 Payment Processing Service Provider
Stripe Payment Processing: All payment processing is conducted by Stripe, Inc., a third-party payment processing service provider. Stripe processes your payment information, billing details, and transaction data in accordance with its own privacy policy and terms of service. We receive confirmation of payments and limited transaction information from Stripe but do not directly handle or store your complete payment card information.
6.3 Legal and Regulatory Disclosure
We may disclose your information when we believe in good faith that disclosure is necessary or appropriate for any of the following purposes:
Legal Compliance: Comply with applicable laws, regulations, legal processes, or governmental requests, including but not limited to responding to subpoenas, court orders, or other legal demands.
Rights Protection: Protect and defend our rights, property, interests, or safety, including enforcement of our Terms of Service and other agreements.
Safety and Security: Protect the safety, security, rights, property, or interests of our users, third parties, or the general public.
Legal Proceedings: Participate in legal proceedings, investigations, or regulatory inquiries where disclosure of information is required or appropriate.
6.4 Business Transfers and Corporate Transactions
In the event of any merger, acquisition, consolidation, sale of assets, bankruptcy, reorganization, or other corporate transaction involving the Company, your information may be transferred, sold, or assigned to the acquiring entity or successor organization. You will be notified of any such transfer through prominent notice on our Service or by email.
6.5 Service Providers and Business Partners
We may share your information with trusted service providers, contractors, and business partners who assist us in operating our Service, conducting our business, or providing services to you, provided that such parties agree to keep your information confidential and use it only for the specified purposes.
6.6 Aggregated and De-Identified Information
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you or any individual for research, analytics, marketing, or other business purposes.
7. DATA RETENTION POLICIES
7.1 Indefinite Retention Rights
General Retention Policy: The Company reserves the right to retain all information collected through our Service indefinitely and for any lawful purpose. This includes, but is not limited to:
Account Information: We may retain your account information, authentication data, and profile information indefinitely, even after account termination or Service discontinuation.
Source Code and Repository Data: We may retain complete copies of your source code, repository contents, metadata, and related information indefinitely, regardless of whether you disconnect repositories from our Service or terminate your account.
Scan Results and Analysis: We may retain all vulnerability scan results, analysis reports, risk assessments, and related analytical data indefinitely for business, research, and Service improvement purposes.
Transaction and Billing Records: We may retain all payment, billing, and transaction information indefinitely for accounting, tax, legal compliance, and business record purposes.
Technical and Usage Data: We may retain all technical logs, usage analytics, performance data, and system information indefinitely for business operations and Service improvement.
7.2 Retention Justifications
Our retention of information serves the following legitimate business purposes:
- Maintaining historical records for business continuity and analysis
- Complying with legal, regulatory, and tax obligations
- Defending against legal claims or potential litigation
- Improving our Service through historical data analysis
- Conducting research and development activities
- Maintaining audit trails and business records
7.3 Data Deletion Discretion
While we reserve the right to retain information indefinitely, we may, in our sole discretion and without any obligation, delete or anonymize information at any time. However, you should not rely on our voluntary deletion of information and should assume that any information provided to us may be retained indefinitely.
7.4 Post-Termination Retention
Even after your account is terminated, suspended, or deactivated, whether voluntarily or involuntarily, we may continue to retain and use your information as described in this Privacy Policy. Account termination does not result in automatic deletion of your information.
8. DATA SECURITY MEASURES
8.1 Security Implementation
We implement reasonable technical, administrative, and physical security measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
Technical Safeguards: Encryption of data in transit and at rest, secure authentication protocols, access controls and authorization systems, network security measures, and regular security monitoring and logging.
Administrative Safeguards: Employee training on data protection and privacy practices, access controls limiting employee access to information on a need-to-know basis, background checks for personnel with access to sensitive information, and incident response procedures.
Physical Safeguards: Secure data centers with controlled access, environmental controls, and monitoring systems to protect physical infrastructure and equipment.
8.2 Security Limitations and Risk Acknowledgment
No Absolute Security Guarantee: Despite our security measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your information, and you acknowledge and accept this inherent limitation.
Inherent Risks: You acknowledge and accept the following inherent security risks:
- Potential unauthorized access despite security measures
- Risk of data breaches or security incidents
- Vulnerabilities in third-party services and infrastructure
- Risks associated with internet-based data transmission
- Potential for human error or system failures
8.3 Security Incident Response
In the event of a security incident involving your information, we will take appropriate measures to investigate and respond to the incident, which may include notifying affected users and relevant authorities as required by law.
9. INTERNATIONAL DATA TRANSFERS
9.1 Cross-Border Data Processing
Your information may be transferred to, processed in, and stored in countries other than your country of residence, including countries that may have different data protection laws than your jurisdiction. This includes transfers to:
- Countries where our servers, data centers, or infrastructure are located
- Countries where our third-party service providers operate
- Countries where our AI service providers process information
9.2 Transfer Safeguards
When we transfer your information internationally, we endeavor to implement appropriate safeguards to protect your information, which may include contractual protections, adequacy decisions, or other lawful transfer mechanisms.
10. YOUR RIGHTS AND CHOICES
10.1 Access and Portability Rights
Information Access: You may request access to certain Personal Information we maintain about you, subject to legal limitations and verification requirements.
Data Portability: You may request a copy of certain information in a portable format, though this right may be limited by technical feasibility and legal restrictions.
10.2 Correction and Update Rights
You may request correction or updating of certain Personal Information we maintain about you. However, we reserve the right to verify the accuracy of requested changes and may decline to make changes that could compromise data integrity or legal compliance.
10.3 Deletion and Erasure Requests
You may request deletion of certain Personal Information, though such requests are subject to our retention policies described in Section 7 and legal or business requirements that may necessitate continued retention.
10.4 Communication Preferences
You may opt out of certain promotional or marketing communications, though you will continue to receive service-related communications that are necessary for account management and Service provision.
10.5 Rights Limitations
Your rights are subject to certain limitations, including:
- Legal or regulatory requirements that mandate information retention
- Legitimate business interests in retaining information
- Technical limitations on data modification or deletion
- Need to verify your identity before processing rights requests
11. CALIFORNIA PRIVACY RIGHTS
11.1 California Consumer Privacy Act (CCPA) Rights
If you are a California resident, you may have the following rights under the California Consumer Privacy Act:
Right to Know: You have the right to request information about the categories and specific pieces of Personal Information we have collected about you, the categories of sources from which we collected the Personal Information, the business or commercial purpose for collecting the Personal Information, and the categories of third parties with whom we share Personal Information.
Right to Delete: You have the right to request deletion of Personal Information we have collected about you, subject to certain exceptions and our retention policies.
Right to Opt-Out: You have the right to opt out of the sale of your Personal Information. However, we do not sell Personal Information as defined by the CCPA.
Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.
11.2 Exercising California Rights
To exercise your CCPA rights, please contact us using the information provided in Section 14. We will verify your identity before processing your request and respond within the timeframes required by law.
11.3 CCPA Disclosures
In the preceding 12 months, we have collected the categories of Personal Information described in Section 3 of this Privacy Policy. We have disclosed Personal Information to the categories of third parties described in Section 6 for business purposes.
12. CHILDREN'S PRIVACY
12.1 Age Restrictions
Our Service is not intended for, designed for, or directed to individuals under the age of 18. We do not knowingly collect, process, or solicit Personal Information from individuals under 18 years of age. Our Terms of Service require users to be at least 18 years of age to use our Service.
12.2 Parental Notice and Consent
If we become aware that we have collected Personal Information from an individual under 18 years of age without proper parental consent, we will take appropriate steps to delete such information promptly. Parents or legal guardians who believe we may have collected information from their child should contact us immediately.
13. POLICY UPDATES AND MODIFICATIONS
13.1 Right to Modify
We reserve the right to modify, update, amend, or replace this Privacy Policy at any time and in our sole discretion. Changes may be made to reflect changes in our business practices, legal requirements, or for any other reason we deem appropriate.
13.2 Notice of Changes
We will provide notice of material changes to this Privacy Policy by:
- Posting the updated Privacy Policy on our website or Service platform
- Updating the "Effective Date" at the top of this Privacy Policy
- Providing additional notice through our Service or via email for significant changes
13.3 Continued Use Constitutes Acceptance
Your continued access to or use of our Service after any changes to this Privacy Policy constitutes your acceptance of the revised Privacy Policy. If you do not agree with any changes, you must discontinue use of our Service.
14. CONTACT INFORMATION AND PRIVACY INQUIRIES
14.1 Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Verabit Labs Ltd
Email: legal@zellic.io
14.2 Response Timeframes
We will endeavor to respond to privacy inquiries and rights requests within a reasonable timeframe and in accordance with applicable legal requirements. Complex requests may require additional time for proper investigation and response.
14.3 Verification Requirements
For security purposes, we may require verification of your identity before processing certain privacy requests or providing access to Personal Information. We will provide instructions for identity verification when necessary.