Privacy
Effective 2026-05-13 · Mid-Atlantic AI · [email protected]
PreFlight is a static security audit that runs entirely in your browser tab. The privacy story below isn’t a promise. It’s a description of how the app is built. There is no backend that could leak your data because there is no backend.
What we don’t do
- No account, no signup, no login.
- No analytics SDK. No tracking pixels. No fingerprinting.
- No remote telemetry. No “anonymous usage” beacons.
- No advertising. No third-party trackers.
- No cookies set by PreFlight.
- No upload of your source code to Mid-Atlantic AI infrastructure. Ever.
What stays in your browser
PreFlight uses your browser’s localStorage to remember the following between visits. It never leaves your machine.
- Your last few scan results (up to 10, so you can view or re-run).
- Your suppression decisions (false-positive / wont-fix / accepted-risk tags).
- Your AI provider configuration if you set one up (provider name, model, API key).
- Your GitHub personal access token if you set one up for private repo scanning.
- A counter of local actions (scans started, exports clicked) used only to populate the Diagnostics panel you can view yourself in Settings.
You can clear all of it at any time by clearing site data for preflight.midatlantic.ai in your browser. The Settings → Diagnostics tab also has a Reset Counters control for the local action counter.
When AI features run
PreFlight ships two optional AI surfaces. Both use your own credentials and run entirely in your browser.
- Copy Agent Prompt: formats a prompt and writes it to your clipboard. You paste it into whatever AI tool you already use. PreFlight does not execute the prompt and does not know whether you used it.
- Explain & Verify: if you’ve configured an AI provider in Settings, clicking this button sends a single finding to your chosen provider using your API key. The request goes from your browser directly to your provider (api.openai.com, api.anthropic.com, etc.). PreFlight’s origin never sees the request, the response, or your API key. Whatever the AI provider does with the request is governed by their terms.
When you scan a GitHub URL
Your browser fetches the repository contents from raw.githubusercontent.com directly. PreFlight’s origin never sees the URL or the source code. GitHub’s servers see the request the same way they would for any browser visiting a public repo.
What our infrastructure does see
PreFlight is hosted on Cloudflare Pages. At the edge, Cloudflare records standard server-access data for every static asset request (your IP address, the file path you requested, the user agent, a timestamp). This logging happens for every site hosted on Cloudflare and exists for reliability, abuse prevention, and DDoS mitigation. We do not operate or have direct access to the raw logs; they live with Cloudflare under their own operational controls.
Cloudflare aggregates that data into a site-metrics dashboard the PreFlight maintainers can view. The dashboard shows aggregate counts: page views per path (e.g., how many people opened /learn/glossary last week), bandwidth used, country-level geographic distribution, top referring domains, HTTP status codes. We use it to answer questions like "is the site being used" and "which Learn pages do people actually open." We do not use it, and cannot use it, to identify individual users, follow sessions, build behavior funnels, or correlate visits across time.
PreFlight has not added any analytics JavaScript to the page. There is no Google Analytics, no Plausible, no Fathom, no third-party tracking SDK, no fingerprinting library. The aggregation in the paragraph above happens at Cloudflare’s edge from the access logs they already generate. Your browser does not run any tracking code that PreFlight installed.
Changes and audit trail
PreFlight is open source. Every change to the application, including changes to this policy, is publicly tracked in the git history at github.com/midatlanticAI/PreFlight. If you want to verify any claim on this page, check the source.
Children
PreFlight does not collect any data about anyone, including children. We don’t target the service to children specifically. If you are under 13, the privacy controls above apply to you the same way they apply to every other visitor.
Contact
Questions, corrections, or a request to remove access-log data: email [email protected]. We typically respond within a week.