Privacy Policy
Last updated: March 14, 2026
1. Who we are
Gerion ("Gerion", "we", "our") operates the Application Security Posture Management (ASPM) platform available at gerion.dev. This Privacy Policy describes how we collect, use, store, and protect the personal data of people who access our web platform, use our SaaS services, or download and run the Gerion CLI.
The data controller is Gerion, reachable at privacy@gerion.dev.
2. Data we collect
We collect only the data necessary to provide the service:
- Account data: name, email address, organization name, and password (stored as a hash — never in plain text).
- Finding data: for each detected vulnerability or issue — severity, scanner type, file path, line number, the rule message, a code context snippet (the relevant lines around the issue), and a suggested fix where available. For secret findings, the secret value is transmitted redacted (e.g., ABC123...[REDACTED]...XYZ789); the full token never reaches our servers.
- Git and CI/CD metadata: branch name, commit hash, and commit author. Additionally, system environment variables exposed by the CI/CD platform to identify the workflow context: repository URL, pipeline ID, job name, workflow name (e.g. GITHUB_REPOSITORY, GITHUB_REF, CI_PIPELINE_URL, BUILD_URL). User-defined environment variables and application secrets are not collected.
- Financial impact: metrics calculated by the platform (Technical Debt in €, Realized Savings) derived from the finding data above.
- Usage data: activity logs on the platform (pages visited, filters applied, reports generated), CLI execution timestamps, and number of repositories scanned.
- Technical data: IP address, browser type, operating system, and CLI version. Used exclusively for technical diagnostics and security.
- Billing data: for paying customers — name, billing contact details, and the last four digits of the payment method. Full card data is handled exclusively by our payment provider (Stripe) and never passes through our servers.
3. What we do not collect
By design, the Gerion CLI runs all scanners inside your own CI/CD infrastructure. Complete source files are never transmitted to Gerion. The distinction is the same as receiving "SQL Injection at src/api/users.py:47" versus receiving the entire file.
Gerion never receives, stores, or processes: complete source files, your repository tree, user-defined environment variables, configuration files containing secrets in plain text, or any other codebase content beyond the finding context snippet described in the section above.
4. Third-party scanner telemetry
The Gerion CLI orchestrates four independent open-source tools: Opengrep, OSV-Scanner, Gitleaks, and KICS. These tools run inside your own infrastructure, but may independently collect and transmit their own telemetry — outside of Gerion's control and beyond the scope of this Privacy Policy.
Gerion does not control, access, or bear responsibility for any telemetry these tools may send to their respective maintainers. We recommend reviewing each project's privacy policy if you operate in environments with strict network egress restrictions:
- Opengrep — community fork of Semgrep
- OSV-Scanner — Google Open Source Security
- Gitleaks
- KICS — Checkmarx
If you need to disable telemetry for any of these tools, refer to their official documentation. The Gerion CLI does not add any telemetry of its own beyond what these tools may collect independently.
5. How we use your data
We use collected data for the following purposes:
- Service delivery: processing and displaying security findings, calculating financial impact, and generating dashboards and reports.
- Account management: authentication, subscription management, and service-related communications (payment confirmations, renewal notices, account security alerts).
- Technical support: diagnosing issues when a user requests assistance.
- Service improvement: aggregated and anonymized usage analysis to improve the platform. Individual finding data is never used for this purpose.
- Security and fraud prevention: detecting unauthorized access and abusive use of the platform.
- Legal compliance: retaining data to the extent required by applicable law.
6. Legal basis for processing (GDPR)
Processing of your personal data is based on the following legal grounds under Article 6 of the General Data Protection Regulation (GDPR):
- Contract performance (Art. 6.1.b): account and scan data are necessary to deliver the contracted service.
- Legitimate interests (Art. 6.1.f): technical and usage data for platform diagnostics, security, and service improvement, provided your fundamental rights do not override those interests.
- Legal obligation (Art. 6.1.c): retention of billing records and compliance with legal or regulatory requirements.
- Consent (Art. 6.1.a): for marketing communications, where applicable. You may withdraw consent at any time.
7. Data retention
- Active account data: for the duration the account remains active.
- Scan data (findings): for the duration of the subscription plus 90 days after cancellation, to allow data export.
- Activity logs: 12 months from generation.
- Billing records: 7 years, as required by Spanish tax law.
- After the above periods expire, data is securely deleted or irreversibly anonymized.
8. Data sharing and subprocessors
We do not sell or rent your personal data to third parties. We may share data with the following subprocessors, all operating under GDPR-compliant data processing agreements:
- Cloud infrastructure: servers and storage hosted within the European Union.
- Payment processing: Stripe, Inc. — billing data only, to the extent necessary for payment processing.
- Support: customer support ticketing tools, with access limited to the minimum data required to resolve the issue.
- Monitoring and error tracking: observability tools for detecting technical failures, with no access to findings data.
We may disclose personal data to public authorities when required by law or court order, notifying the user to the extent permitted by law.
9. International data transfers
All platform data is stored and processed on servers located within the European Union. If any subprocessor requires a transfer outside the European Economic Area, we will ensure that appropriate safeguards under the GDPR are in place (standard contractual clauses or equivalent mechanism).
10. Security
We apply appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration. These include:
- Encryption in transit (TLS 1.2 or higher) and at rest.
- Multi-factor authentication (MFA) available for all accounts.
- Role-based access control within the platform.
- Regular security audits and vulnerability scanning.
- Incident management policy with supervisory authority notification within GDPR-mandated timeframes (72 hours).
11. Your rights under GDPR
Under the GDPR, you have the following rights over your personal data:
- Access: obtain confirmation of whether we process your data and receive a copy.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your data when it is no longer necessary or you withdraw consent.
- Restriction: request that we suspend processing of your data in certain circumstances.
- Portability: receive your data in a structured, commonly used, machine-readable format.
- Objection: object to processing based on legitimate interests.
- No automated decisions: we do not make decisions with legal effects based solely on automated processing.
To exercise any of these rights, contact us at privacy@gerion.dev. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD) at aepd.es.
12. Cookies
We use strictly necessary cookies for service functionality (user session, language and theme preferences). We do not use third-party tracking cookies or behavioral advertising. You can configure your browser to reject cookies, though this may affect platform functionality.
13. Minors
The service is intended for professional users and is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If we discover that we have inadvertently collected data from a minor, we will delete it without delay.
14. Changes to this policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you by email or through a prominent notice on the platform at least 30 days in advance. The "Last updated" date at the top of this document always reflects the current version.
15. Contact
For any privacy-related inquiries or to exercise your data rights:
- Email: privacy@gerion.dev
- Web: gerion.dev