Summary
- No telemetry. OSSScan collects zero usage analytics, crash reports, or behavioral telemetry.
- Your source code never leaves your machine. OSSScan reads files locally; it does not upload source code, scan results, SBOM data, company information, or product details to any server.
- No licensing server in the loop after activation. Activation sends your license key and a non-reversible machine fingerprint to the Vendor's licensing endpoint once and returns a signed license file tied to your hardware. From then on, license validation happens entirely on your device against that file; there is no call home on launch.
- Designed for anonymous use. You can purchase and use OSSScan without associating it with your company or product. Any email address works for license delivery; it does not have to be a corporate address or linked to the codebase you are scanning.
- Outbound network requests are minimal and purposeful. In normal operation, requests go only to well-known package registries and metadata services (deps.dev, ClearlyDefined, npm, PyPI, etc.) to look up license and vulnerability data for the packages you scan.
- Light mode makes zero outbound calls. When you use OSSScan in Light mode, no package registry or metadata lookups are made and all analysis is performed offline.
- Payment data is handled by Stripe. OSSScan never stores your credit card number; payment processing is handled entirely by Stripe.
- GDPR-friendly by design. Because personal data processed is limited and purposeful, the compliance surface is small. You retain rights of access, correction, and deletion for any personal data we hold.
Information Processed Locally
The following information is processed entirely on your machine and is never transmitted to BigBrainCorp (the Vendor) or to any third party:
- File system paths and directory structures of the folder you choose to scan
- Source code file contents read during scanning
- Package manifest files (e.g., package.json, requirements.txt, pom.xml)
- Output reports written to your chosen destination
- Application preferences and configuration stored in your local application data folder
- Results from third-party tools (Syft, Grype, ScanCode) when invoked
Outbound Network Requests
What is sent
When OSSScan makes outbound requests, only the minimum data necessary is transmitted: typically a package name, version, and ecosystem (e.g., npm/lodash@4.17.21). No file contents, source code, file paths, or personal information are included in these requests.
Which third parties receive requests
| Destination | Purpose | Data sent |
|---|---|---|
| deps.dev (Google) | License metadata and dependency graph lookups | Package name, version, ecosystem |
| registry.npmjs.org | npm package license metadata | Package name, version |
| pypi.org | Python package license metadata | Package name, version |
| api.clearlydefined.io | Pre-computed license harvest data | Package coordinates (type/provider/name/version) |
| licensing.ossscan.com (BigBrainCorp) | License key validation at activation | License key, machine fingerprint (non-reversible) |
| Update check endpoint (BigBrainCorp) | Checking for application updates (can be disabled in settings) | Current app version, OS platform |
All requests use HTTPS. No request includes personal identifiers beyond the machine fingerprint used for licensing.
Designed for Anonymous Use
OSSScan is built to protect your privacy at every level. There is no backend server that knows what you are scanning, no licensing server that tracks your activity, and no telemetry of any kind. The following design choices are intentional:
- No scan data ever leaves your machine. Your SBOM, license findings, CVE results, source-file references, and the names of the codebases you scan are never transmitted to the Vendor or any third party controlled by the Vendor.
- No licensing server at runtime. OSSScan does not call home to validate your license on launch. Activation exchanges your license key and machine fingerprint for a signed license file once; after that, the file is verified locally on your device using a cryptographic signature bound to your hardware fingerprint, and the license works entirely offline.
- Any email address works for license delivery. You are not required to use a company email address. A personal address, an alias, or any address you control is sufficient. The email is used only to deliver your license file and for re-send support; it is not linked to the codebases you scan.
- Your company and product names are never collected. The Vendor has no knowledge of which products you scan, which repositories you analyze, or which organization you belong to.
- Hardware fingerprint is pseudonymous and one-way. The fingerprint sent at activation is a one-way hash of OS-provided hardware identifiers. It does not reveal those identifiers; the only thing it can be matched against is a fingerprint recomputed on the same machine, which is exactly what binds your license to that machine. Because it is a stable identifier, this policy still treats it as personal data (see Data Retention).
The practical result is that you can use OSSScan to scan sensitive, unreleased, or commercially confidential codebases without the scanning activity itself becoming visible to the Vendor. The one thing a third party can observe is the package metadata lookups described under Outbound Network Requests: registries and metadata services see which package versions you query, but not the files, paths, or project they came from. If even that is unacceptable, use Light mode, which makes no such lookups.
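The activation-then-offline scheme described above, together with the one-way fingerprint described under License Purchases, shown as an added example in Go. This is not OSSScan's own code: the license payload layout, the SHA-256 fingerprint construction, the hardware identifier strings, and Ed25519 as the signature algorithm are all assumptions made for illustration. Issue stands in for the one-time Vendor-side activation step; Verify is the client-side check that runs on launch with nothing but the Vendor's public key compiled into the binary.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the payload the Vendor signs at activation.
// Field names and layout are assumptions for this example, not OSSScan's real format.
type License struct {
	Tier        string `json:"tier"`
	Fingerprint string `json:"fingerprint"` // hex SHA-256 over hardware identifiers
	ExpiresAt   int64  `json:"expires_at"`  // unix seconds; 0 means perpetual
}

// SignedLicense is what lands on disk: the exact bytes that were signed plus
// the signature. Verifying the stored bytes, not a re-serialised struct,
// avoids spurious failures from JSON key reordering.
type SignedLicense struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("license: signature does not verify")
	ErrWrongMachine = errors.New("license: fingerprint does not match this machine")
	ErrExpired      = errors.New("license: expired")
)

// NewVendorKeys generates the Vendor's Ed25519 key pair. In practice the
// private key never leaves the Vendor; only the public key ships in the app.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Fingerprint folds stable hardware identifiers into one SHA-256 digest.
// The digest is one-way: it can be matched against a fingerprint recomputed
// on the same machine, but the inputs cannot be recovered from it.
// Each field is length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
func Fingerprint(ids ...string) string {
	h := sha256.New()
	for _, id := range ids {
		fmt.Fprintf(h, "%d:%s;", len(id), id)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Issue is the Vendor-side step that runs once at activation: license key and
// fingerprint come in, a signed license file goes out.
func Issue(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	return SignedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the client-side check on every launch. It needs no network: the
// signature proves the Vendor issued the file, the fingerprint binds it to
// this seat, and the expiry is checked against the local clock.
func Verify(pub ed25519.PublicKey, sl SignedLicense, localFP string, now time.Time) (License, error) {
	if !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return License{}, ErrBadSignature // any edit to the payload lands here
	}
	var lic License
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return License{}, err
	}
	if lic.Fingerprint != localFP {
		return License{}, ErrWrongMachine // file copied to another machine
	}
	if lic.ExpiresAt != 0 && now.Unix() > lic.ExpiresAt {
		return License{}, ErrExpired
	}
	return lic, nil
}

func main() {
	pub, priv := NewVendorKeys()
	// Constructed identifiers standing in for what the OS would report.
	fp := Fingerprint("BIOS-SERIAL-0001", "00:11:22:33:44:55")

	signed, _ := Issue(priv, License{Tier: "pro", Fingerprint: fp})
	lic, err := Verify(pub, signed, fp, time.Now())
	fmt.Println("same machine:", lic.Tier, err)

	_, err = Verify(pub, signed, Fingerprint("BIOS-SERIAL-9999", "66:77:88:99:aa:bb"), time.Now())
	fmt.Println("other machine:", err)

	tampered := signed
	tampered.Payload = bytes.Replace(signed.Payload, []byte(`"pro"`), []byte(`"enterprise"`), 1)
	_, err = Verify(pub, tampered, fp, time.Now())
	fmt.Println("edited payload:", err)
}
```

Note the ordering in Verify: the signature is checked before the payload is even parsed, so an attacker who edits the tier or expiry in the file gets a signature failure rather than a parse of attacker-controlled data. Because the Vendor never sees the raw hardware identifiers, a leaked fingerprint database would reveal only which digests are licensed, not what hardware they came from.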
Telemetry and Analytics
OSSScan collects no telemetry, analytics, or usage data of any kind. There are no analytics SDKs embedded in the application. We do not record which features you use, how long you run scans, what packages you scan, or any other behavioral information.
Legal Basis for Processing (GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, the legal basis for processing the limited personal data described in this policy is as follows: license validation (including machine fingerprint) is processed on the basis of contract performance, as it is necessary to provide the software license you have purchased. Update checks are processed on the basis of our legitimate interests in keeping customers informed of security and feature updates. You may disable update checks in application settings at any time.
Sharing and Disclosure
We do not sell, rent, or trade personal data. We share data only with the sub-processors necessary to operate the service (Stripe for payment processing, Microsoft Azure for licensing infrastructure, and transactional email providers for license delivery). We may disclose data if required by law or to protect the rights, property, or safety of BigBrainCorp LLC, our customers, or the public, but we will notify you where legally permitted.
Data Retention
License purchase records (email address, machine fingerprint, transaction ID) are retained for as long as your license is active and for a reasonable period thereafter for accounting and fraud-prevention purposes. Payment card data is never stored by us; Stripe retains it subject to their own privacy policy. You may request deletion of your personal data at any time by contacting jim@ossscan.com; deletion may affect your ability to reactivate a license.
License Purchases
Data collected at purchase
- Email address: used to deliver your license key and send important product notices
- Payment information: collected and processed directly by Stripe; BigBrainCorp LLC never sees or stores your full card number
- Machine fingerprint (at activation): a one-way hash derived from stable hardware characteristics of the machine where you activate OSSScan. It is used solely to enforce per-seat licensing; it cannot be used to identify you personally and is not reversible to your hardware configuration.
- Transaction metadata: order ID, purchase date, license tier, and country of purchase, retained for accounting purposes
Processors used
- Stripe: payment processing (stripe.com/privacy)
- Microsoft Azure: license key storage and validation infrastructure
- Transactional email provider: delivery of license keys and order confirmations to your email address
Your rights
You have the right to access, correct, or request deletion of any personal data we hold about you. To exercise these rights, contact jim@ossscan.com. We will respond within 30 days.
Children's Privacy
OSSScan is not directed at children under 13, and we do not knowingly collect personal data from anyone under 13 years of age.
Changes to This Policy
We may update this Privacy Policy from time to time; material changes will be announced via the OSSScan website and, where possible, by email to license holders.