Privacy Policy
Last updated: April 15, 2026
What Cawght Does
Cawght is a web application at cawght.com that analyzes your codebase, generates adversarial test scenarios using AI, executes those tests against a staging environment you configure, and reports findings about business logic vulnerabilities.
Data We Collect
- Account information: Name, email address, and profile image from Google when you sign in with Google OAuth.
- Repository metadata: When you connect a GitHub repository, we extract a route map (endpoints, methods, auth requirements, stack) from your code. We do not store your source code.
- Test environment credentials: Base URL and authentication credentials (bearer tokens, API keys, or login credentials) you provide so Cawght can run tests. These are encrypted at rest using AES-256-GCM.
- Scan results: AI-generated test scenarios, HTTP request/response data captured during scans, and findings are stored on our server and associated with your account.
Data We Do NOT Collect
- We do not store your source code — only the extracted route map.
- We do not collect browsing history, keystrokes, or any data outside explicit scan runs.
- We do not sell, share, or transfer your data to third parties for advertising.
Third-Party Services
- Google OAuth: Used for authentication. We receive your name, email, and profile image as part of sign-in.
- Google Gemini API: Used to classify endpoints, extract business rules, generate scenarios, and evaluate results. Route metadata and response snippets are sent to Gemini during a scan. Google's API terms apply.
- GitHub: When you connect a repository, Cawght acts as a GitHub App with read-only access. We never write to your code.
- Polar.sh: Payment processing for paid plans.
Data Storage & Security
- Account data, route maps, and scan results are stored in a PostgreSQL database hosted on Supabase.
- Test environment credentials are encrypted with AES-256-GCM before storage.
- Authentication uses JWT tokens with 30-day expiry.
- All API communication uses HTTPS.
- All database queries are scoped to the authenticated user — you cannot access another user's data.
Data Retention
Your account and scan data are retained as long as your account exists. We use soft-delete — records are marked as deleted but retained for recovery purposes. You can request full deletion of your account and associated data by contacting us.
Your Rights
- You can disconnect GitHub and delete any stored test environment credentials from your dashboard.
- You can request export or deletion of your server-side data.
- You can revoke Cawght's Google OAuth access from your Google account security settings.
Contact
For privacy questions or data requests, open an issue on our GitHub repository or email the maintainer.
