Privacy Policy
What we collect
When you connect TerraWatch to your GitHub account and use the service, we collect the following information:
- GitHub identity — your GitHub username, display name, and email address, obtained via GitHub OAuth.
- Repository names — the names of repositories where you have installed the TerraWatch GitHub App, so we can scope scan results to your account.
- Pull request metadata — PR number, title, author, branch names, and commit SHAs. This is used to associate scan results with the correct pull request.
- Scan findings — the rule ID, severity, file name, and line number for each security finding we detect. This is the core data that powers your security dashboard.
What we do not collect
We never store your source code. Terraform file contents are loaded into memory for scanning, then immediately discarded. Nothing is written to disk or persisted in any database.
- We do not store or log the contents of any .tf file.
- We do not train any machine learning models on your infrastructure code or scan results.
- We do not sell your data to third parties.
- We do not use your data for advertising purposes.
How we use your data
We use the data we collect solely to provide and improve the TerraWatch service:
- To authenticate you and associate your GitHub account with your TerraWatch account.
- To display scan findings on your security dashboard.
- To post bot comments on pull requests with findings and suggested fixes.
- To send transactional emails (e.g. billing confirmations) if you are on a paid plan.
We do not use your data for any purpose beyond operating the service you have signed up for.
Third parties
TerraWatch relies on the following sub-processors to operate:
- GitHub — we interact with the GitHub API to receive webhook events, read PR diffs, and post check results and comments. Subject to GitHub's Privacy Statement.
- Supabase — we use Supabase (EU region) as our database to store account information and scan findings metadata. No source code is stored here.
- Railway — our application is hosted on Railway (EU region). Terraform file contents pass through Railway memory during scanning but are never persisted.
Data retention
Scan findings and account data are retained for as long as you have an active TerraWatch account. If you delete your account, all associated data — including findings, repository associations, and your GitHub identity — is permanently deleted within 30 days.
To delete your account, email hello@terrawatch.dev from the address associated with your GitHub account.
GDPR rights
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may ask us to correct inaccurate data.
- Right to erasure — you may request deletion of all your personal data.
- Right to portability — you may request your data in a machine-readable format.
- Right to object — you may object to our processing of your data.
To exercise any of these rights, contact us at hello@terrawatch.dev. We will respond within 30 days.
Contact
Questions about this privacy policy or how we handle your data? Reach us at hello@terrawatch.dev. We aim to respond to all privacy enquiries within 48 hours.