Privacy Policy

Last updated: May 25, 2026

1. Who we are

Trojan is operated by Chizulu Zephaniah, an individual based in Nova Scotia, Canada ("Trojan", "we", "us", or "our"). We offer a local-first security scanning CLI and an associated web platform at trojancli.com.

For privacy questions, contact us at hi@trojancli.com.

2. What we collect and why

Account information

When you create an account we collect your email address and a hashed password. We use this to authenticate you, send transactional emails (receipts, password resets), and identify your subscription status.

Payment information

Payments are processed by Stripe, Inc. We never see or store your full card number, CVC, or banking details. Stripe provides us with a token, the last four digits of your card, and billing metadata (country, postal code) for fraud prevention. Stripe's privacy policy governs how they handle your payment data: stripe.com/privacy.

Cookies

We use strictly necessary cookies to maintain your login session. We do not use advertising cookies or cross-site tracking cookies. If we add analytics in the future, we will update this policy and obtain your consent where required by law.

3. What we do not collect

The Trojan CLI runs entirely on your local machine. Your source code, file contents, and project files never leave your device during a scan. Scan results are stored locally at ~/.trojan/ and are never transmitted to our servers.

4. AI-powered explanations

When you use the AI explanation feature (trojan ai-explain or the "Explain" button in the report), a summary of the security finding — including the affected file path, the scanner rule that triggered, and a short code snippet — is sent to a third-party AI provider for processing. This data is used solely to generate a human-readable explanation and is not used to train AI models.

This feature is only activated by your explicit action. It is never triggered automatically during a standard scan. You can use Trojan without ever invoking this feature.

Our current AI provider is DeepSeek (DeepSeek AI, China). Finding metadata sent to DeepSeek is subject to DeepSeek's privacy policy. If you are uncomfortable with data being processed outside Canada or the EU, do not use the AI explanation feature.

5. How we share your data

We share your data only with the following sub-processors:

  • Stripe — payment processing
  • DeepSeek — AI explanations, on demand only, finding metadata only

We do not sell your data. We do not share your data with advertisers, data brokers, or any other third party not listed above.

6. Data retention

We retain your account information for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or tax purposes (typically up to 7 years for financial records under Canadian law).

7. Your rights

Depending on where you are located, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Export your data in a portable format
  • Object to or restrict how we process your data
  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, email hi@trojancli.com. We will respond within 30 days.

8. Canadian residents (PIPEDA)

We collect, use, and disclose personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access your personal information and to challenge its accuracy. To make a request, contact us at hi@trojancli.com.

9. European residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent laws. Our legal basis for processing your personal data is:

  • Contract — to provide the service you signed up for
  • Legal obligation — to comply with tax and financial regulations
  • Legitimate interest — fraud prevention and service security

You have the right to lodge a complaint with your local data protection authority.

10. Security

We use industry-standard measures to protect your data: HTTPS for all data in transit, hashed passwords (never stored in plaintext), and restricted access to production systems. Auth tokens stored by the CLI are written with owner-only file permissions (0600).

11. Children

Trojan is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with their information, contact us at hi@trojancli.com and we will delete it promptly.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by displaying a notice on the website before the changes take effect. The "Last updated" date at the top of this page reflects when the policy was last revised.