Privacy Policy
How BaseImage collects, uses, and protects your data.
Last Updated: February 10, 2026
1. Introduction
BaseImage ("we", "us", or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website baseimage.io or use our container hardening services.
By using our Service, you consent to the data practices described in this policy.
2. Information We Collect
A. Personal Account Data
When you register, we collect identifiers such as:
- Email address
- Name or connected developer account usernames (e.g., GitHub)
- Billing information (processed securely via third-party providers; we do not store full credit card numbers)
B. Operational & Security Data
To provide our automated security services, we process:
- Container Metadata: Image tags, layers, and OS package lists (SBOMs).
- Security Telemetry: Vulnerability scan results (CVEs) generated by our analysis engines.
- Access Tokens: Temporary or scoped tokens required to interact with your container registries or CI/CD pipelines. These are strictly encrypted at rest and in transit.
Proprietary Code Guarantee
We do not extract, analyze, or permanently store your proprietary application source code. Our systems are designed to process only the container image artifacts and metadata required to perform hardening and vulnerability analysis.
3. How We Use Your Information
- To provide, operate, and maintain the BaseImage platform and CLI tools.
- To generate security reports, audit logs, and SBOMs for your compliance requirements.
- To send critical security alerts and operational notifications.
- To detect, prevent, and mitigate fraud or abuse of our infrastructure.
- To improve the accuracy of our vulnerability scanning and hardening algorithms (using aggregated, anonymized metadata).
4. Data Retention
We retain personal data only for as long as necessary to provide our Services and fulfill the purposes outlined in this Policy.
- Container Images: Target images are temporarily cached during the scanning process and are automatically purged from our ephemeral storage upon task completion.
- Scan Results & SBOMs: Security reports are retained to provide historical tracking in your dashboard, but can be permanently deleted upon request.
- Account Data: Retained until you request account deletion.
5. Third-Party Service Providers
We do not sell your data. We may share necessary data with trusted third-party vendors who assist us in operating our Service. These partners are strictly bound by confidentiality agreements. Categories of providers include:
6. Data Security
We implement robust, industry-standard security measures to protect your information:
- End-to-end encryption of data in transit (TLS 1.2/1.3) and encryption at rest (AES-256).
- Strict Role-Based Access Control (RBAC) and zero-trust principles for our internal infrastructure.
- Continuous vulnerability scanning and automated patching of our own deployment environments.
7. Your Data Rights
Depending on your jurisdiction (e.g., GDPR in Europe, CCPA in California), you may have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate data.
- Request deletion of your data ("Right to be Forgotten").
- Export your data in a portable, machine-readable format.
To exercise any of these rights, please contact our privacy team at [email protected].
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:
[email protected]
This document is a general template and does not constitute legal advice.
Please consult with legal counsel for your specific compliance needs.