Last updated: March 18, 2026
DepTools SAS ("DepTools", "we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect when you use deptools.io, why we collect it, how we process it, and what rights you have under the General Data Protection Regulation (GDPR) and applicable French law.
By creating an account or using our services, you acknowledge that you have read and understood this policy.
Data controller
DepTools SAS
84 rue de Buzenval, 75020 Paris, France
Privacy contact
privacy@deptools.io
Supervisory authority
CNIL (Commission Nationale de l'Informatique et des Libertés)
Hosting
OVH SAS — Gravelines (GRA), France
When you register with an email and password, we collect:
When you sign in or link your account via GitHub, we receive and store:
Requested OAuth scopes: read:user, user:email, read:org
Pro plan users connect their GitHub organization via our GitHub App, which grants DepTools access to private repositories. The GitHub App requests the following permissions:
Repository contents: read — to read dependency manifest files (e.g. package.json, pom.xml, Cargo.toml, etc.)
Repository metadata: read — to access repository name, visibility, and default branch
Organization members: read — to verify organization membership during setup
We do not access source code beyond dependency manifest files. GitHub App access can be revoked at any time from your GitHub organization settings.
To provide our dependency analysis service, we access and store:
package.json, pom.xml, Cargo.toml, etc.)
Analysis results are stored as JSON files on our OVH server in Gravelines, France. We do not access your source code beyond the dependency manifest files required to perform the analysis.
The visibility of a project on DepTools mirrors its visibility on GitHub: analysis dashboards for public GitHub repositories are accessible without authentication to any visitor of deptools.io. Private repositories are never exposed publicly.
Payment processing and invoicing are handled entirely by Lemon Squeezy, which acts as the merchant of record. We do not store your credit card information and we do not manage invoices. We only store the minimum subscription metadata needed to determine your plan access:
For invoices, payment history, and billing records, please refer directly to your Lemon Squeezy customer portal.
Our server and application may generate standard technical logs including:
We do not use tracking cookies. We store the following data in your browser's localStorage to keep you authenticated and to remember your preferences:
| Key | Purpose | Duration |
|---|---|---|
| access_token | Authenticates your API requests (JWT) | Session |
| refresh_token | Renews your session without re-login (JWT) | 31 days |
| user | Caches basic profile info (email, ID) | Session |
| organizations | Caches the list of organizations you belong to | Session |
| selected_org_slug | Remembers your last selected organization | Persistent |
| nuxt-color-mode | Stores your light/dark theme preference | Persistent |
A short-lived httpOnly cookie (github_link_user_id) is temporarily set during the GitHub account linking flow only. It expires after 10 minutes and is not used for tracking.
Under GDPR (Article 6), we process your data under the following legal bases:
Contract performance (Art. 6.1.b)
Account information, GitHub data, repository data, and scan logs — necessary to provide the dependency analysis service you signed up for.
Legitimate interest (Art. 6.1.f)
Technical logs and error monitoring — used to ensure service security, stability, and to investigate incidents.
We share data with the following third parties only to the extent necessary to provide our service:
GitHub (GitHub, Inc.)
OAuth & App
Used for user authentication and repository access. Data shared includes your GitHub user ID and OAuth tokens. GitHub's privacy policy applies to data processed on their platform.
GitHub Privacy Policy →
Lemon Squeezy (Lemon Squeezy, LLC)
Payment
Used to process subscription payments. Your email address and subscription details are shared with Lemon Squeezy. We never receive or store your payment card data.
Lemon Squeezy Privacy Policy →
OVH SAS
Hosting
Our servers and all stored data are hosted exclusively on OVH infrastructure located in Gravelines (GRA), France.
GitHub Inc. and Lemon Squeezy LLC are US-based companies; data shared with these providers is governed by their respective Data Processing Agreements and Standard Contractual Clauses (SCCs) adopted by the European Commission.
We do not use advertising networks, analytics platforms (Google Analytics, Mixpanel, etc.), or any other third-party tracking services.
| Data type | Retention period |
|---|---|
| Account data (name, email, password) | Deleted immediately upon account deletion |
| GitHub OAuth tokens | Deleted immediately upon account deletion. Revoking access via GitHub's settings does not automatically delete your data from DepTools — you must delete your account to remove all stored data. |
| Repository metadata and analysis results | Deleted immediately upon account or project deletion |
| Repository data from GitHub App uninstallation | Deleted automatically within 30 days of uninstallation |
| Subscription metadata (plan, status, IDs) | Deleted immediately upon account deletion |
| Technical and application logs | Retained for a maximum of 90 days, then permanently deleted |
As a data subject under GDPR, you have the following rights:
Right of access
Request a copy of all personal data we hold about you.
Right to rectification
Request correction of inaccurate or incomplete data.
Right to erasure
Request deletion of your personal data ("right to be forgotten").
Right to data portability
Receive your data in a structured, machine-readable format.
Right to restriction
Request that we limit how we process your data in certain circumstances.
Right to object
Object to processing based on legitimate interest.
To exercise any of these rights, contact us at privacy@deptools.io. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the CNIL.
We implement appropriate technical and organizational measures to protect your data:
Despite these measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@deptools.io.
Data breach notification
In the event of a personal data breach, we will notify the CNIL within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, you will be informed without undue delay in accordance with GDPR Article 34.
DepTools is intended for professional and developer use only. We do not knowingly collect data from persons under the age of 16. If you believe a minor has created an account, please contact us at privacy@deptools.io and we will delete the account promptly.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify registered users by email. Continued use of the service after any changes constitutes acceptance of the updated policy.