implement security policy

Author: RubenHalman

README.md

@@ -47,6 +47,9 @@ Also ensure the following:
 - Workflows have read and write permissions in the repository.
 - Allow GitHub Actions to create and approve pull requests.
 
+**Privacy:** Zero user data collected. All processing is client-side.
+→ See Data Handling in our [Security Policy](https://github.com/Flow-Scanner/lightning-flow-scanner-vsx?tab=security-ov-file).
+
 ### Run On Pull Requests
 
 `on:pull_request` will trigger Flow Scanner to scan changed flow files every time a pull request is opened.

SECURITY.md

@@ -13,7 +13,9 @@ If you discover a security vulnerability, please report it using [GitHub vulnera
 
 ## Data Handling
 
-This project collects zero user data. No credentials, PII, payment info, or health data is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to any external services.
+This project collects zero user data. No credentials, PII, payment info, health data, or user content is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to external services.
+
+**Note:** We temporarily fetch metadata (e.g., Flow metadata, timestamps) in-memory only for real-time functionality during your session. This data is never stored, logged, or transmitted and is discarded immediately when the session ends.
 
 ## Dependencies