Legal

Privacy Policy

Last updated: March 2026

Short version: dpndncY is self-hosted software. When you run it on your own infrastructure, your source code, dependency data, and scan results never leave your environment. This policy describes what data we process when you visit our website or request a license.

1. Who we are

dpndncY is a software supply chain security platform distributed as self-hosted software. References to "we", "us", or "our" in this policy refer to the dpndncY team. For questions about this policy, contact us at [email protected].

2. What data we collect

We collect data in two contexts:

When you visit this website:

Standard web server logs (IP address, browser type, pages visited, referrer) — retained for up to 30 days for security and diagnostic purposes
No tracking cookies, analytics scripts, or third-party advertising tags are used on this site

When you submit a license request:

Name, work email, company name, job title, country, phone number, team size, and use case description
Submission timestamp and a generated request ID
This data is stored on our server and used solely to respond to your inquiry

When you run dpndncY on your infrastructure:

We collect no telemetry, usage data, or scan results from self-hosted instances
All dependency data, scan results, vulnerability findings, and source code remain entirely within your environment

3. How we use your data

To respond to license inquiries and communicate licensing options
To diagnose technical problems with the website
To detect and prevent abuse or unauthorized access to our systems

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Legal basis for processing (GDPR)

If you are located in the European Economic Area, our legal basis for processing your data is:

Legitimate interest — server logs for security and diagnostics
Pre-contractual necessity / consent — license request form data, which you submit voluntarily

5. Data retention

Server logs are retained for up to 30 days
License request data is retained for up to 2 years or until you request deletion

6. Your rights

Under GDPR and applicable data protection laws, you have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request deletion of your data ("right to be forgotten")
Object to or restrict processing of your data
Data portability — receive your data in a structured, machine-readable format

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. Cookies

This website does not use tracking cookies or analytics. If you use the dpndncY application, a session cookie is set for authentication purposes only — it contains no personal information and is not used for tracking.

8. Third-party services

This website uses Google Fonts, loaded directly from Google's CDN. Google may collect standard access log data when fonts are loaded. No other third-party services are used on this website.

The dpndncY application queries public vulnerability databases (OSV.dev, NVD, GHSA) and optionally third-party services (GitHub API, GitLab API, SMTP providers, Stripe) based on configuration you control. We do not operate or have access to data processed through these services in your self-hosted instance.

9. Data security

License request data is stored in a secured server environment with access controls. We use HTTPS for all data in transit. No system is 100% secure, and we cannot guarantee absolute security, but we take reasonable precautions to protect your data.

10. Children's privacy

dpndncY is not directed at children under 16. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of the website after changes constitutes acceptance of the revised policy.

12. Contact

For privacy-related questions or requests, contact us at [email protected].