Privacy Policy

redbotbluebot.com is a property of SaaSaaS LLC (Washington). This page describes what data we collect, where it lives, and how to get it removed. Last updated: 2026-05-19.

What we collect

When you sign in with GitHub OAuth we receive:

  • Your GitHub user id, login, display name, email, and avatar URL.
  • An OAuth access token scoped to the repos you grant. We use this to clone the repo for audit.

For each audit run we store in our database:

  • The repository's full name, branch, and commit SHA audited.
  • The findings RedBot and BlueBot produced (CWE, severity, file path + line, mitigation, adversary score, cartoon panel).
  • The commit metadata for each finding's "introduced by" attribution (SHA, date, author, message).

What we fetch — and what we drop

To audit your code we have to read your source files. We fetch them via the GitHub Contents API at audit time, send relevant slices to the AI providers (Anthropic + xAI), and discard the raw source after the audit finishes. We keep only:

  • The findings (with file paths + line numbers, but not the surrounding code blobs).
  • Short code snippets quoted directly in a finding's description (typically <20 lines).
  • Commit metadata for attribution.

If your repo has files you'd rather not share with an AI provider — secrets, customer data, proprietary algorithms — don't audit it through us, or audit it on a sanitized fork. Provider-side retention is governed by their own policies (Anthropic 30-day Trust & Safety, xAI similar).

Where it's stored

  • Cloudflare D1 (Washington, US) — accounts, audit runs, findings, scores.
  • Cloudflare R2 (us-east) — generated cartoon JPEGs + final HTML reports.
  • Cloudflare Workers + Pages — the application. Logs retained 7 days.

Third parties

  • Anthropic + xAI — for AI rendering. RedBot and BlueBot prompts plus code slices go here.
  • Stripe — for billing. Email + price ID; card details stay with Stripe.
  • GitHub — we call the GitHub API on every audit to read the latest tree.

Deletion + export

Delete an audit run from your dashboard and we cascade-drop all its findings, scores, cartoons, and the final report from D1 + R2. Whole-account deletion is by email request.

Contact

Questions: seansp@saasaas.llc.