Privacy policy

Last updated: 2 July 2026

The short version

We run a compliance product, so we practice what we preach: we collect the minimum, store almost nothing, and tell you exactly what happens to each piece of data.

SBOMs and Risk Check answers

SBOMs you scan are processed in memory to run the vulnerability lookup and are never stored. Component identifiers (name/version) are sent to OSV.dev, Google's public vulnerability database, to perform the lookup — no other data accompanies them. Risk Check answers are processed in your browser; if you use the “share” feature, your answers are encoded into the URL you copy — we don't receive or store them.

Email addresses

If you join the waitlist, we store your email address and the page you signed up from. Both are processed via our form provider and used to email you about CRAdar's launch and product updates. No purchase of lists, no resale, no third-party marketing. To unsubscribe, tell us once at hello@cradar.dev and we delete you.

Analytics

We use Vercel Web Analytics: cookieless, no cross-site tracking, no persistent identifiers. It gives us aggregated page views and anonymous custom events (e.g. “a risk check was completed”). We cannot identify you from it.

Hosting & processors

The site runs on Vercel (EU/US infrastructure). Sub-processors: Vercel (hosting, analytics), our form provider (waitlist emails), OSV.dev (vulnerability lookups — receives package identifiers only).

Your rights

Under the GDPR you can request access, correction, deletion, or export of your data — in practice this only applies to your waitlist email, because it's the only personal data we hold. Write to hello@cradar.dev. You also have the right to complain to your supervisory authority.

Changes

We'll update this page as the product grows (accounts and billing will add processors — we'll list them here before they go live).