Privacy Policy
Last updated: February 18, 2026
1. What We Collect
ShipGrade collects the minimum data necessary to operate the trust profile platform:
- Account information — email address and password (hashed) when you create an account, or OAuth profile data if you sign in with a third-party provider.
- Builder profile — display name, bio, website URL, and social links you optionally provide.
- Product URLs — the URLs you submit for scanning. For MCP server products, the GitHub repository URL or uploaded source archive.
- Scan results — automated assessment data generated by our scanners (security headers, SSL status, DNS records, privacy signals, performance metrics, code analysis results).
- Usage data — page views on public profiles and badge impressions, collected in aggregate without personal identifiers.
2. How We Use Your Data
- Generate and display trust profiles for products you register.
- Run automated scans to assess security, privacy, performance, and reliability signals.
- Display public product profiles and directory listings for published products.
- Send you account-related emails (password resets, security notifications).
- Improve our scanning algorithms and scoring methodology.
3. Cookies
ShipGrade uses the following cookies:
Essential cookies
- sb-access-token — session authentication token
- sb-refresh-token — session refresh token
Analytics cookies
We use Google Analytics to understand how visitors use ShipGrade. Google Analytics sets cookies (such as _ga and _ga_*) to distinguish unique users and track page views, visit duration, and traffic sources. This data is collected in aggregate and does not personally identify you.
You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. We do not use advertising trackers or any other third-party tracking pixels.
4. Third-Party Services
- Supabase — database hosting and authentication. Your account data and scan results are stored in Supabase's infrastructure. Supabase Privacy Policy
- Cloudflare — hosting, CDN, and DDoS protection. Cloudflare processes request metadata (IP addresses, user agents) as part of its service. Cloudflare Privacy Policy
- Google Analytics — website analytics. We use Google Analytics to measure traffic and understand how visitors interact with ShipGrade. Google may collect IP addresses, browser type, and pages visited. IP anonymization is enabled. Google Privacy Policy
5. Data Retention
Account data is retained as long as your account is active. Scan results are retained for the lifetime of the registered product. Uptime monitoring data older than 90 days is aggregated into daily summaries and raw ping data is deleted. If you delete your account, all associated data (profile, products, scan results) is permanently removed within 30 days.
6. Your Rights
Under GDPR and CCPA, you have the right to:
- Access — request a copy of all data we hold about you.
- Correction — update or correct inaccurate data.
- Deletion — request permanent deletion of your account and all associated data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing of your data for specific purposes.
To exercise any of these rights, contact us at hello@shipgrade.dev. We will respond within 30 days.
7. Data Security
All data is transmitted over HTTPS with TLS 1.2+. Authentication credentials are encrypted at rest. Scan results for authenticated scanning use AES-256-GCM encryption for stored credentials. We follow the principle of least privilege for all database access.
8. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page indicates the most recent revision.
9. Contact
For privacy-related questions or requests, contact us at hello@shipgrade.dev.