This Policy describes how codingassist.bot, Inc. ("codingassist.bot", "we", "us") collects, uses, and shares personal data when you use our website (codingassist.bot), our application (app.codingassist.bot), and our API (api.codingassist.bot) (the "Service").
1. Who this applies to
This Policy applies to (a) visitors to our marketing site, (b) account holders of the Service, and (c) end users whose data is processed by an account holder through the Service. If you are an end user, the account holder is the controller of your data and codingassist.bot is the processor; address requests to the account holder first.
2. What we collect
Account data
When you sign up at app.codingassist.bot we collect your name, work email, organization name, and authentication identifiers from your SSO provider (e.g., GitHub, Google, Microsoft).
Repository and ticket content
With your explicit authorization, the Service reads (a) diffs and metadata from the repositories you connect, and (b) acceptance criteria from the issue trackers you link (Jira, Linear, GitHub Issues). This is the substantive content the Service reasons against. We process it; we do not own it.
Telemetry
We collect aggregated metrics about how the Service is used: counts of verdicts, latency, error rates, and feature adoption. Telemetry is not joined with the contents of your diffs or tickets.
Billing
Card data is collected directly by Stripe; we receive only a tokenized reference plus the last four digits of your card and the billing address you provide. We never see your full card number.
Cookies and similar technologies
On the marketing site we use cookies for: (i) session continuity, (ii) language preference, and (iii) privacy-respecting analytics (Plausible or PostHog, configured to anonymize IPs and disable cross-site tracking). We do not use third-party advertising cookies. You can opt out via your browser settings.
3. How we use it
- Deliver the Service — reason over your diffs and produce verdicts.
- Operate the platform — authenticate sessions, route traffic, prevent abuse, debug errors.
- Improve the Service — analyze aggregated telemetry to find slow paths and prioritize features. We do not train shared models on your Customer Data.
- Communicate — send service notices (mandatory) and product updates (opt-out via the unsubscribe link or in-app settings).
- Comply with law — respond to lawful requests, enforce our Terms, protect rights and safety.
5. How long we keep it
- Account data: while your account is active, plus 30 days after termination.
- Diffs and ticket content: processed in-memory; persisted only as needed for replay/audit (default 30 days, configurable on Business and Enterprise).
- Verdicts and audit trails: retained per your plan's compliance settings (up to 7 years for SOC 2 audit chains).
- Telemetry: aggregated metrics retained for 24 months in non-personal form.
- Billing records: retained as required by tax law (typically 7 years).
6. Security
We hold a SOC 2 Type II report covering Security, Availability, and Confidentiality. Customer Data in transit is protected by TLS 1.2+. Customer Data at rest is encrypted with AES-256. Access is scoped to least privilege and logged. The full security overview and the most recent report (under NDA) are at /security.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate data;
- Request deletion ("right to be forgotten");
- Restrict or object to certain processing;
- Port your data to another service;
- Withdraw consent where processing relies on consent;
- Lodge a complaint with your supervisory authority (EU/UK), the CPPA (California), or your local data-protection regulator.
Send rights requests to privacy@codingassist.bot. We respond within 30 days. We will not discriminate against you for exercising these rights.
8. International transfers
codingassist.bot is headquartered in the United States. If you are located outside the US, your data may be transferred to and processed in the US or other countries where our subprocessors operate. Where required, we rely on the EU Standard Contractual Clauses (SCCs), the UK Addendum, and equivalent transfer mechanisms; copies are available on request.
9. Children
The Service is not directed at children under 16. We do not knowingly collect their personal data. If you believe a child has provided us personal data, contact us and we will delete it.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced at least 30 days in advance via email to account owners and an in-app notice. The "Last updated" date at the top of this page always reflects the current version.
11. Contact and Data Protection Officer
For privacy questions, including rights requests and DPA execution, write to privacy@codingassist.bot.
For EU and UK data-protection matters, our Data Protection Officer can be reached at dpo@codingassist.bot.