Privacy Policy
Last updated: May 29, 2026
The Short Version
The Preflight CLI runs locally on your machine. We don't collect your code, we don't see your secrets, and we don't track what you scan. The optional dashboard at app.preflight.sh requires an account and processes a limited amount of data, described below. Everything else stays yours.
The CLI: What We Don't Collect
When you run Preflight from the command line or in CI, it runs entirely on your machine. We never receive:
- Your source code
- Your environment variables or secrets
- Your scan results (unless you choose to publish them, see below)
- Any other data from your projects
The Dashboard & Your Account
If you create an account and use the dashboard, we store the data needed to provide it:
- Your email address and a securely hashed password (or details from your sign-in provider).
- Runs you explicitly publish with
--publish. We receive only a redacted summary: check IDs, pass/warn/fail statuses, and finding messages. We do not receive your source code, file contents, or secret values. - AI fix suggestions generated for your published runs, stored so you don't have to regenerate them.
Publishing is always opt-in. If you never log in or never pass --publish, none of this leaves your machine.
Payments
Paid plans are processed by Stripe. We do not see or store your full card number or other sensitive payment details. Stripe handles that directly and securely under its own privacy policy. We retain limited billing information such as your Stripe customer and subscription identifiers, your plan and its status, and your billing email, so we can manage your subscription.
AI Providers
When you generate a fix suggestion using our hosted AI, the redacted findings for that check are sent to our AI provider (OpenAI or Anthropic) to produce the suggestion. They process it under their own policies and do not use API data to train their models. If you supply your own API key, requests go to that provider under your own account and billing.
Website Analytics
On this website (preflight.sh), we use privacy-focused analytics to understand how people find and use our site. This data is aggregated and anonymous. We can't identify individual visitors.
Cookies
This website uses minimal cookies for essential functionality like remembering your dark mode preference. The dashboard uses cookies to keep you signed in and to protect against cross-site request forgery. We don't use tracking cookies or third-party advertising cookies.
Data Retention & Deletion
We keep account and published-run data for as long as your account is active. You can delete your published runs at any time from the dashboard, and you can ask us to delete your account and associated data by emailing hello@preflight.sh. Some billing records may be retained where required for legal or accounting purposes.
Third-Party Services
When you install Preflight.sh via package managers (npm, Homebrew, etc.) or container registries (Docker, GitHub Container Registry), those services have their own privacy policies that apply to your use of their platforms. The dashboard relies on Stripe (payments) and OpenAI or Anthropic (AI suggestions), each governed by its own policy.
Contact
Questions about privacy? Email us at hello@preflight.sh.
Changes
If we change how we handle data, we'll update this page and the date above. Our approach stays simple: your code is your business, and we collect only what's needed to run the parts of the service you opt into.