Privacy Policy
Last updated: March 6, 2026
codesentinal AI ("codesentinal", "we", "us", or "our") operates the codesentinal.com platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
Account Information
When you sign up via GitHub or Google OAuth, we receive your name, email address, profile picture URL, and a unique provider identifier. We do not receive or store your OAuth password.
Repository Metadata
When you connect repositories via our GitHub App, we access repository names, default branch, language, and file tree structure. We request read-only access to file contents solely for audit analysis.
Source Code
Source code is fetched from GitHub during an audit, analyzed in memory by our AI agents, and never stored permanently. Code is purged from our systems immediately after audit completion. Only the resulting findings (file paths, line numbers, descriptions, and code snippets relevant to findings) are retained.
Usage Data
We collect anonymized usage analytics (pages visited, features used, audit frequency) via PostHog. This data is only collected if you have accepted analytics cookies.
Payment Information
Payment processing is handled entirely by Stripe. We never see or store your credit card details. We retain your Stripe customer ID and subscription status.
2. How We Use Your Information
- To provide, operate, and maintain the code audit service
- To process your transactions and manage your subscription
- To send transactional emails (audit results, critical findings, payment confirmations)
- To improve our service through anonymized usage analytics
- To detect and prevent abuse, fraud, and security threats
- To comply with legal obligations
3. Sub-Processors
We use the following third-party services to operate codesentinal:
| Service | Purpose | Data Processed |
|---|---|---|
| Anthropic (Claude) | AI code analysis | Source code (in transit, not stored) |
| Neon | Database | Account data, audit findings |
| Upstash | Cache & queues | Session tokens, job metadata |
| AWS S3 | Report storage | Generated audit reports (encrypted) |
| Stripe | Payments | Billing information |
| Resend | Email delivery | Email address, notification content |
| Sentry | Error tracking | Error traces (no PII) |
| PostHog | Analytics | Anonymized usage events (with consent) |
| Vercel | Hosting | HTTP requests, server logs |
4. Data Retention
- Source code: Never stored. Processed in memory only during audit execution.
- Audit findings: Retained for the lifetime of your account.
- Generated reports: Stored in encrypted S3 for 90 days, then automatically deleted.
- Account data: Retained until you delete your account.
- Analytics data: Anonymized and retained for up to 12 months.
5. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or a jurisdiction with similar data protection laws, you have the following rights:
- Access: Request a copy of all personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your account and all associated data. Use Settings > Danger Zone > Delete Account, or email us.
- Data Portability: Export your data in JSON format via Settings > Export My Data.
- Objection: Object to processing of your data for analytics purposes by rejecting analytics cookies.
- Withdraw Consent: Withdraw cookie consent at any time via the cookie settings on our site.
6. Security
We implement industry-standard security measures including: AES-256 encryption for stored tokens, TLS 1.3 for all data in transit, encrypted S3 storage for reports, GitHub App installation tokens (not stored OAuth tokens) for repository access, and isolated ephemeral processing environments for code analysis. We do not log personally identifiable information.
7. International Transfers
Your data may be transferred to and processed in the United States and European Union, where our infrastructure providers operate. We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.
8. Children's Privacy
codesentinal is not directed to individuals under the age of 16. We do not knowingly collect personal information from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our website. Your continued use of the service after changes become effective constitutes acceptance of the updated policy.
10. Contact Us
For privacy-related inquiries, data subject requests, or concerns, contact us at: privacy@codesentinal.com