Privacy Policy

Last updated: March 17, 2026

Effective date: March 17, 2026

This Privacy Policy describes how CodeSentinel ("we", "us", "our") collects, uses, stores, shares, and protects your personal data when you use our Service. This policy is drafted to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Italian Privacy Code (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018), and the ePrivacy Directive (2002/58/EC).

1. Data Controller

The data controller responsible for your personal data is:

  • Data Controller (Titolare del trattamento): Masut Marco (sole proprietorship, Impresa Individuale)
  • Registered Office: Largo di Porta Cadore 5, 31029 Vittorio Veneto (TV), Italy
  • VAT Number (P.IVA): 05486240269
  • REA: TV - 447715
  • PEC: [email protected]
  • Privacy Contact: [email protected]

For any privacy-related inquiries, data access requests, or complaints, please contact us at [email protected].

2. Categories of Personal Data We Collect

2.1 Account & Identity Data

When you authenticate with GitHub OAuth, we receive and store:

  • GitHub username and user ID
  • Email address (as authorized by your GitHub OAuth consent)
  • Profile name and avatar URL
  • GitHub OAuth access token (encrypted at rest)

2.2 Repository & Code Data

When you connect repositories for review, we access:

  • Repository name, owner, and metadata
  • Pull request diffs, commit messages, and file contents (processed transiently for AI analysis)
  • Branch names and PR metadata (title, description, author)

Important: Source code diffs are processed in memory and transmitted to Anthropic's API for analysis. They are not persistently stored by CodeSentinel after the review is complete.

2.3 Review & Usage Data

  • Review Findings (severity, category, description, affected file paths)
  • Review timestamps, duration, and status
  • AI token usage and cost tracking data
  • Feature usage statistics (aggregated and anonymized)
  • Error logs (may contain file paths but not source code content)

2.4 Billing & Payment Data

  • Subscription plan, billing cycle, and payment status
  • Invoice history and amounts
  • Stripe customer ID and subscription ID

Note: We do NOT store or have access to your full credit card number, CVV, or banking details. All payment data is processed and stored by Stripe, our PCI-DSS compliant payment processor.

2.5 Technical & Device Data

  • IP address (for security, rate limiting, and fraud prevention)
  • Browser type, operating system, and device information
  • Referring URL and pages visited within the Service
  • Session identifiers (via secure, HTTP-only cookies)

2.6 Communication Data

  • Telegram chat ID (if you enable Telegram notifications)
  • Webhook URLs (if configured for notifications)
  • Email correspondence related to support requests

3. Legal Bases for Processing (Art. 6 GDPR)

We process your personal data on the following legal bases:

  • Providing the code review Service: Performance of contract (Art. 6(1)(b))
  • Processing payments and billing: Performance of contract (Art. 6(1)(b))
  • Account authentication via GitHub OAuth: Performance of contract (Art. 6(1)(b))
  • Sending service-related notifications: Legitimate interest (Art. 6(1)(f))
  • Security, fraud prevention, rate limiting: Legitimate interest (Art. 6(1)(f))
  • Improving Service quality and AI agents: Legitimate interest (Art. 6(1)(f))
  • Compliance with tax/legal obligations: Legal obligation (Art. 6(1)(c))
  • Marketing communications (if opted in): Consent (Art. 6(1)(a))
  • Telegram/webhook notifications: Consent (Art. 6(1)(a))

4. How We Use Your Data

  • Service Delivery: To authenticate you, connect your repositories, analyze pull requests, generate review Findings, and post results to GitHub.
  • Billing: To manage your subscription, process payments, track usage against plan limits, and generate invoices.
  • Notifications: To send review results and alerts via email, Telegram, or webhooks based on your configuration.
  • Security: To detect and prevent unauthorized access, abuse, fraud, and cyberattacks. This includes IP logging, rate limiting, CSRF protection, and anomaly detection.
  • Service Improvement: To analyze aggregated, anonymized usage patterns to improve our AI agents, optimize performance, and develop new features. We do NOT use Your Code for training AI models.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes, including Italian tax law (retention of billing records) and responding to lawful requests from authorities.

5. Sub-Processors & Third-Party Data Sharing

We share your data with the following categories of third-party processors, each bound by data processing agreements:

  • GitHub (Microsoft): OAuth authentication, repository access, PR comment posting. Data shared: OAuth tokens, review Findings. Location: USA
  • Anthropic: AI-powered code analysis. Data shared: Code diffs and file context (transient). Location: USA
  • Stripe: Payment processing. Data shared: Email, subscription data, payment info. Location: USA/EU
  • NeonDB: Database hosting (PostgreSQL). Data shared: All stored application data. Location: EU (AWS eu-central-1)
  • Vercel: Application hosting. Data shared: Request logs, IP addresses. Location: USA/EU
  • Telegram: Optional notification delivery. Data shared: Chat ID, notification content. Location: Various

We do NOT sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

6. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on the following safeguards as required by Chapter V of the GDPR:

  • EU-US Data Privacy Framework (DPF): For sub-processors certified under the EU-US Data Privacy Framework (e.g., GitHub/Microsoft, Stripe, Vercel).
  • Standard Contractual Clauses (SCCs): For sub-processors not covered by the DPF, we enter into EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) to ensure adequate data protection.
  • Supplementary Measures: Where required by the risk assessment, we implement supplementary technical measures such as encryption in transit (TLS 1.2+) and at rest.

7. Data Retention

We retain your data for the following periods:

  • Source code diffs (transient processing): Not stored (processed in memory only)
  • Account & identity data: Duration of account + 30 days after deletion
  • Review Findings & metadata: Duration of account + 90 days after deletion
  • Billing records & invoices: 10 years (Italian tax law, Art. 2220 Codice Civile)
  • Server/access logs (IP, user agent): 90 days
  • Security audit logs: 12 months
  • Support correspondence: 3 years after last interaction

After the applicable retention period, data is permanently deleted or irreversibly anonymized.

8. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR (Articles 15-22) and the Italian Privacy Code:

  • Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, together with information about the purposes of the processing, the categories of data concerned, the recipients, and the retention period.
  • Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): You have the right to request deletion of your personal data when: the data is no longer necessary for the purpose it was collected; you withdraw consent; you object to processing; or the data was unlawfully processed. This right may be limited by legal retention obligations (e.g., billing records).
  • Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you oppose erasure.
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit that data to another controller.
  • Right to Object (Art. 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You can withdraw consent by disconnecting integrations, disabling notifications, or deleting your account.
  • Right Not to be Subject to Automated Decision-Making (Art. 22): CodeSentinel uses AI to generate code review Findings. These Findings are informational suggestions and do not constitute automated decisions that produce legal or similarly significant effects on you. No automated decision with legal effect is made based on your personal data.

How to Exercise Your Rights:

  • Email: [email protected]
  • Include your GitHub username and the specific right you wish to exercise.
  • We will verify your identity before processing any request.
  • We will respond without undue delay and in any event within one month of receiving your request; this period may be extended by two further months for complex or numerous requests, in which case we will notify you of the extension and the reasons for it (Art. 12(3) GDPR).
  • Exercising your rights is free of charge, except for manifestly unfounded or excessive requests.

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it, or with the supervisory authority in your EU member state of residence.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR:

  • Encryption in Transit: All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at Rest: Sensitive data (OAuth tokens, API keys, TOTP secrets) is encrypted at rest using industry-standard encryption algorithms.
  • Authentication Security: JWT-based sessions with 7-day expiry, TOTP two-factor authentication, CSRF protection, and secure HTTP-only cookies.
  • Access Controls: Role-based access control (RBAC) with principle of least privilege. Access to production systems is restricted to authorized personnel.
  • Rate Limiting: API and authentication rate limiting to prevent brute-force attacks and abuse.
  • Input Validation: Server-side input validation and output encoding to prevent injection attacks (XSS, SQL injection).
  • Infrastructure Security: Managed hosting on Vercel and NeonDB with their respective security measures, including DDoS protection, automated backups, and network isolation.
  • Security Headers: Strict Content Security Policy (CSP), HSTS, X-Frame-Options, and other security headers are enforced.

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

10. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Italian Data Protection Authority (Garante) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR, unless the breach is unlikely to result in a risk to your rights and freedoms.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by Art. 34 GDPR.
  • Document all breaches, including their effects and remedial actions taken, in our internal breach register.

11. Cookies & Tracking Technologies

CodeSentinel uses cookies and similar technologies as follows:

11.1 Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled:

  • Session cookie (next-auth.session-token): Maintains your authenticated session. Secure, HTTP-only, SameSite=Lax. Expires after 7 days.
  • CSRF token (next-auth.csrf-token): Prevents cross-site request forgery attacks. Secure, HTTP-only.
  • Callback URL (next-auth.callback-url): Stores the redirect URL during OAuth authentication. Session-only.

11.2 No Tracking Cookies

We do NOT use:

  • Third-party analytics cookies (no Google Analytics, Mixpanel, etc.)
  • Advertising or retargeting cookies
  • Social media tracking pixels
  • Cross-site tracking technologies

Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive and GDPR.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

13. Automated Decision-Making & Profiling

CodeSentinel uses AI models to analyze code and generate review Findings. This constitutes automated processing but does NOT constitute automated decision-making that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR. Specifically:

  • AI-generated Findings are informational suggestions only — they do not trigger automatic actions, block deployments, or make decisions about your employment, creditworthiness, or legal standing.
  • All final decisions about your code remain with you as the human developer.
  • We do not engage in profiling that produces legal effects.

14. Do Not Track Signals

We do not track users across third-party websites. Because we do not engage in cross-site tracking, we do not respond to Do Not Track (DNT) browser signals. Our practices are the same regardless of whether you have DNT enabled.

15. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information is collected, used, and shared;
  • The right to delete personal information;
  • The right to opt-out of the "sale" or "sharing" of personal information.

We do NOT sell or share (as defined by CCPA/CPRA) your personal information. To exercise any of these rights, contact [email protected].

16. Changes to This Privacy Policy

  • We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
  • For material changes, we will provide at least 30 days' notice via email to registered users and/or by posting a prominent notice on the Service.
  • Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.
  • We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was last revised.

17. Contact Information

For any privacy-related inquiries, data subject access requests, or complaints, use the privacy contact details listed in Section 1 (Data Controller).

If you are not satisfied with our response, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it, or with the supervisory authority in your EU member state of residence, as described in Section 8.