1. Information We Collect
We collect information you provide directly:
- Account Information — Name, email address, organization name, and role
- Authentication Data — OAuth tokens from GitHub, GitLab, Bitbucket, or Google
- Repository Metadata — Repository names, branches, and file structure (not code content at rest)
- Usage Data — Scan history, feature usage, and interaction patterns
- Payment Information — Processed securely via Stripe or Razorpay (we do not store card numbers)
2. How We Use Information
- Providing and improving the security scanning service
- Processing scan requests and generating vulnerability reports
- Sending scan completion notifications and weekly security digests
- Billing and subscription management
- Responding to support requests
- Analyzing usage patterns to improve the product (aggregated, anonymized)
3. Source Code & Scan Data
This is the most important section for security-conscious teams:
- Ephemeral Processing — Source code is cloned into isolated containers during scanning and deleted immediately after the scan completes
- No Persistent Storage — We do not store your source code on our servers at rest
- Scan Results — Vulnerability findings, severity ratings, and remediation suggestions are stored and associated with your organization
- AI Processing — Code snippets may be sent to AI providers (OpenAI, Google, Anthropic) for triage analysis. These providers do not retain your data for training.
- Tenant Isolation — All scan data is strictly isolated per organization with enforced access controls
4. Information Sharing
We do not sell your personal information. We share data only with:
- Infrastructure Providers — Cloud hosting and database services necessary to operate the platform
- Payment Processors — Stripe and Razorpay for subscription billing
- AI Providers — For vulnerability triage (with strict data processing agreements)
- Legal Requirements — When required by law or to protect our rights
5. Data Security
We implement industry-standard security measures:
- TLS encryption for all data in transit
- AES-256 encryption for sensitive data at rest (OAuth tokens, API keys)
- Role-based access control (RBAC) with organization-level isolation
- Regular security audits and penetration testing
- SOC 2 Type II compliance (in progress)
6. Data Retention
Scan results and account data are retained for the duration of your subscription. Upon account deletion:
- Account data is deleted within 30 days
- Scan results and vulnerability data are permanently removed
- Anonymized, aggregated analytics may be retained
- Backup copies are purged within 90 days
7. Your Rights
Under GDPR (EU/EEA users), you have the right to:
- Right to Access — Download all personal data we hold about you in JSON format
- Right to Rectification — Correct inaccurate information in your account settings
- Right to Erasure — Request permanent deletion of your account and all associated data (30-day grace period)
- Right to Data Portability — Export your data in machine-readable JSON format
- Right to Object — Opt out of non-essential email communications at any time
Under CCPA (California users), you have the right to:
- Know what personal information is collected and how it is used
- Request deletion of personal information
- Opt out of the sale of personal information (we do not sell your data)
How to exercise your rights:
- Go to Settings → Privacy & Data in your dashboard to download your data or delete your account
- Email privacy@codestax.co for any data-related requests
- We respond to all requests within 30 days as required by law
8. Cookies & Tracking
We use essential cookies only for authentication and user preferences. We do not use:
- Third-party advertising or tracking cookies
- Cross-site tracking pixels
- Behavioral profiling tools
Data stored in your browser (localStorage) includes your authentication token, theme preference, and onboarding status. This data is cleared when you log out or delete your account.
9. Children's Privacy
CodeStax is not intended for users under the age of 16. We do not knowingly collect personal information from children.
10. International Transfers
Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for cross-border data transfers, including standard contractual clauses where required.
11. Policy Changes
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.