Privacy Policy
Transparency about what data Codity.ai collects, how it is used, and the controls you have.
Last updated: March 10, 2026.
Information we collect
- Workspace & billing data — Company name, email addresses, billing contacts, plan, invoices, and subscription metadata needed to operate your account.
- Repository context — When you connect Git providers we ingest pull request diffs, comments, and metadata required for automated reviews. We never index entire repositories outside of the scopes you approve.
- Product analytics — We log feature usage, performance metrics, and crash reports to improve reliability. Non-essential analytics cookies are optional and controlled through cookie consent.
- Support and communications — If you contact support or request a demo, we process the submitted contact details and request history.
Legal bases for processing (GDPR)
- Contract performance — To provide AI code review, user accounts, billing, and support under your subscription agreement.
- Legitimate interests — To secure the platform, prevent abuse, monitor reliability, and improve product quality.
- Consent — For non-essential analytics cookies and demo-contact outreach where applicable.
- Legal obligations — To meet tax, accounting, and mandatory security/legal disclosure duties.
How we use your data
- To analyze pull requests and generate review suggestions with Codity AI models.
- To personalize dashboards, alerts, and onboarding based on team behavior.
- To detect abuse, spam, or behavior that violates our Terms of Use.
- To comply with legal obligations, including tax reporting and security disclosures.
AI processing
Codity.ai uses a mix of proprietary and partner LLMs. Customer code is encrypted in transit, processed ephemerally, and deleted once a response is returned.
- We do not use your code to train public versions of foundational models.
- Enterprise plans include SOC 2 and GDPR-compliant data handling commitments.
- Redaction and repository allowlists let you control exactly what Codity can inspect.
Data retention & security
Workspace data is stored in AWS with encryption at rest (AES-256). Backups are retained for 30 days to recover from disaster scenarios. A detailed Record of Processing Activities is available at /ropa.
- Access to production systems is protected with MFA, hardware keys, and logging.
- Audit logs for code reviews are retained for at least 12 months.
- You may request deletion of identifiable data at any time by emailing privacy@codity.ai.
Cross-border transfers
When personal data is transferred outside your region, Codity applies appropriate safeguards such as Standard Contractual Clauses (SCCs), contractual data processing terms, and technical controls documented in our DPA.
Your GDPR rights
- Access — Request a copy of the personal data we hold about you and how it is processed.
- Rectification — Request correction of inaccurate or incomplete personal data.
- Erasure — Request deletion where data is no longer necessary or processing is unlawful.
- Restriction — Request temporary restriction of processing while disputes are resolved.
- Portability — Receive your personal data in a structured, machine-readable format.
- Object — Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — Withdraw consent at any time where processing relies on consent.
- Complaint — Lodge a complaint with your local supervisory authority.
HIPAA and healthcare workloads
- Codity supports HIPAA-aligned controls for enterprise healthcare customers.
- Business Associate Agreements (BAA) are available for eligible plans.
- Healthcare customers can request additional administrative, physical, and technical safeguard documentation.
Cookie controls
- Essential cookies — Required for core security, session integrity, and site functionality.
- Analytics cookies — Optional and enabled only after affirmative consent via the cookie banner.
- Consent changes — You can change your cookie decision by clearing site storage and setting a new preference when the banner reappears.
How to exercise your rights
Email privacy@codity.ai with the subject line “Privacy Request”. For security, we may ask for identity verification before fulfilling requests.
We respond to privacy requests within 30 days. For GDPR requests, our standard timeline is one month from verification, extendable by up to two additional months for complex requests.