Customer Privacy Policy

Effective Date: October 4, 2025

Sherlock ("We," "Us," or "Our") is committed to protecting your privacy. This Privacy Policy explains how Sherlock collects, uses, discloses, and safeguards your information when you use our website, our services including collaborative audits, audit contests, bug bounties, and our AI audit product ("Sherlock AI"), or otherwise interact with us. By accessing or using our Services, you agree to this Privacy Policy.

If you are a resident of the European Economic Area (EEA), United Kingdom (UK), or California, you may have additional rights under applicable data protection laws such as the General Data Protection Regulation (GDPR), UK GDPR, or California Consumer Privacy Act (CCPA). We act as a data processor for certain data related to our Services, particularly code and repository data accessed via Sherlock AI.

Key Points:

  • We prioritize data security: Your code and personal information are handled with enterprise-grade protections, including encryption and access controls. We do not use your proprietary code for AI training without explicit consent.

  • Limited data collection: We collect only what's necessary for providing Services, such as account details, usage data, and code snippets for vulnerability disclosures.

  • No unnecessary sharing: Data is shared only with authorized service providers or as required by law; we do not sell your data.

  • Enterprise considerations: For large organizations, we offer data processing agreements (DPAs), support for GDPR/CCPA compliance, and options for data residency. Research suggests that tools like ours must balance innovation with privacy, and we lean toward strict controls to build trust.

  • User rights emphasized: You can access, delete, or opt out of certain processing; however, evidence from industry guides indicates that complete data anonymity in AI tools is challenging, so we provide transparent opt-outs where possible.

What Information We Collect

We collect personal data (e.g., name, email, IP address) when you create an account or contact us, and non-personal data like code snippets and vulnerability reports during audits. For Sherlock AI, we access GitHub repositories with your permission to scan pull requests (PRs) for vulnerabilities, but we do not store your code except snippets needed in vulnerability reports.

How We Use Your Information

Data is used to deliver Services, improve security insights, and comply with legal obligations. For AI audits, a proprietary codebase is analyzed in real-time but not stored long-term.

Your Privacy Choices

Request access or deletion via [email protected]. CCPA residents: We do not sell personal information.


This Privacy Policy ("Policy") describes our practices regarding the collection, use, disclosure, and protection of information when you use our Services. Please read it carefully. If you do not agree, do not use our Services.

1. Interpretation and Definitions

Interpretation

Capitalized terms have the meanings defined below, applicable in singular or plural.

Definitions

  • Account: A unique profile for accessing our Services.

  • Company: Sherlock, operating under DeFi Risk Management Foundation, located at Dresdner Tower, 11th Floor 50th St. and 55th East Street, Panama City, Panama 00000.

  • Cookies: Small files tracking browsing activity.

  • Device: Any tool accessing our Services (e.g., computer, mobile).

  • Personal Data: Information identifying an individual (e.g., name, email).

  • Services: Our website, audits, contests, bounties, and Sherlock AI.

  • Usage Data: Automatically collected data (e.g., IP address, visit duration).

  • You: The individual or entity using our Services.

2. Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

We may collect:

  • Email, name, and contact details for account creation and communication.

  • Payment information (processed via third-party providers like Stripe).

  • GitHub authentication data when integrating Sherlock AI.

Usage Data

Automatically collected:

  • IP address, browser type, pages visited, time spent.

  • For mobile access: Device ID, OS, browser.

Code and Repository Data (Non-Personal but Sensitive)

For Sherlock AI and audits:

  • Code snippets for vulnerability reports.

  • Vulnerability findings and metadata. This data is treated as confidential and processed only for security analysis. We do not collect data from full repositories unless authorized.

Data from Third-Party Services

  • GitHub integration: We receive repo access tokens, usernames, and metadata per your permissions.

  • Social logins (e.g., Google): Name, email.

Tracking Technologies and Cookies

We use:

  • Essential Cookies: For authentication and functionality.

  • Performance Cookies: To analyze usage.

  • You can manage cookies via browser settings.

3. Use of Your Personal Data

We use data for:

  • Providing Services: Conducting audits, running AI reviews, reporting vulnerabilities.

  • Account management: Registration, support.

  • Performance of contracts: Fulfilling audit or bounty agreements.

  • Communications: Updates, security alerts (opt-out available).

  • Compliance: Legal obligations, dispute resolution.

  • For Sherlock AI: Real-time analysis of PRs to detect vulnerabilities; no long-term storage of code.

We do not use your proprietary code to train AI models unless you explicitly opt-in via enterprise agreements.

4. Sharing of Your Personal Data

We share data:

  • With Service Providers: For hosting (e.g., AWS), analytics (e.g., Google), under strict confidentiality.

  • Affiliates: For internal operations, bound by this Policy.

  • Business Partners: For joint services, with your consent.

  • In Business Transfers: During mergers/acquisitions.

  • With Your Consent: For other purposes.

  • For Legal Reasons: To comply with laws, protect rights, or respond to authorities.

We do not sell Personal Data. For enterprises, we offer DPAs outlining processor responsibilities.

Sharing Scenario     Recipients                        Purpose
-------------------  --------------------------------  --------------------
Service Providers    Cloud hosts, payment processors   Operational support
Legal Compliance     Government agencies               As required by law
Business Transfers   Acquirers                         Asset evaluation

5. Retention of Your Personal Data

  • Personal Data: Retained as needed for Services, legal compliance (e.g., 7 years for financial records).

  • Code Data: Not stored except in code snippets used in vulnerability reports, unless retained for audits with consent.

  • Usage Data: Retained for 12 months for analytics.

6. Transfer of Your Personal Data

Data may be processed outside your jurisdiction (e.g., US servers). We use Standard Contractual Clauses (SCCs) for EEA/UK transfers and ensure equivalent protections.

7. Security of Your Personal Data

We employ encryption and access controls. However, no system is 100% secure. For Sherlock AI, proprietary code is not collected and access is limited to authorized personnel.

8. Your Privacy Rights

  • Access, correct, or delete your data.

  • Opt-out of marketing or certain processing.

  • GDPR/CCPA Rights: Object to processing, request portability, non-discrimination. Contact: [email protected]. We respond within 30 days (45 for CCPA).

For California Residents:

  • Categories Collected: Identifiers, commercial info, internet activity.

  • Sources: Directly from you, GitHub.

  • Disclosures: To providers for business purposes.

  • No sales in past 12 months.

9. Children's Privacy

Our Services are not intended for individuals under 18; we do not knowingly collect data from children.

We are not responsible for third-party privacy practices (e.g., GitHub).

11. Changes to This Privacy Policy

Updates will be posted here with a revised "Last Updated" date. Significant changes will be notified via email.

12. Contact Us

Questions? Email [email protected].

Last Updated: October 4, 2025