
Privacy Policy

Effective: Last updated:

Fimil, Inc. (“Fimil,” “we,” “us,” or “our”) provides an application security platform that orchestrates security scanners and an autonomous penetration-testing agent behind a single dashboard (the “Service”). This Privacy Policy explains what information we collect, how we use and share it, and the choices and rights you have. It applies to our website, the application at app.fimil.dev, and related services.

By using the Service you agree to this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy describes our Fimil Cloud (multi-tenant SaaS) offering. Self-hosted Enterprise deployments run in your own infrastructure; in that model you are the controller of the data processed by your deployment, and the data flows described here that involve our servers (hosting, analytics, our LLM keys) do not apply except where you configure them.

1. Information we collect

1.1 Information you provide

  • Account information — your name, email address, and organization (tenant) name.
  • Authentication data — your password (stored only as an Argon2id hash, never in plain text), and, if you enable multi-factor authentication, your TOTP secret and recovery codes (stored encrypted).
  • Profile and preferences — role, notification settings, and other settings you configure.
  • Billing information — your subscription plan and billing contact. Card payments are processed by Stripe; we do not receive or store full card numbers. We store Stripe customer, subscription, and invoice identifiers and invoice metadata (amounts, dates, status).
  • Integration credentials — when you connect a source-code provider (GitHub, GitLab, Bitbucket), cloud account (AWS, Azure, GCP), DAST target, or penetration-test target, we store the associated OAuth tokens, API keys, or login credentials. These are encrypted at rest. For penetration-test targets you may also configure login credentials and a TOTP seed, which are likewise encrypted.
  • Support and sales communications — information you submit through contact forms, demo requests, the waitlist, or support channels (name, email, company, message), together with the IP address of the submission.

1.2 Source code, scan data, and findings

To scan a repository, we clone it into an isolated, ephemeral scan environment and delete the working copy when the scan finishes — we do not retain a full copy of your repository.

However, the findings a scan produces are stored as part of your results so you can review and remediate them. A finding can include an excerpt of the affected code (the file path, line numbers, and a snippet of the relevant code), the matched rule, severity, and any vulnerable dependency, CVE/CWE, and suggested fix. We also store software bills of materials (SBOMs) generated for your repositories.

When you run the autonomous penetration-testing agent against a target you have authorized, we store an immutable audit trail of the agent’s activity — the HTTP requests it made (hashed where appropriate), response status and latency, candidate payloads, evidence, and any out-of-band callbacks received (including the source IP of the callback). This audit data supports reproducibility, billing, and abuse investigation, and is subject to a configurable retention period (see §5).

1.3 Information collected automatically

  • Device and log data — IP address, browser/user-agent, and access times, recorded in security and request logs.
  • Audit logs — security-relevant actions in the Service (logins, token changes, scan and pentest activity, finding status changes, administrative actions) are logged with the actor, tenant, IP address, user-agent, and a request correlation ID.
  • Security telemetry — failed login attempts are recorded with the email, IP address, user-agent, and approximate country, to detect and block brute-force and credential-stuffing attacks.
  • Product analytics — if you consent, we use PostHog to collect curated product-usage events. Analytics are off until you consent and are disabled when your browser sends a Do-Not-Track signal. We disable session recording and autocapture and mask captured text and attributes, so analytics do not record finding contents, repository names, or target hostnames. See our Cookie Policy.

2. How we use information

We use the information we collect to:

  • provide, operate, secure, and maintain the Service;
  • run scans and penetration tests you initiate and deliver the results;
  • generate AI-assisted finding triage, remediation suggestions, and reports (see §4);
  • process subscriptions, billing, and metered usage;
  • send technical, security, and administrative communications;
  • respond to support, sales, and legal requests;
  • detect, prevent, and investigate fraud, abuse, and security incidents; and
  • comply with legal obligations and enforce our agreements.

3. How we share information

We do not sell your personal information. We share information only as described below.

  • Subprocessors and service providers. We use third parties to host and operate the Service (for example, our cloud infrastructure provider, payment processor, email provider, and LLM provider). The current list, including each provider’s role and location, is on our Subprocessors page.
  • AI/LLM processing. See §4.
  • At your direction. When you connect an integration, we exchange data with that provider (for example, posting scan results as checks on your pull requests).
  • Legal and safety. We may disclose information to comply with law, valid legal process, or to protect the rights, safety, and security of Fimil, our users, or the public.
  • Business transfers. Information may be transferred as part of a merger, acquisition, financing, or sale of assets, subject to this Privacy Policy.
  • Aggregated/de-identified data that cannot reasonably identify you.

4. AI and LLM processing

The Service uses large-language-model (LLM) providers to power AI-assisted features — penetration-test agent reasoning, finding triage, remediation suggestions, report generation, and in-app security chat. To provide these features, relevant context is sent to our LLM provider. Depending on the feature this can include code snippets and finding metadata, and, for the penetration-test agent, HTTP response data returned by your authorized target. We apply per-policy runtime redaction to reduce exposure of sensitive values (such as authorization headers) before transmission.

We do not use your source code, findings, or scan data to train machine-learning models — ours or anyone else’s. By default our LLM provider is Anthropic, which under its commercial terms does not use the inputs and outputs of our commercial API usage to train its models. An alternative provider (DigitalOcean Gradient AI) may be configured for self-hosted deployments. This commitment is also reflected in our Master Subscription Agreement.

5. Data retention

  • Account data is retained while your account is active and for a limited period after closure to support reactivation, billing, and legal obligations.
  • Scan results and findings are retained for the life of the account so you can track remediation, unless you delete them sooner.
  • Penetration-test audit data (HTTP attempts and out-of-band hits) is retained according to the per-policy retention period (default 365 days, configurable shorter), after which it is permanently purged.
  • Audit logs and security telemetry are retained as needed for security, fraud prevention, and legal compliance.
  • Billing records are retained as required by tax and accounting law.

Following account termination, we delete or anonymize your customer content within 30 days, except where longer retention is required by law. Penetration-test audit data is the one exception to the 30-day window: it follows the per-policy retention period above (365 days by default) so your test results remain reviewable, and is then permanently purged.

6. Your rights and choices

Depending on your location you may have rights to access, correct, delete, restrict, or object to the processing of your personal information, to data portability, and to withdraw consent.

We provide tooling to support these requests: an authenticated data export that returns the personal information we hold about a user, and an erasure process that deletes a user’s tokens and preferences and anonymizes the user record. Note that, to preserve a tamper-evident security record, erasure detaches your identity from historical audit-log and security entries (by nulling the user reference) rather than deleting those entries.

To exercise your rights, contact privacy@fimil.dev. We respond within the time required by applicable law (generally within 30 days). We will not discriminate against you for exercising your rights.

7. Internal and support access

Authorized Fimil personnel may access account data to operate the Service and provide support. Our internal operator tooling can, for support purposes, act on behalf of (impersonate) a user; all such access is restricted, time-limited, and recorded in our audit logs.

8. International data transfers and data location

The Service is hosted in the United States (DigitalOcean, San Francisco region). If you access the Service from outside the United States, your information will be transferred to and processed in the United States. For transfers of personal data from the EEA, the United Kingdom, or Switzerland, we make Standard Contractual Clauses available as part of our Data Processing Agreement.

9. Security

We implement technical and organizational measures to protect your information, including encryption in transit (TLS 1.2+), encryption at rest (managed-database encryption plus application-layer encryption of sensitive fields such as integration tokens, credentials, and MFA secrets), role-based access control, multi-factor authentication, network isolation of scanner workloads, runtime monitoring, and audit logging. See our Security Overview. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Children’s privacy

The Service is intended for business use and is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

11. California privacy rights (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, to request deletion or correction, and to be free from discrimination for exercising your rights. We do not sell or “share” (as defined under the CPRA) your personal information. To exercise these rights, contact privacy@fimil.dev.

12. European/UK data protection (GDPR)

Where the GDPR or UK GDPR applies, our legal bases for processing are: performance of our contract with you; our legitimate interests in operating and securing the Service (balanced against your rights); your consent (for example, analytics cookies); and compliance with legal obligations. You may lodge a complaint with your supervisory authority. Where we act as a processor on your behalf, our Data Processing Agreement governs that processing.

EU/UK representative. Where we are required under Article 27 of the EU GDPR or UK GDPR to designate a representative in the EU or UK, our representative and its contact details are: [EU/UK representative — to be appointed]. Until a representative is appointed, EU and UK data subjects may contact us directly at dpo@fimil.dev.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. For material changes we will provide notice through the Service or by email before they take effect. The “Last updated” date above reflects the most recent revision.

14. Contact us

  • General privacy inquiries: privacy@fimil.dev
  • Data Protection Officer: Ethan Aldrich, dpo@fimil.dev
  • Fimil, Inc., 2093 Philadelphia Pike, Suite #2016, Claymont, DE 19703, USA