Security & Privacy
LAST_AUDIT: 2026-02-01
01. Local-First Architecture
Assertion: Your source code never leaves your machine.
SourcePrep runs entirely on localhost. Indexes, embeddings, and configuration are stored locally in ~/.local/share/sourceprep (or in-project via embedded mode). There is no cloud component, no server-side processing, and no mechanism to upload source code.
02. Telemetry & Analytics
03. Network Isolation
The SourcePrep daemon binds to 127.0.0.1:8400 by default. Remote access requires explicit configuration.
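One way to audit this binding on a Linux host, as an added example that is not SourcePrep's own code: it parses `ss -ltn` output and reports any listener on port 8400 that is not bound to a loopback address. The function names and the sample listing are constructed for illustration.

```python
import ipaddress
import subprocess

PORT = 8400  # default daemon port stated on this page


def split_addr(local):
    """Split ss's 'Local Address:Port' column into (addr, port)."""
    addr, _, port = local.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    return addr.strip("[]").split("%")[0], port


def exposed_listeners(ss_output, port=PORT):
    """Return local endpoints listening on `port` that are not loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header or non-listening row
        addr, found_port = split_addr(cols[3])
        if found_port != str(port):
            continue
        # '*' is ss's wildcard: every interface, IPv4 and IPv6.
        if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
            exposed.append(cols[3])
    return exposed


# Constructed sample of `ss -ltn` output with the default binding.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8400     0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    [::1]:8400         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

if __name__ == "__main__":
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    bad = exposed_listeners(live)
    print("non-loopback listeners on port", PORT, ":", bad or "none")
```

An empty result means the port is reachable only from the local machine; any entry listed is an endpoint other hosts can attempt to connect to, subject to firewall rules.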
04. LLM & Embedding Usage
SourcePrep's structural code graph (imports, calls, symbol graphs) and semantic search (via built-in ONNX embeddings) work entirely locally without any external LLM. For deep reasoning and trace enrichment, you may bring your own cloud API keys (BYOK) or connect Ollama locally. We never proxy calls, never store keys, and never mark up token costs.
05. Offline Verification
License activation requires a single online key exchange. After activation, SourcePrep stores a signed Ed25519 license file locally and verifies it offline. No periodic phone-home, no subscription heartbeat.
06. Supply Chain Security
All installers are code-signed and include SHA-256 checksums.
> 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d90bc
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly. We acknowledge reports within 48 hours.
[email protected]
07. Bug Reports & Debug Logs
SourcePrep includes a one-click bug report feature (accessible from the dashboard log console). When you submit a report, here's exactly what's included — and what's not:
Included in Reports
- ✓ App version & OS info
- ✓ Index stats (file count, chunk count)
- ✓ Pipeline stage & build status
- ✓ Error messages & stack traces
- ✓ Your description & steps to reproduce
Never Included
- X Source code or file contents
- X Index embeddings or vectors
- X File paths beyond project root name
- X LLM prompts or responses
- X License keys or credentials
Bug reports are previewed before submission — you can review every field. If you're offline or prefer not to send data, the report is saved as a local JSON file you can inspect and email manually to [email protected].
Privacy Policy
LAST_UPDATED: 2026-02-01
08. Data Inventory
Executive Summary: SourcePrep is a local-first desktop application. Your source code never leaves your machine. We collect the absolute minimum data needed to operate the business — license activation and optional support requests. That's it.
Not Collected
- X Source Code & Files
- X Index Data / Metadata
- X Telemetry / Usage Stats
- X AI Prompts / Responses
Collected
- ✓ License Key (Activation)
- ✓ Machine ID (Hardware Lock)
- ✓ Email (Support/Billing)
09. Payments
Payments are processed by Lemon Squeezy, our Merchant of Record. SourcePrep Inc. does not store credit card numbers, banking information, or tax IDs.
10. Data Retention
| Data Type | Retention Period |
|---|---|
| License Records | Lifetime of active license + 2 years |
| Support Tickets | 2 years from closure |
| Server Logs | 30 days (rolling) |
Compliance Officer
For data deletion requests or GDPR/CCPA inquiries:
[email protected]