Privacy Policy
Last updated 21 June 2026
This policy explains what Wardrail (Ghostables Ltd) collects, why, and the control you have. We are the data controller for your account data.
What we collect
- Account — your name, email, and a hashed password (or your better-auth session).
- Projects — repository names, branches, your committed “contract” (guardrails), scan findings, verdicts, the trust ledger, and an audit log.
- Billing — handled by Stripe. We store your Stripe customer/subscription IDs and plan, never your card details.
- Operational — basic logs and error reports needed to run the Service securely.
What we deliberately do NOT collect
- Your model provider API key. It is encrypted in your browser’s zero-knowledge vault. We never receive it in usable form and cannot decrypt it.
- Your source code. Repository access is read-only and used to produce findings; we do not store your code, only the analysis results you see.
- Your AI prompts/responses. Those calls go from your browser (or CI) directly to your model provider — never through us.
Why we use it
To provide the Service, secure your account, process payments, and communicate essential service messages. We do not sell your data or use it for advertising.
Processors we rely on
- Hosting — our cloud/VPS provider (EU/UK region).
- Stripe — payments.
- Email — a transactional email provider for sign-in and account messages.
- GitHub — to read repositories you explicitly connect.
Retention
We keep account and project data while your account is active. The audit log is append-only and may be retained as a governance record. When you delete your account, we remove your personal data and projects, except where we must keep limited records (e.g. invoices) to meet legal obligations.
Your rights
Under UK/EU GDPR you can access, correct, export, or erase your data, and object to or restrict processing. You can export your data and delete your account yourself from the dashboard, or email privacy@wardrail.io. You may also complain to the UK ICO.
Security
Data is encrypted in transit (TLS). The vault uses client-side encryption so secrets never reach our servers. We apply least-privilege access and keep the attack surface small. No system is perfectly secure; we’ll notify affected users of any breach as required by law.
Changes
We’ll post updates here and notify you of material changes.
Wardrail is a product of Ghostables Ltd. Questions: legal@wardrail.io. This document is a plain-language summary and does not replace legal advice.