How SecureOS and Athena collect, use, and protect your data. We've tried to make this clear, fair, and honest. Last updated June 3, 2026.
SecureOS ("we," "us," or "Company") provides Athena, an autonomous AI security engineer that scans your connected code repositories and cloud assets for security issues and helps you remediate them. This Privacy Policy explains what data we collect, how we use it, and the choices you have. It applies to the SecureOS website, the Athena application, and the Vigil editor extension (together, the "Service").
By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.
When you sign in (via GitHub, GitLab, or Bitbucket OAuth) we receive your username, email, avatar, and a provider access token. We use the token only to perform the actions you ask Athena to take — listing repositories, cloning code for a scan, and (with your permission) opening remediation pull requests.
To analyze your code, Athena clones the specific repositories you connect, into a temporary working directory, runs security scanners, and then deletes the clone. We store the findings a scan produces (vulnerability type, severity, file path, line number, code snippet, and recommended fix) so you can review them, track them over time, and so Athena can correlate patterns across your repositories.
If you connect a cloud account for posture scanning, you provide read-only credentials. These are used solely to run read-only checks against accounts you own and authorize. We never use them to modify your cloud, and never scan assets you have not connected.
We collect standard product telemetry — scans run, features used, errors — to operate and improve the Service. We may use privacy-respecting analytics for this purpose.
We do not sell your personal data, and we do not use your private code to train third-party foundation models.
Athena uses large language models to plan work, profile repositories, triage findings, and write reports. For these steps, relevant context (such as a repository's README, dependency manifests, and the findings produced by scanners) is sent to our model provider for processing. We send the minimum necessary, treat untrusted content as data (not instructions), and never instruct the model to exfiltrate secrets. Findings never invent data — they reflect only what real scanners observed.
We share data only as needed to run the Service:
We do not sell or rent your personal information to anyone.
Cloned code is deleted immediately after a scan completes. Findings, cases, and account data are retained while your account is active so you have continuity and history. When you delete your account, we delete or anonymize your personal data and findings within a reasonable period, except where retention is required by law.
We take protecting your data seriously — encryption in transit, scoped access tokens, per-user data isolation, and an internal "immune system" that defends Athena's own agents against malicious inputs. No system is perfectly secure, but we work to hold ourselves to the standard we help you meet.
We may process and store data in countries other than your own. Where required, we use appropriate safeguards for cross-border transfers.
The Service is not directed to children under 16, and we do not knowingly collect their personal information.
We may update this Privacy Policy. If changes are material, we'll provide notice by email or by posting on our website. Your continued use of the Service after changes take effect constitutes acceptance.
Questions, requests, or privacy concerns? Contact us at hello@secureos.dev.