Privacy Policy

1. Introduction and Definitions

This Privacy Policy ("Policy") governs the privacy practices of CodeCanary ("we," "us," "our") with respect to our website codecanaryhq.com and associated services (collectively, the "Service").

For the purposes of this Policy:

  • "User," "you," and "your" refer to any individual or entity using our Service.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means.

2. Information We Collect

2.1 Account Information:

  • Email address
  • Full name
  • Password hash
  • IP address and other technical identifiers

2.2 GitHub Integration Data:

  • Names of repositories accessible to CodeCanary Collector
  • Latest commit hash scanned for each repository
  • OAuth tokens (stored securely and used solely for authentication purposes)

2.3 Vulnerability Data:

  • List of detected vulnerabilities
  • Metadata associated with each vulnerability
  • Severity ratings and potential impact assessments

2.4 Usage Data:

  • Access logs
  • Service utilization metrics
  • Feature interaction data
  • Performance and error logs

3. Legal Basis for Processing

We process your Personal Data on the following legal grounds:

  • Performance of a contract when we provide you with our Service
  • Your consent, which you can withdraw at any time
  • Legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms
  • Compliance with a legal obligation to which we are subject

4. How We Use Your Information

We use your information for the following purposes:

  • To provide, maintain, and improve our Service
  • To detect, prevent, and address technical issues and security vulnerabilities
  • To comply with legal obligations and enforce our terms of service
  • To communicate with you about service-related matters
  • To analyze usage patterns and optimize user experience
  • To protect our rights, property, or safety, and that of our users or others

5. GitHub Integration and Data Access

5.1 Our Service requires access to your GitHub repositories through the CodeCanary Collector integration. By installing this integration, you explicitly grant us permission to access and scan the repositories you select.

5.2 We do not store, process, or retain any source code from your repositories beyond the scanning process. Our access is limited to:

  • Reading repository contents for vulnerability scanning
  • Collecting metadata such as repository names and commit hashes
  • Analyzing dependencies and configuration files for security issues

5.3 You may revoke our access to your GitHub repositories at any time through your GitHub settings. Upon revocation, we will cease all data collection from the affected repositories and delete any associated metadata within 30 days, except where retention is required by law or for legitimate business purposes.

6. Data Retention and Deletion

6.1 We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

6.2 You may request deletion of your account and associated data at any time. Upon such request, we will delete your Personal Data within 30 days, unless:

  • Retention is required by applicable law
  • Retention is necessary for the establishment, exercise, or defense of legal claims
  • Anonymized or aggregated data derived from your Personal Data is retained for analytical purposes

7. Data Sharing and Third-Party Processors

7.1 We do not sell, trade, or rent your Personal Data to third parties. We may share your information with:

  • Service providers and subprocessors who assist in operating our Service, subject to contractual data protection obligations
  • Legal authorities when required by law or to protect our rights
  • Affiliated entities or successors in the event of a merger, acquisition, or business transfer

7.2 All third-party processors are contractually obligated to use any shared data solely for the purposes specified by us and in accordance with this Policy and applicable data protection laws.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those of your country. We implement appropriate safeguards, such as Standard Contractual Clauses, to ensure that any such transfers comply with applicable data protection laws.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

  • Right to access and receive a copy of your Personal Data
  • Right to rectify inaccurate Personal Data
  • Right to request deletion of your Personal Data
  • Right to restrict or object to our Processing of your Personal Data
  • Right to data portability
  • Right to withdraw consent at any time, where Processing is based on your consent

To exercise these rights, please contact us using the information provided in the "Contact Us" section. We may need to verify your identity before responding to your request.

10. Security Measures

We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection and security practices

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

11. Children's Privacy

Our Service is not directed to children under the age of 16. We do not knowingly collect Personal Data from children under 16. If you become aware that a child has provided us with Personal Data without parental consent, please contact us, and we will take steps to remove such information and terminate the child's account.

12. Changes to This Policy

We may update this Policy from time to time. The updated version will be indicated by an updated "Revised" date and will be effective as soon as it is accessible. We encourage you to review this Policy frequently to stay informed of how we are protecting your information.

13. Dispute Resolution

If you have any complaints regarding our compliance with this Policy, please contact us first. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with this Policy and applicable data protection laws.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: [email protected]

Address: [Insert your company's physical address]

Data Protection Officer: [Insert DPO's name or contact information if applicable]

Last updated: 13/08/2024