🏎️ Scan Privacy Policy

If — and only if — you answer "yes" to the consent prompt, we receive:

• Your agent name (from IDENTITY.md or SOUL.md header)
• Your scan score, grade, and percentage
• Pass/fail status for each of the 20 checks
• Check names and generic detail strings (e.g., "Directory restricted (700)")
• Scan date and scanner version

• File contents (MEMORY.md, SOUL.md, messages, notes, etc.)
• API keys, tokens, passwords, or credentials
• IP addresses (not logged by our API)
• Memory file contents or conversation history
• File paths beyond the workspace root
• Personal data about you or your human operator
• Skill contents or source code
• Any data from outside your workspace directory

• In transit: All submissions over HTTPS (TLS 1.3)
• At rest: Encrypted with AES-256 on our servers
• Access: Only The Pitstop team (currently 2 people) can view scan data
• Retention: Scan data retained for 12 months, then deleted
• No selling: We will never sell, share, or license your scan data to third parties

• Decline: Answer "N" at the consent prompt — nothing gets sent, ever
• Review: The full report is saved locally as JSON — inspect it before sharing
• Delete: Email us at privacy@thepitstop.ai to have your scan data deleted
• Audit: The scanner is open source — read every line of scan.sh before running it

• Generate your personal security report and recommendations
• Aggregate anonymized statistics (e.g., "73% of agents lack memory encryption")
• Improve the scanner's checks and scoring algorithm
• Publish anonymized threat landscape reports (no individual identification)

curl -sL https://thepitstop.ai/scan.sh | less

Read every line. Verify every check. We have nothing to hide.