Privacy Policy
Last updated: June 1, 2026
This Privacy Policy describes how grepit (“we,” “us,” or “our”), operated at grepit.co, collects, uses, shares, and protects your personal information when you use our codebase analysis platform and related services (collectively, the “Service”). By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
Account Data: When you create an account, we collect your name, email address, profile picture, and authentication credentials through our identity provider (Clerk). If you sign in via GitHub OAuth, we receive your GitHub username, avatar, and email address.
Repository Data: When you connect a repository for analysis, we access repository metadata (name, structure, file paths, language composition) and source code content via the GitHub API. We process source code to generate analysis results but do not permanently store raw source code (see Section 12).
Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, queries submitted, analysis reports generated, timestamps, session duration, and interaction patterns.
Payment Data: When you subscribe to a paid plan, Dodo Payments collects and processes your payment information (credit/debit card and other methods supported in your region). We receive only a payment reference ID and subscription status. We never receive your full payment credentials.
Device & Browser Data: We collect your IP address, browser type and version, operating system, device type, screen resolution, referring URL, and general geographic location (country/region level) for security, analytics, and service optimization purposes.
2. How We Use Information
- Service Delivery: To provide codebase analysis, generate reports, power AI chat, create architecture diagrams, and deliver security audits.
- Account Management: To create and maintain your account, authenticate sessions, and manage access permissions.
- Billing & Subscriptions: To process payments, manage subscription tiers, enforce usage limits, and send billing-related communications.
- Service Improvement: To understand usage patterns, identify bugs, optimize performance, and develop new features based on aggregated analytics.
- Communication: To send transactional emails (account verification, password resets, billing receipts), service announcements, and, with your consent, product updates.
- Security & Fraud Prevention: To detect and prevent unauthorized access, abuse, rate limit violations, and other malicious activity.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following lawful bases:
- Performance of Contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you have subscribed to, including account creation, repository analysis, and subscription management.
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as opting in to marketing communications or enabling optional analytics tracking.
- Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, including service improvement, security monitoring, fraud prevention, and product analytics, balanced against your rights and freedoms.
- Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with legal obligations, such as tax reporting and responding to lawful data access requests.
4. Data Sharing & Third-Party Services
We do not sell your personal data. We share data with the following third-party service providers solely to operate and improve the Service:
- Clerk (authentication & user management): Receives your email, name, profile picture, OAuth tokens, and session data to manage authentication and user identity.
- Dodo Payments (payment processing): Receives your payment method details and email to process payments and manage subscriptions.
- GitHub API (repository access): Receives your OAuth access token to fetch repository metadata and source code content on your behalf. Access is scoped to permissions you explicitly grant.
- OpenRouter (AI inference): Receives code snippets and contextual data from your repositories to generate analysis results, answer queries, and produce insights. No personally identifiable information is sent beyond the code content.
- Additional AI providers (when configured): May receive the same code analysis data as OpenRouter when used as fallback inference providers.
- Neon (PostgreSQL database hosting): Stores your account data, analysis results, architecture maps, indexed metadata, subscription records, and usage data in encrypted databases hosted in the United States.
- Sentry (error monitoring & session replay): Receives error logs, stack traces, browser metadata, session replay data, and performance metrics to help us identify and fix bugs.
- PostHog (product analytics): Receives anonymized usage events, page views, feature interactions, session recordings, and device metadata to help us understand product usage and improve the Service.
- Upstash Redis (rate limiting & caching): Stores temporary rate limit counters and cached data keyed by user identifiers to enforce usage limits and improve performance.
- Resend (transactional email): Receives your email address and name to deliver account notifications, billing receipts, and service communications.
- Vercel (hosting & infrastructure): Processes all HTTP requests through their edge network and CDN. Receives IP addresses, request headers, and serves the application. Logs are retained per Vercel's data retention policies.
- CheckDisposable Email (email validation): Receives the domain portion of your email address during sign-up to verify it is not a disposable/temporary email provider. No full email addresses are stored by this service.
Each third-party provider is contractually obligated to process data only as instructed by us and to maintain appropriate security measures. We conduct periodic reviews of our sub-processors' privacy and security practices.
5. Data Retention
- Account Data: Retained for the duration of your account. Upon account deletion, most personal data and analysis results are purged within 30 days, except where retention is required by law.
- Account Deletion Feedback: If you delete your account, we ask for a short reason why you are leaving. We store only that text (and your plan tier at deletion time), with no email, name, or user identifier, so we can improve the product. You cannot be identified from this feedback.
- Analysis Results: Retained while your account is active. Deleted within 30 days of account deletion or upon your explicit request.
- Raw Source Code: Processed transiently during analysis and not permanently stored. Temporary caches are purged within 24 hours.
- Payment Records: Retained for 7 years as required by tax and financial regulations.
- Usage & Analytics Data: Retained in anonymized/aggregated form for up to 24 months for product improvement purposes.
- Error Logs: Retained for 90 days for debugging purposes, then automatically deleted.
- Email Communications: Transactional email logs are retained for 30 days.
6. Data Security
We implement industry-standard technical and organizational measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Database contents and backups are encrypted using AES-256 encryption.
- Access Controls: Internal access to production data is restricted to authorized personnel using role-based access controls and multi-factor authentication.
- Infrastructure Security: Our hosting infrastructure (Vercel, Neon) maintains SOC 2 Type II compliance and undergoes regular security audits.
- Incident Response: We maintain an incident response plan. If we discover a data breach that poses a risk to users' rights and freedoms, we will notify affected users within 72 hours of discovering it and notify the competent supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33 (Article 34 governs communication to affected individuals).
- Regular Reviews: We conduct periodic security assessments and update our practices in response to emerging threats.
7. International Data Transfers
Our Service is primarily hosted in the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection, we rely on:
- Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with our sub-processors to ensure appropriate safeguards for cross-border data transfers.
- EU-US Data Privacy Framework: Where applicable, we rely on service providers that have certified under the EU-US Data Privacy Framework.
- Supplementary Measures: We implement additional technical and organizational measures (encryption, access controls, data minimization) to supplement transfer mechanisms where necessary.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Right to Restriction: Request that we limit the processing of your personal data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests, including profiling and direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your local data protection authority if you believe your rights have been violated.
To exercise any of these rights, contact us at support@grepit.co. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may request additional information to verify your identity before processing your request.
UK GDPR: If you are a UK resident, you have equivalent rights under the UK General Data Protection Regulation and may lodge complaints with the Information Commissioner's Office (ICO).
PIPEDA (Canada): Canadian residents have the right to access, correct, and challenge the accuracy of their personal information under the Personal Information Protection and Electronic Documents Act. Contact our Privacy Officer to exercise these rights.
Australian Privacy Act: Australian residents may access and correct their personal information under the Australian Privacy Principles. If you believe we have breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share data.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. Therefore, there is no need to opt out of sale or sharing.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a verifiable consumer request, email support@grepit.co with the subject line “CCPA Request.” We will verify your identity and respond within 45 days.
Categories of personal information collected in the preceding 12 months: Identifiers (name, email, IP address), commercial information (subscription history), internet activity (usage data, browsing history within the Service), and professional information (GitHub profile data).
10. Cookies & Tracking Technologies
We use the following cookies and tracking technologies:
- Essential Cookies: Required for authentication (Clerk session tokens), security (CSRF protection), and core Service functionality. These cannot be disabled.
- Analytics Cookies (PostHog): Used to collect anonymized usage data including page views, feature interactions, session recordings, and user flows. These help us understand how the Service is used and identify areas for improvement.
- Performance Cookies: Used to monitor application performance and error rates (Sentry).
Managing Cookies: You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service. You may opt out of PostHog analytics by enabling “Do Not Track” in your browser or by contacting us. We honor Global Privacy Control (GPC) signals.
We do not use third-party advertising cookies or participate in ad networks.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at support@grepit.co.
12. Code & Repository Data
We take the privacy of your source code seriously. Here is how we handle repository data:
- No Permanent Storage of Raw Source Code: We do not permanently store your raw source code. Code is fetched from GitHub, processed for analysis, and discarded. We retain generated analysis results (summaries, architecture maps, Start Here paths, insights, metrics, diagrams) and searchable indexed metadata derived from your repository.
- Indexed Metadata & Embeddings: To power grounded answers and semantic search, we store structural metadata and vector embeddings derived from your code. These are not full file copies but mathematical representations used to retrieve relevant context when you ask questions.
- Temporary Processing: During analysis, code may be temporarily held in memory or short-lived caches (Upstash Redis) for processing efficiency. These caches are automatically purged within 24 hours.
- No Sharing with Third Parties: Your repository content is never shared with, sold to, or made accessible to third parties beyond the AI inference providers necessary to generate analysis results (see Section 13).
- Access Scope: We only access repositories you explicitly authorize. We request the minimum GitHub permissions necessary to perform analysis.
- Deletion: When you disconnect a repository or delete your account, associated analysis results and operational data are permanently deleted. Account deletion removes your Clerk identity and all linked data in our database; only the anonymized exit feedback described in Section 5 may remain.
13. AI Processing
Our Service uses artificial intelligence to analyze your code and generate insights. Here is how AI processing works:
- How Code is Sent to AI Providers: Relevant code snippets, file structures, and contextual information are sent to our configured AI inference providers (e.g. OpenRouter) via encrypted API calls to generate analysis results, answer your queries, and produce reports.
- No Training on Your Data: Your code and data are NOT used to train, fine-tune, or improve any AI models. Our AI providers process your data solely for inference (generating responses) and do not retain it for model training purposes. We have contractual agreements with our AI providers prohibiting the use of customer data for model training.
- Data Minimization: We send only the minimum code context necessary to generate accurate analysis results. We do not send your entire repository to AI providers in a single request.
- No Human Review: Your code is not reviewed by humans at our AI providers as part of the analysis process, except in cases where required to investigate abuse or comply with legal obligations.
- Accuracy Disclaimer: AI-generated analysis results are provided for informational purposes only. They may contain inaccuracies and should not be relied upon as definitive security, legal, or architectural advice.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email (using the address associated with your account) or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes. We encourage you to review this page periodically.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer (DPO): For GDPR-related inquiries, you may contact our Data Protection Officer at support@grepit.co. Our DPO is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws.
EU Representative: If you are located in the EEA and wish to exercise your rights or have concerns about our processing of your data, you may also contact our EU representative at support@grepit.co.
We aim to respond to all legitimate inquiries within 30 days. If your request is particularly complex or you have made multiple requests, we may need up to 60 days, in which case we will notify you of the extension and the reasons for it.