Privacy Policy
Last updated: March 22, 2026
OpenDocket is an open-source compliance scanning tool. This policy explains what data OpenDocket collects, what it never collects, and how any collected data is used.
What We Collect
Short evidence excerpts for LLM analysis, plus anonymized pattern statistics.
When you run OpenDocket against a repository, the scanner analyzes code patterns locally. The only data that leaves your machine is:
- Evidence excerpts sent for LLM analysis: short code snippets surrounding a finding are sent to the Anthropic API for compliance analysis. They are processed under Anthropic's API terms, which state that API inputs are not used for model training.
- Aggregate pattern statistics: signal counts, domain confidence scores, and finding severity distributions. These contain no source code and no identifying information.
What We Never Collect
OpenDocket never collects, stores, or transmits:
- Your full source code: repositories are cloned locally and deleted after scanning. Only the short evidence excerpts described above leave your machine, and only to the LLM provider.
- Identifiable developer information: OpenDocket records no names, email addresses, or IP addresses.
- Company-to-finding linkages: findings are never associated with a company identity.
- Git history or credentials: no commit history, author information, or authentication tokens.
How Pattern Data Is Used
Anonymized pattern data may be used to:
- Improve detection accuracy of compliance risk patterns
- Calibrate confidence scoring algorithms
- Identify common compliance gaps across domains
- Publish aggregate research on code-level compliance trends
Opt-In Badge Program (Future)
In a future version, OpenDocket plans to offer a voluntary public compliance badge program. Participation is entirely opt-in.
Third-Party Services
OpenDocket uses the Anthropic API (Claude) for primary analysis and Google Gemini for independent review. Data sent to each provider is governed by that provider's terms of service.
Self-Hosted Scanning
OpenDocket is fully open source. You can run the entire pipeline on your own infrastructure with your own API keys.