Privacy Policy
This page describes the minimum current V1 privacy posture for the VORO web product surface. VORO is designed to support local-first and self-hosted workflows, but privacy outcomes still depend on how an operator deploys and uses the system.
1. What may be processed
VORO may process repository URLs, uploaded source files, contract addresses, scan requests, generated reports, limited runtime logs needed to operate the scan-to-report workflow, and service-side access data such as IP-address-level request metadata or operator-provisioned access-key usage needed to protect and run the current V1 surface.
2. How data is used
Submitted material is used to run scans, generate reports, troubleshoot failures, and operate the service. VORO does not represent this V1 surface as a general-purpose customer data platform or a broad analytics/marketing system.
3. Access and deployment boundary
The current V1 web path now includes authenticated website access for scan, report, payment, and account-adjacent flows, and it may also issue operator-provisioned or purchase-provisioned access keys for the hosted Pro/API path. It is still not a broad self-serve entitlement platform. In self-hosted deployments, the operator controls infrastructure, access logs, report storage, backup handling, and retention settings.
4. Third-party services
Depending on scan mode and deployment choices, the current narrow V1 path may interact with third-party services such as GitHub for repository access, Etherscan for contract source retrieval, and payment or deployment providers used by the operator-managed web surface. In the current V1 model, those third parties process only the portion of data needed for repository access, contract-source retrieval, payment handling, or hosting/deployment operations. They apply their own terms and privacy practices.
5. Retention and deletion
VORO does not currently advertise a universal self-serve deletion or retention control surface. Retention depends on the deployment and the operator managing it. If you use an operator-managed instance, direct retention questions to that operator.
6. Security boundary
The current live V1 trust control is worker-side lock verification before report save. Broader provenance, badge verification, authority co-sign, instance attestation, and end-to-end `scan_provenance` should not be inferred from this Privacy Policy as closed customer-live guarantees.
7. Rights and requests
Questions about access, retention, deletion, or current privacy handling should be directed first through the current V1 help route at /help. If a privacy issue requires human follow-up beyond that route, contact VORO Labs at [email protected]. Because the V1 web path is operator-provisioned and not a broad self-serve account system, privacy requests are handled through those current support paths rather than through an automated customer dashboard.
8. Changes
VORO may update this Policy as the V1 launch path hardens. Updates will be posted on this page.