Privacy Policy

When you inspect a public repository, SlopCop collects the GitHub, GitLab, or Bitbucket repository URL you submit, scan status, generated findings, logs, report output, and operational metadata needed to run and display the case.

When a Brokk-backed scan fails, SlopCop may retain a bounded executor debug-log excerpt for administrator-only troubleshooting. These debug artifacts are not shown on public or private case pages.

When you use the GitHub App flow for private repositories, SlopCop receives GitHub account and installation information needed to verify that you can access the selected repository. SlopCop stores sanitized repository metadata and requester information so private scan artifacts can be protected after creation.

If you request an email notification, SlopCop stores the email address long enough to deliver or attempt to deliver the completed-report notification. Administrators may also store email addresses for public scan failure alerts until those recipients are removed. The application may store masked versions of those addresses for status and audit purposes.

If a reader disputes a completed report, SlopCop stores that disagreement submission with the scan, including any optional note the reader leaves.

If you submit a Night Shift arcade score, SlopCop stores the three-character initials you enter, score timing, collected powerup totals, and run validation metadata needed to operate the leaderboard.

For public scans, SlopCop clones the public GitHub, GitLab, or Bitbucket repository URL you provide. For private scans, SlopCop uses the GitHub App installation selected by the signed-in user and mints a short-lived installation token immediately before clone time.

Browser-supplied GitHub user tokens are not sent to the Rust scan backend for cloning. Private clone credentials are created server-side, used for the requested scan, and are not intentionally stored in the database.

We use scan data to clone repositories, run the configured analysis engine, generate findings, display case progress, prepare final reports, send requested email notifications, send administrator-configured public scan failure alerts, and operate public Most Wanted pages when you choose to publish a scan.

We may use aggregated operational information, such as scan counts, errors, and performance metrics, to maintain and improve SlopCop. We do not use private repository contents to train models unless a separate written agreement says otherwise.

Public scan result URLs are intentionally shareable by scan ID. If you publish a scan to Most Wanted, the score, verdict, report excerpts, file paths, code references, repository identity, and related case details may become publicly visible.

Night Shift leaderboard entries are public within the case-page arcade widget and display the submitted initials, score, survival time, bonus time, and powerup totals.

Private repository scans require an additional acknowledgement before publishing. Publishing a private scan can make information about a private repository visible to anyone with the published URL, including search engines.

Unpublished private scan artifacts may be automatically scrubbed after the configured retention period. The default product behavior is to remove unpublished private scan contents after a limited period, while retaining a tombstone record needed to show that the case was deleted.

Scans of public repositories are not part of automatic deletion. Manual deletion and administrator removal paths may still apply where supported.

Administrator-only per-scan debug artifacts may be retained for a limited troubleshooting window and may be pruned separately from public scan history.

Scrubbing a scan removes report contents, logs, findings, per-scan debug artifacts, email notification records, live disagreement records, and repository details associated with that scan. Published entries may remain available unless removed by an administrator or a separate removal process.

When an unpublished private scan is scrubbed or deleted, a disagreement note may be retained in a detached administrator-only record so operators can review the challenge without keeping the private repository identity attached to that note.

SlopCop may use third-party providers such as GitHub for repository access and authentication, SendGrid or another configured mail provider for notifications, hosting providers for application infrastructure, and model providers configured for the analysis engine.

Those providers process information only as needed to deliver the service features they support, subject to their own terms and privacy commitments.

SlopCop uses session cookies and similar local storage mechanisms to keep users signed in, protect private scan routes, remember local case state, and support the GitHub App flow. Disabling cookies may prevent private repository scans and session-protected features from working.

For privacy questions or deletion requests, contact [email protected]. Include enough case or repository information for us to locate the relevant records without sending secrets or access tokens.