Back to SaaS Pawned?

Privacy Policy

Effective date: May 22, 2026

1. Who We Are

SaaS Pawned? (“we,” “us,” or “our”) is a security scanning service that analyzes npm and pnpm dependency files for known vulnerabilities. Our infrastructure is hosted on Google Firebase with data stored in Canadian data centers.

2. Information We Collect

When you use SaaS Pawned?, we collect the following information:

  • Dependency file contents: The package-lock.json, package.json, or pnpm-lock.yaml you upload or paste, including package names and version numbers.
  • Website URL: The URL of your application, if provided.
  • Infrastructure information: Hosting platform (e.g. Vercel, AWS), operating system distribution, and OS version, if provided.
  • Vulnerability scan results: The list of CVEs and severity ratings identified in your dependency file.
  • AI analysis output: The security assessment generated by our AI provider based on your data.
  • IP address: Collected transiently for rate-limiting purposes. Not persisted to our database.
  • Usage analytics: Page views, feature interactions (e.g. file uploads, analysis completions), browser type, and general geographic region, collected via Google Analytics.

3. How We Use Your Information

  • To perform vulnerability scans and deliver AI-powered security assessments.
  • To enforce rate limits and prevent abuse of the service.
  • To analyze how the service is used and improve its features.
  • To generate aggregated, statistical insights about common vulnerabilities in the ecosystem.

4. Sale and Sharing of Data

We may sell or share collected data — including dependency information, vulnerability scan results, infrastructure details, and associated metadata — with third parties, including but not limited to security research firms, data brokers, and commercial partners.

Any data sold or shared will not be directly linked to individually identified natural persons, but may include domain names, package lists, hosting configurations, and vulnerability profiles. If you do not wish your data to be sold or shared, do not use the service.

5. Third-Party Services

We rely on the following third-party processors to operate the service:

Google Firebase / Firestore

Used to store scan results and infrastructure metadata. Data is stored in Canadian data centers (northamerica-northeast1 region). Governed by Google’s Terms of Service and Privacy Policy.

OpenAI

Your dependency file contents and vulnerability data are sent to OpenAI’s API to generate the AI security assessment. Data is processed according to OpenAI’s Privacy Policy. OpenAI may retain API inputs for up to 30 days for safety purposes.

Google Analytics (GA4)

Used to collect anonymous usage statistics. Google Analytics sets cookies and collects data including your IP address, browser, and interactions with the service. You can opt out via the Google Analytics Opt-Out Browser Add-on.

OSV.dev (Google Open Source Security)

Package names and version numbers are sent to the OSV.dev public API to identify known vulnerabilities. No account information is required or transmitted. OSV.dev is a public service operated by Google.

6. Data Storage and Retention

Data stored in Firestore (scan metadata, URLs, vulnerability counts) is retained indefinitely unless you contact us to request deletion. Locally, your form inputs and scan results are stored in your browser’s localStorage and remain until you click “Start over” or clear your browser data.

7. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, or request deletion of personal data we hold about you. To make such a request, contact us at the address below. We will respond within 30 days.

Canadian residents are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). Quebec residents have additional rights under Law 25.

8. Children

This service is not directed at children under the age of 16. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy at any time. The effective date at the top of this page will reflect the most recent revision. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related inquiries or data deletion requests, contact us at: privacy@saaspawned.com

Terms of Service·Scanner·Home