introduce security policy

Author: RubenHalman

README.md

@@ -46,15 +46,16 @@ Customize the scan behavior using the following options:
 
   -p, --files <C:\..\flow1.flow, C:\..\flow2.flow>                  provide a space-separated list of flow paths to scan.
 
-  -u, --targetusername <username>                                   retrieve the latest metadata from the target before the scan.
-
   -d, --directory <C:\..\force-app\main\default\flows>              provide a directory to scan.
 
   --json                                                            set output format as json.
 
   --loglevel=(trace|debug|info|warn|error|fatal)                    [default: warn] logging level.
 ```
 
+**Privacy:** Zero user data collected. All processing is client-side.
+→ See Data Handling in our [Security Policy](https://github.com/Flow-Scanner/lightning-flow-scanner-cli?tab=security-ov-file).
+
 ## Configuration
 
 Create a .flow-scanner.json file in order to configure:

SECURITY.md

@@ -12,7 +12,9 @@ If you discover a security vulnerability, please report it using [GitHub vulnera
 
 ## Data Handling
 
-This project collects zero user data. No credentials, PII, payment info, or health data is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to any external services.
+This project collects zero user data. No credentials, PII, payment info, health data, or user content is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to external services.
+
+**Note:** We temporarily use metadata (e.g., Flow metadata, timestamps) in-memory only for real-time functionality during your session. This data is never stored, logged, or transmitted and is discarded immediately when the session ends.
 
 ## Dependencies