Privacy Policy
Last updated: 1 June 2026
[bracketed] placeholder with your real details and have qualified counsel review it before you rely on it commercially.
This Privacy Policy explains how [Your registered business name] (“CodeGuard”) handles information when you use CodeGuard. It is written to reflect how the Service is built to operate.
1. Information we collect
- Account data: your name, email address, plan, and a one-way hashed password (scrypt). We never store your password in plain text.
- Usage data: number of AI reviews used (for quotas), and basic request metadata used for rate-limiting and security.
- Uploaded code: the source archives you submit for review (see “Your code” below).
- Cookies / local storage: a signed session cookie (to keep you logged in) and a language-preference cookie. Your recent-review list is stored in your browser’s local storage, not on our servers.
2. Your code — how it is handled
Uploaded archives are unpacked and analyzed in memory for the duration of a review and are not written to disk or retained after your report is generated. We skip dependencies, binaries, and build artifacts. When the AI engine is enabled, only first-party source is sent to our model sub-processor over TLS to produce findings; that content is not used to train models, and zero-retention processing is used where available. The deterministic static engine can run with no outbound calls at all.
3. How we use information
- To provide and secure the Service (run reviews, generate reports, authenticate you).
- To enforce plan limits and prevent abuse.
- To process payments (via our payment processor) and provide support.
- To comply with legal obligations.
We do not sell your personal data or your code.
4. Sub-processors
We use a small set of vendors to operate the Service:
- Anthropic — AI model provider for the AI review engine (receives first-party source during AI reviews; does not train on API inputs).
- [Hosting provider, e.g. Vercel] — application hosting.
- [Key-value/database provider, e.g. Upstash / Vercel KV] — account storage.
- [Payment processor] and [payout provider] — billing and payouts (they receive billing details, not your code).
5. Legal bases & your rights
Where the GDPR applies, we process data to perform our contract with you, for our legitimate interests (securing and improving the Service), and to comply with law. We handle personal data in line with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) and, where applicable, the GDPR. Subject to law, you may request access, correction, deletion, export, or restriction of your personal data, and may object to certain processing. Contact us to exercise these rights.
6. Data retention
- Uploaded code: not retained after the review completes.
- Account data: kept while your account is active; deleted on request or a reasonable period after closure, subject to legal retention needs.
7. Security
We use TLS in transit, hashed passwords, signed session cookies, rate limiting, and in-memory processing of uploaded code. No method is perfectly secure, but we design to minimize exposure. See our Security overview.
8. International transfers
Your data may be processed in countries other than yours (e.g. where our sub-processors operate). Where required, we rely on appropriate safeguards for such transfers.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect their data.
10. Enterprise & DPA
A Data Processing Addendum (DPA) is available for Enterprise customers on request at [privacy@yourdomain.com].
11. Changes & contact
We may update this policy; changes are posted here with a new date. Questions or requests: [privacy@yourdomain.com] (“[Your registered business name], [address]”).