DepWarden is built to need as little of your data as possible. This page summarises how the service handles information; it is written to be read, not to hide behind jargon.
You don't create an account to scan. When you start, DepWarden issues an anonymous, session-isolated workspace identified only by a private cookie. There is no email, name or profile attached to it.
DepWarden receives only the dependency manifest text you paste or the lockfile you drop — for example a package-lock.json, requirements.txt or pom.xml. It does not receive, request or store your application source code or compiled binaries. When you scan a public GitHub repository, only its public manifest files are read.
The operator does not browse individual projects or findings. Administrative views expose only aggregate metrics — counts and trends across all sessions — never the contents of any one workspace.
Sessions and their scan data expire automatically, and you can clear your data at any time from within the app. After expiry, the associated records are purged.
If you choose to create a monitoring "watch", DepWarden stores the dependency manifest text you submit (never your source) together with a list of advisory identifiers, so it can re-scan it daily and alert you to newly-disclosed vulnerabilities. A watch is anonymous — it is identified only by a secret token, with no account or email required — and it is the one feature that retains data beyond a session. You can delete a watch at any time with its token, and watches are purged automatically after a period of inactivity. If you add a webhook URL, new-advisory notifications are sent to it; we do not otherwise share watch data.
DepWarden sets one functional cookie to maintain your anonymous, session-isolated workspace — without it the app cannot keep your scans separate from anyone else's. This cookie is essential to the service and carries no advertising or cross-site tracking identifier. Any additional analytics or advertising cookies are set only after you explicitly consent.
Analytics and any advertising are consent-gated: nothing that profiles you loads until you accept, in line with Google Consent Mode. You can decline and still use the scanner with no loss of functionality. We use privacy-respecting, aggregate analytics to understand which features are used and to keep the service reliable — never to build a profile of you as an individual.
When you run a scan, the dependency names and versions you submit are checked against public vulnerability and metadata sources — OSV.dev, CISA KEV, FIRST EPSS, deps.dev and endoflife.date — either from our local mirror or, as a fallback, by querying those services. These lookups contain package coordinates only; they never include your source code, your identity, or the contents of your project.
You can clear your session data at any time from within the app, decline non-essential cookies, and simply stop using the service to end any processing. Because sessions are anonymous there is no account to delete. If you have a privacy question, use the Contact link in the site footer to reach us.