Privacy policy
Last updated: 2 July 2026
The short version
We run a compliance product, so we practice what we preach: we collect the minimum, store almost nothing, and tell you exactly what happens to each piece of data.
SBOMs and Risk Check answers
SBOMs you scan are processed in memory to run the vulnerability lookup and are never stored. Component identifiers (name/version) are sent to OSV.dev, Google's public vulnerability database, to perform the lookup — no other data accompanies them. Risk Check answers are processed in your browser; if you use the “share” feature, your answers are encoded into the URL you copy — we don't receive or store them.
Email addresses
If you join the waitlist we store your email address and the page you signed up from, processed via our form provider, to email you about CRAdar's launch and product updates. No purchase of lists, no resale, no third-party marketing. To unsubscribe, tell us once at hello@cradar.dev and we delete your address.
Analytics
We use Vercel Web Analytics: cookieless, no cross-site tracking, no persistent identifiers. It gives us aggregated page views and anonymous custom events (e.g. “a risk check was completed”). We cannot identify you from it.
Hosting & processors
The site runs on Vercel (EU/US infrastructure). Sub-processors: Vercel (hosting, analytics), our form provider (waitlist emails), OSV.dev (vulnerability lookups — receives package identifiers only).
Your rights
Under the GDPR you can request access, correction, deletion, or export of your data — in practice this only applies to your waitlist email, because it's the only personal data we hold. Write to hello@cradar.dev. You also have the right to complain to your supervisory authority.
Changes
We'll update this page as the product grows (accounts and billing will add processors — we'll list them here before they go live).