Privacy Policy

We collect the following categories of information:

• Account information: Your GitHub username, email address, and profile image when you sign in via GitHub OAuth.
• Repository data: Repository names, installation IDs, and configuration for repos where you install CodeComments.
• Code diffs: Pull request diffs are temporarily processed for review. Code diffs are sent to Anthropic's Claude API for analysis and are not stored after review.
• Usage data: Review counts, comment counts, and aggregate statistics for your dashboard.
• Payment information: Billing is handled by Stripe. We store your Stripe customer ID but never store credit card numbers or payment details directly.

We use your information to:

• Provide and operate the code review service
• Authenticate your identity and manage your account
• Process pull request diffs and generate review comments
• Display usage statistics and review history on your dashboard
• Process payments and manage subscriptions
• Send important service notifications (security, billing, outages)
• Improve the Service and fix bugs

We do not sell your personal information. We share data only with the following categories of service providers, solely to operate the Service:

• AI analysis provider (Anthropic):Code diffs are sent to Anthropic's Claude API for review. Anthropic does not retain API input data for model training. See Anthropic's Privacy Policy.
• Payment processor (Stripe): Handles subscription billing. See Stripe's Privacy Policy.
• Source code platforms (GitHub / GitLab): We interact with these platforms via their APIs to fetch diffs and post review comments on your behalf.
• Cloud hosting and database providers: US-based infrastructure providers host the application and store account data under standard data-processing agreements. A current list of sub-processors is available on request at hello@codecomments.ai.

We implement industry-standard security measures to protect your data:

• All connections use TLS 1.3 encryption
• Webhook payloads are verified via HMAC-SHA256 signatures
• Secrets and tokens are stripped from code diffs before and after AI analysis
• Database access is encrypted and scoped per user
• OAuth tokens are stored encrypted and never exposed to the client

• Code diffs: Not stored. Processed in memory and discarded after review.
• Review metadata: PR title, review status, file count, and comment count are retained for your dashboard and analytics.
• Account data: Retained until you delete your account.
• Webhook logs: Retained for 30 days for debugging, then automatically deleted.

Under GDPR, CCPA, and other applicable privacy laws, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your account and all associated data. Use the account deletion feature in your dashboard or contact us.
• Portability: Request an export of your data in a machine-readable format.
• Opt-out: We do not sell personal information. California residents may exercise their right to opt out under the CCPA.

To exercise any of these rights, contact us at hello@codecomments.ai. We will respond within 30 days.

We use only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. The session cookie is set by NextAuth and is required for the dashboard to function.

The Service is not intended for users under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.