Privacy Policy
Last Updated: February 23, 2026
1. Introduction
Firepan, Inc., a Delaware corporation ("FirePan," "we," "us," or "our"), provides AI-powered smart contract security services, including SaaS security monitoring, Boutique Audits, and related tools and APIs (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Services.
By using FirePan, you agree to the collection and use of information in accordance with this policy. If you are using the Services on behalf of an organization, you represent that you have the authority to bind that organization to this Privacy Policy and that "you" and "your" refer to that organization.
2. Information We Collect
Account Information
- Email address
- Name
- Company or organization name
- Account credentials (passwords are hashed and salted; where available, authentication is provided via GitHub OAuth, in which case we receive only the information authorized by your OAuth grant)
Code and Project Data
- Smart contract source code you submit for analysis
- Smart contract bytecode and ABI definitions
- Repository URLs and metadata
- Analysis results and security findings
Blockchain and Wallet Data
- Wallet addresses associated with deployed contracts under analysis
- On-chain transaction data related to analyzed contracts
- Contract deployment metadata
Public Repository Data
- Publicly available code from GitHub and other public repositories
- Organization and developer contact information from public sources
- Repository metadata (stars, commits, contributors)
Usage Data
- Log files and analytics data
- Feature usage patterns
- API call records
- Device and browser information
- IP addresses
Payment Information
- Payment details are processed by Stripe
- We do not store full credit card numbers on our servers
- We may retain the last four digits of your card number for identification and support purposes
3. Public Repository Scanning
Important Notice: FirePan scans publicly available GitHub repositories and other public code sources as part of our security research, vulnerability disclosure, and business development activities.
- We analyze public repositories to identify smart contract projects and potential security issues
- We may contact developers and organizations based on our analysis of their public repositories
- This outreach is based on publicly available information and our legitimate interest in providing security services to the blockchain community
Legal Basis (GDPR). For users in the EEA and UK, our processing of publicly available repository data is based on our legitimate interest under Article 6(1)(f) of the GDPR. We have conducted a Legitimate Interest Assessment ("LIA") and determined that our interest in identifying and communicating about smart contract security vulnerabilities is not overridden by the rights and freedoms of data subjects, given that the data is publicly available and our outreach serves a protective purpose.
Your Rights:
- You can opt out of receiving communications from us at any time
- We maintain a suppression list for organizations that do not wish to be contacted
- To opt out, email us at privacy@firepan.com with "Opt Out" in the subject line
- We will process opt-out requests within ten (10) business days
- Opting out of marketing communications does not affect our ability to communicate with you regarding active service engagements, security disclosures, or legal obligations
4. How We Use Your Information
We use the information we collect to:
- Provide security analysis and scanning Services
- Generate vulnerability reports and security findings
- Send you alerts about security issues in your code
- Process payments and manage your subscription
- Send marketing communications (with your consent or based on legitimate interest)
- Improve our Services through aggregate analytics
- Comply with legal obligations
- Protect against fraud and abuse
- Enforce our Terms of Service
- Respond to law enforcement requests and legal process, where required by applicable law
- Conduct research and development, including improving our AI models and detection algorithms; Customer Code used for R&D purposes is anonymized and aggregated before use
5. AI Processing and Third-Party Providers
AI Analysis
Your code is processed using artificial intelligence technologies to identify potential vulnerabilities. This processing involves third-party AI providers. You acknowledge that AI analysis may produce false positives (flagging issues that are not actual vulnerabilities) and false negatives (failing to identify actual vulnerabilities). FirePan does not guarantee the accuracy of AI-generated findings.
Third-Party AI Providers
We use the following AI providers to analyze code:
- DeepSeek — AI analysis services
- OpenAI — AI analysis services
- Anthropic — AI analysis services
Each provider has its own privacy policy and data handling practices. We select providers that offer terms prohibiting training on customer data, and we configure our API usage to opt out of training where such options are available.
DeepSeek Jurisdiction Disclosure. DeepSeek is headquartered in the People's Republic of China (PRC). Customer Code processed by DeepSeek may be subject to PRC data protection laws, including the Personal Information Protection Law (PIPL) and the Data Security Law (DSL). Enterprise customers may opt out of DeepSeek processing by contacting us at privacy@firepan.com.
Provider Requirements
FirePan maintains Data Processing Agreements with its AI providers that include:
- Deletion timelines: Providers are required to delete Customer Code within thirty (30) days of processing
- Breach notification: Providers are required to notify FirePan of any data breach affecting Customer Code
- Purpose limitation: Providers may use Customer Code only for the specific purposes authorized by FirePan
A current list of sub-processors is maintained at firepan.com/sub-processors.
Our Commitment
- We do not train our own proprietary models on Customer Code without explicit written consent
- We do not sell your code or analysis results to third parties
6. Other Third-Party Services
We use additional third-party services to operate our platform:
| Service | Purpose |
|---|---|
| GitHub API | Repository scanning, integration, and OAuth authentication |
| Stripe | Payment processing |
| SendGrid | Email communications |
| DigitalOcean | Infrastructure and hosting |
| Caddy | Web server and TLS termination |
GitHub OAuth. If you authenticate using GitHub OAuth, we receive your GitHub username, email address, and public profile information as authorized by your OAuth grant. We do not receive your GitHub password.
Each service processes data according to its own privacy policy.
7. Data Retention
We retain your data according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Analysis results | Tier-dependent: Starter 30 days, Professional 90 days, Enterprise 1 year (or as specified in SOW) |
| Submitted code | Deleted within 30 days of analysis completion (SaaS) or 60 days of report delivery (Boutique) |
| Account data | While account is active + 90 days after deletion request |
| Marketing contact data | Until you opt out |
| Payment records | As required by law (typically 7 years) |
| Blockchain/wallet data | Duration of subscription + 1 year |
| Anonymized/aggregated data | Retained indefinitely for research and service improvement |
8. Your Rights
You have the following rights regarding your data:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and personal data
- Restriction: Request restriction of processing of your personal data in certain circumstances
- Opt-out: Unsubscribe from marketing communications
- Portability: Export your security reports and analysis data
- Object: Object to processing based on legitimate interest
- Non-discrimination: We will not discriminate against you for exercising your privacy rights
We will respond to verifiable requests within thirty (30) days. If we require additional time, we will notify you and may extend the response period by up to forty-five (45) additional days.
To exercise these rights, contact us at privacy@firepan.com.
8A. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: FirePan does not sell personal information. We do not share personal information for cross-context behavioral advertising purposes.
- Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information, you may request that we limit its use to the purposes necessary to provide the Services.
How to Exercise Your Rights. To submit a CCPA/CPRA request, contact us at privacy@firepan.com. We will verify your identity before processing your request.
Financial Incentives. We do not offer financial incentives for the collection, sale, or deletion of personal information.
9. International Users
GDPR (European Economic Area and UK)
If you are in the EEA or UK, our legal bases for processing are:
- Contract: Processing necessary to provide Services you requested
- Legitimate Interest: Business operations, security, and B2B marketing
- Consent: Marketing communications where required
- Legal Obligation: Compliance with applicable laws and regulations
Your Additional Rights:
- Right to lodge a complaint with a supervisory authority
- Right to object to direct marketing at any time
- Right to restrict processing in certain circumstances
- Right to data portability in a structured, commonly used, and machine-readable format
International Data Transfers
FirePan is based in the United States. If you are accessing our Services from outside the US, your data will be transferred to and processed in the US.
For transfers from the EEA/UK, we rely on:
- Standard Contractual Clauses approved by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Other lawful transfer mechanisms as appropriate
China (DeepSeek). Where Customer Code is processed by DeepSeek, supplementary measures are implemented including encryption in transit, contractual restrictions on onward transfer, and the option for Enterprise customers to opt out of DeepSeek processing entirely.
10. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Functions: Site functionality, authentication, security
- Preference Cookies: Remembering your settings and preferences
- Analytics: Understanding how users interact with our Services
Where required by law, we obtain consent before placing non-essential cookies. For more information about our cookie practices and to manage your cookie preferences, visit firepan.com/cookies.
11. Children's Privacy
FirePan's Services are designed for business and professional use and are not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a person under 18, we will delete it promptly.
If you believe a child has provided personal information to FirePan, please contact us at privacy@firepan.com so we can take appropriate action.
12. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for stored Customer Code and sensitive data
- Secure API key management
- Access controls and authentication
- Regular security assessments
- Employee security training and access policies
- Incident response procedures for security events
FirePan is committed to obtaining a SOC 2 Type II attestation report. Current compliance status is available upon request.
However, no system is completely secure. We cannot guarantee absolute security of your data.
12A. Data Breach Notification
In the event of a data breach that affects your personal data or Customer Code, FirePan will:
- Notify affected customers within seventy-two (72) hours of becoming aware of the breach
- Notify the relevant supervisory authority (where required under GDPR or other applicable law) within seventy-two (72) hours
- Provide details regarding the nature of the breach, the categories of data affected, the approximate number of affected individuals, and the measures taken or proposed to address the breach
- Take immediate steps to contain the breach and mitigate harm
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice via email or through our Services before the changes take effect.
Changes will be posted on this page with an updated "Last Updated" date. Your continued use of the Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
14. Contact Us
For questions about this Privacy Policy or our data practices:
Privacy inquiries: privacy@firepan.com
General inquiries: hello@firepan.com
Corporate Entity: Firepan, Inc., a Delaware corporation
EU Representative. If you are located in the EEA and wish to exercise your rights under GDPR, contact us at privacy@firepan.com. We have not yet appointed a formal EU representative; an appointment will be published when required by our processing volume.
California Residents. For CCPA/CPRA requests, contact privacy@firepan.com.
15. Dispute Resolution
Any disputes arising from this Privacy Policy shall be resolved in accordance with the dispute resolution provisions in our Terms of Service, including the binding arbitration clause and class action waiver contained therein.
16. Do Not Track Signals
As required by the California Online Privacy Protection Act (CalOPPA), we disclose that FirePan does not currently respond to "Do Not Track" browser signals, because there is no industry standard for how to respond to such signals. We will update this policy if an industry standard is established.
17. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, without regard to conflict of law principles. To the extent that the GDPR, CCPA/CPRA, or other local privacy laws apply to our processing of your data, the provisions of such laws shall apply in addition to (and shall prevail over, in the event of conflict with) the provisions of this Privacy Policy.
FirePan — Ship contracts. Not obituaries.
If you have any questions about this Privacy Policy, please contact us.