Privacy Policy

Greywatch (the CLI tool)

Greywatch runs entirely on your machine. It does not phone home, collect telemetry, or transmit any data. No analytics, no crash reports, no usage tracking. The activity it records stays local to your machine.

This website (greywatch.co)

The Greywatch landing page is a static site hosted on Vercel. We do not use cookies, analytics scripts, or tracking pixels. Vercel may collect minimal server logs (IP address, user agent, timestamp) as part of standard web hosting. See Vercel's privacy policy for details.

Greyscan

When you use Greyscan at /greyscan, the following happens:

• Your browser fetches the public file tree, dependency list, and README from GitHub's API directly. This data never passes through our servers during collection.
• To generate the threat report, a summary of the repo structure (file names, detected stack, dependency names, and up to 8,000 characters of the README) is sent to our server and forwarded to a third-party LLM provider for analysis.
• Results are cached in server memory for up to 24 hours to avoid redundant LLM calls for the same repository, then discarded. We do not persist scan results to disk or a database.
• No repository source code is read or transmitted. Only file paths, dependency names, and the public README are included.

Third-party services

• GitHub API. Greyscan calls the GitHub REST API from your browser to fetch public repository metadata. Subject to GitHub's privacy statement.
• LLM provider. Repo summaries sent through Greyscan are processed by a third-party LLM to generate threat reports. The provider may retain data per their own policies.
• Vercel. Hosting infrastructure. See Vercel's privacy policy.

Security

If you discover a security issue in Greywatch or this website, please report it to us at greyhaven.co/contact. We will respond promptly.

Contact

For questions about this policy, reach us at greyhaven.co/contact.