Privacy Policy

Last updated: 8 May 2026 · Effective immediately

This privacy policy explains how CRA Shield ("we", "us", "our") collects, uses, and protects personal data when you use our website at cra-shield.com and our application at app.cra-shield.com. We follow the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

Short version: we only collect what we need to run the service (your email, your apps' classification & assessment data, dependency files you upload), we never sell your data, we host on Cloudflare in the EU, and you can delete your account at any time by emailing [email protected].

1. Who is the data controller

CRA Shield is the controller of your personal data within the meaning of Article 4(7) GDPR. For privacy questions, data subject requests, or to contact our data protection contact, write to [email protected].

2. What data we collect and why

Category	Data	Purpose	Lawful basis (Art. 6)
Account	Email, display name, avatar URL, OAuth provider ID (Google or GitHub)	Authenticate you, provide the service	Contract performance, 6(1)(b)
Session	Session token (HttpOnly cookie), IP address (for rate-limit + abuse prevention only)	Keep you signed in, prevent abuse	Legitimate interest, 6(1)(f)
Application data	App names, classification answers, assessment notes, uploaded dependency files (SBOM source)	Deliver the compliance toolkit	Contract performance, 6(1)(b)
Billing	Stripe customer ID, plan, subscription status. We never see your card.	Process payments and manage subscriptions	Contract performance, 6(1)(b)
Logs	Aggregate request logs (path, status, duration, IP). Retained ~30 days.	Operate the service, debug, security monitoring	Legitimate interest, 6(1)(f)

We do not use tracking cookies, advertising pixels, or third-party analytics. The only cookies set are session and CSRF cookies strictly necessary for the service to function.

3. Sub-processors and where data is stored

We use the following sub-processors, each with their own GDPR posture and Standard Contractual Clauses where applicable:

Sub-processor	Purpose	Region
Cloudflare, Inc.	Hosting (Workers, Pages), database (D1), object storage (R2), session store (KV), CDN, DDoS	EU (primary region)
Stripe Payments Europe, Ltd.	Payment processing	EU / global
Google Ireland Ltd.	OAuth sign-in (only if you choose Google)	EU / global
GitHub, Inc.	OAuth sign-in (only if you choose GitHub)	USA (with SCCs)
OSV.dev (Google)	Public vulnerability database queried with package name + version (no personal data)	USA
Resend, Inc.	Transactional email (sign-in links, vulnerability alerts)	USA (with SCCs)

4. International transfers

Where a sub-processor is based outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) and supplementary technical measures including TLS-in-transit and at-rest encryption. We do not transfer data to jurisdictions without adequate protection beyond these mechanisms.

5. Retention

Account & application data — kept until you delete your account, then removed within 30 days.
Backups — included in our database backups for up to 35 days, then permanently purged.
Sign-in tokens (magic links) — 15 minutes maximum, single-use.
Sessions — 7 days, refreshed on use.
Operational logs — ~30 days.
Billing records — retained for 10 years to comply with EU tax / accounting obligations (Article 6(1)(c)).

6. Your GDPR rights

Under Articles 15-22 GDPR you have the right to:

Access — request a copy of the data we hold on you.
Rectification — correct inaccurate data.
Erasure ("right to be forgotten") — delete your account and all associated data.
Restriction — ask us to limit processing while a dispute is resolved.
Portability — receive your data in a machine-readable format (JSON export available on request).
Object — opt out of processing based on legitimate interest.
Withdraw consent — where processing relies on consent, withdraw it at any time.
Lodge a complaint — with your national supervisory authority. A list is available at edpb.europa.eu.

To exercise any of these rights, email [email protected]. We respond within one month (Article 12(3)).

7. Security

We follow industry-standard practices, including:

TLS 1.3 for all traffic, HSTS with includeSubDomains.
HttpOnly, Secure, SameSite=Lax session cookies. No client-side storage of credentials.
Parameterised SQL only (no string-concatenated queries).
OAuth-only or magic-link authentication. No passwords stored.
Audit log of all administrative actions.
Encryption at rest provided by Cloudflare D1 and R2.

8. Data breach notification

If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Article 33) and, where the risk is high, notify affected users without undue delay (Article 34).

9. Children

CRA Shield is intended for use by software developers and businesses. We do not knowingly collect personal data from children under 16. If you believe a child has provided data to us, please contact [email protected] and we will delete it.

10. Changes to this policy

We will update the "Last updated" date at the top of this page when material changes are made and, where the change is significant, notify users by email. Continued use of the service after the effective date constitutes acceptance of the revised policy.

11. Contact

Privacy questions and data subject requests: [email protected]
Security issues: [email protected]
General contact: [email protected]

CRA Shield is a compliance toolkit, not legal advice. This privacy policy describes how we handle your personal data; it is not a substitute for professional advice on your own GDPR or CRA obligations as a software vendor.