Legal

Privacy policy.

Effective 2026-04-28

This is a short, honest privacy policy. If anything below is unclear, email founder@cipherm.io and we'll fix the wording.

What we collect

  • CBOM uploads. When you upload a CycloneDX 1.6 CBOM to cipherm.io, we store the JSON artifact and indexed metadata (severity counts, finding count, slug, optional origin URL). Uploads marked public are publicly readable. Unlisted uploads are accessible only via the unguessable slug; private uploads behind authentication are a Pro tier roadmap item.
  • Server logs. Standard request logs (IP, user agent, path, status code, response time). Retained 30 days for debugging and abuse mitigation, then deleted.
  • Waitlist email. If you sign up for the Pro waitlist or contact us, we store the email address and the source page. Email is only used for the purpose you signed up for and never sold.
  • Anonymous browser analytics. When deployed behind an analytics provider (Plausible / Vercel Analytics), we collect anonymous, aggregate page views. No cookies. No cross-site tracking. No fingerprinting.

What we don't collect

  • Source code. The CLI scanner runs locally; the only thing that leaves your machine is the CBOM you choose to upload.
  • Authentication tokens, secrets, or API keys. The scanner never sends credentials home; if a CBOM contains a leaked PEM key as a finding, the snippet is short by design and the file path is yours.
  • Cookies for marketing pages. CipherM's marketing site doesn't set tracking cookies. (Vercel may set strictly necessary cookies for the platform itself; review their policy.)
  • Cross-site identifiers, advertising IDs, or third-party trackers.

Service providers

  • Vercel — hosts the marketing site. See vercel.com/legal/privacy-policy.
  • Managed application host — hosts the registry backend, database, and CBOM storage (US region, automated backups). The current provider is listed on the procurement page and updated before any customer data is processed.

CipherM does not share user data with third parties beyond the operational hosting providers above.

Your rights

  • Delete a CBOM you uploaded: email the slug and the upload sha256 to founder@cipherm.io. We'll remove it within 7 days.
  • Export your data: every CBOM is downloadable from its detail page. Waitlist email export available on request.
  • Forget you: email founder@cipherm.io and we'll delete your waitlist entry and all associated records within 30 days.

Children

CipherM is a developer tool not directed at children under 13 (or 16 in the EU). We don't knowingly collect data from minors.

Changes

Policy changes are logged in the public git repository. Material changes (new data categories, new providers) will be communicated via the homepage and to waitlist subscribers at least 30 days before taking effect.

Contact

founder@cipherm.io · privacy@cipherm.io (alias for the same inbox).