Privacy Policy

1. What we collect

  • Account data: name, email address, organization name, and role.
  • Repository metadata: GitLab instance URL, project identifiers, and webhook configuration required to operate the integration.
  • Code diffs processed for reviews: commit and merge request diffs retrieved from your Git provider at review time. Diffs are processed in memory and are not persistently stored.
  • Review findings and reports: structured findings from security and code review, severity verdicts, affected file paths, line references, and review timestamps.
  • Acceptance decisions and audit logs: records of findings marked as accepted, the rationale provided, author attribution, and timestamp. These form the audit trail accessible from the dashboard.
  • Billing and account data: subscription plan, usage metrics (completed review counts), and payment information processed via our payment provider.
  • Technical data: IP address, browser type, and basic usage analytics used to operate and improve the service.

2. How we use data

  • Provide and operate the CodeGuards.io repository-aware review platform.
  • Process review requests, generate findings and reports, and deliver verdicts to merge requests and the dashboard.
  • Maintain review history, audit logs, and evidence trails for compliance purposes.
  • Process billing, track usage, and prevent fraud or abuse.
  • Improve detection quality, platform performance, and reliability.
  • Send transactional communications (review results, billing notices, security alerts).

3. Code diffs and source code

CodeGuards.io requests commit and merge request diffs from your Git provider using the access token you provide. These diffs are used solely to perform the enabled review products. We do not clone repositories, copy full source files, or store raw diff content after the review completes. Only structured findings derived from the review are retained.

4. Data sharing

We do not sell personal data. We may share data with trusted sub-processors — including cloud infrastructure, monitoring, payment, and email providers — only to the extent needed to operate the service. A list of sub-processors is available on request.

5. Data retention

Account and billing data is retained as required by applicable law. Review findings, audit logs, and acceptance records are retained while your workspace is active and for a period after cancellation to support any pending billing or compliance requests. Raw diff data is not retained after a review completes. You may request deletion of your workspace data by contacting us; some records may be retained where required by law or for legitimate operational purposes.

6. Data residency and transfers

All review processing and data storage take place within the European Union. We do not transfer personal data outside the EU/EEA except where a sub-processor operates under an approved transfer mechanism (Standard Contractual Clauses or equivalent).

7. Security

We use standard technical and organizational measures to protect data, including TLS 1.3 for data in transit and AES-256 encryption for data at rest. Access tokens are never logged. No security measure can be guaranteed to be 100% effective; we will notify affected customers of any breach as required by applicable law.

8. Your rights (GDPR)

If you are located in the EU/EEA, you have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise any of these rights, contact us at team@codeguards.io. You also have the right to lodge a complaint with your local data protection authority.