Privacy

Privacy Policy

Transparency about what data Codity.ai collects, how it is used, and the controls you have.

Last updated: March 10, 2026.

1. Introduction

Codity Inc. ("Codity", "Codity.ai", "we", "our", or "us") respects your privacy and is committed to protecting it through our compliance with this Privacy Policy ("Policy"). A core element of our mission is protecting your personal information and being transparent about the data we collect about you, how it is used, and with whom it is shared.

This Policy describes our practices for collecting, using, maintaining, protecting, and disclosing your information through codity.ai (our "Website"), our applications and integrations (our "Apps"), and our products, services, AI code review platform, and related applications (collectively, the "Services").

Please read this Policy carefully to understand our practices regarding your information and how we will treat it. If you do not agree with it, your choice is not to use our Services. By accessing or using our Services, you agree to this Policy. This Policy may change from time to time (see Changes to this Policy). Your continued use of our Services after we make changes is deemed acceptance of those changes, so please check the "Last updated" date at the top of this Policy to ensure you are viewing the most current version.

2. Information we collect and how we collect it

We collect only the minimum amount of information needed to provide you with our Services. For example, we collect basic contact information when you sign up for an account. You do not have to give us any information, but you will not be able to use our Services without registering for an account.

Information you provide to us

  • Account & personal information — When you register, we collect information that identifies you, such as your name and email address, along with company name, billing contacts, plan, and subscription metadata needed to operate your workspace.
  • Payment information — When you purchase a paid plan we process billing details such as billing address and the financial information needed for the transaction. We do not collect or store full card numbers; payment data is collected and stored by our PCI-compliant payment processors. By submitting payment information, you consent to our sharing it with those providers as reasonably necessary to process your transactions.
  • Support & communications — If you contact support, request a demo, or post to our forums or ticketing channels, we process the submitted contact details and request history. Content you post publicly is shared at your own risk; use caution when posting personal information online.

Information collected automatically

As you navigate and interact with our Website, we and our third-party service providers may automatically collect certain information whenever you access or interact with the Services.

  • Usage information — Details of your visits, including links you clicked, content response times, logs, feature usage, and statistics about your interactions.
  • Device information — Information about your computer and internet connection, including IP address, operating system, and browser type.
  • Non-identifying information — Aggregate or non-personal information such as approximate region, time zone, and general usage of the Services, which we may combine with other log information to improve our analytics and functionality.

Cookies and similar technologies

We and our partners use cookies, web beacons, and similar technologies to analyze trends, administer the Website, remember your preferences, and understand how our user base interacts with the Services. You can control cookies at the browser level. See Cookie controls below for the categories we use and how to change your choices.

Information received from third parties

  • Git provider details — When you connect GitHub, GitLab, Azure DevOps, or Bitbucket through OAuth, we collect the data needed for Codity to interface with your account, such as your access token, organization, username, and role. We integrate via each provider's API and OAuth system and do not have access to your Git provider credentials.
  • Single sign-on & social accounts — When you sign in through a third-party identity or social provider, we may receive limited profile information depending on the permissions you grant and the privacy settings you have configured with that provider.

3. Do Not Track signals

Do Not Track (DNT) is a preference you can set in some browsers to opt out of tracking by websites and online services. We do not track our users across third-party websites over time, and we do not allow third parties to track the personal information of our users on our Website.

4. Children's privacy

The Services are intended for business and professional use and are not directed toward children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

5. How we use your information

  • To provide you with an account and operate your workspace.
  • To analyze pull requests, perform code reviews, and generate actionable review suggestions with Codity AI models.
  • To deliver and process payment for the Services.
  • To personalize dashboards, alerts, and onboarding based on team behavior, and to improve our Services.
  • To address your inquiries and provide support.
  • To communicate with you about products, services, offers, and events, subject to your preferences.
  • To detect, prevent, and stop activity we consider illegal, fraudulent, unethical, or a security risk.
  • To comply with legal requirements and assist law enforcement where required.
  • For purposes disclosed at the time you provide your information, and as otherwise permitted with your consent.

6. Legal bases for processing

  • Contractual necessity — To provide AI code review, user accounts, billing, and support under your subscription agreement.
  • Legitimate interests — To secure the platform, prevent abuse, monitor reliability, analyze usage, and improve product quality.
  • Consent — For non-essential analytics cookies and demo-contact outreach where applicable. You may withdraw consent at any time.
  • Legal obligations — To meet tax, accounting, and mandatory security or legal disclosure duties.

7. AI processing of your code

Codity.ai uses a mix of proprietary models and approved third-party AI model providers to perform code reviews. Customer code is processed ephemerally. Source code submitted for review is not retained after review completion, except where storage is required to provide customer-enabled features such as review history, audit logs, repository indexing, or vector-based retrieval functionality. Where embeddings or other derived data are stored, they are logically isolated per customer workspace and are never used for model training.

Customer data ownership

Customers retain all rights, title, and interest in their repositories, pull requests, source code, comments, and other submitted content ("Customer Data"). Codity receives only the limited rights necessary to process such content for the purpose of providing the Services.

  • Customer Data is not used to train, fine-tune, improve, or otherwise develop public, shared, or customer-facing machine learning models. Codity does not permit subprocessors to use Customer Data for model training except where expressly authorized by the customer.
  • Codity maintains security and privacy controls designed to support GDPR compliance across all plans. Additional contractual commitments, including DPA execution and compliance documentation, are available for eligible enterprise customers.
  • Redaction and repository allowlists let you control exactly what Codity can inspect.

8. How we disclose and share your information

We do not sell personal information to third parties. We share the information we receive about you as follows:

  • With our service providers — We use third-party companies to perform service-related operations such as hosting, database management, payment processing, analytics, fraud detection, and email delivery. These providers may access personal information only to perform tasks on our behalf and are bound by confidentiality obligations.
  • For our service integrations — We integrate with Git providers (GitHub, GitLab, Azure DevOps, Bitbucket) for code containment, with infrastructure and hosting providers, and with approved third-party AI model providers to perform reviews. Your information is processed in accordance with the privacy policies of those integration companies. A current list is maintained at /subprocessors.
  • For corporate transactions — We may share information, including personal information, with current or future affiliates, or in connection with a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy (including as part of due diligence).
  • If required by law — We may disclose information to government, law enforcement, or private parties when we believe it is necessary to comply with legal process, protect the rights or property of Codity or others, protect personal safety, or prevent activity we consider illegal or fraudulent.
  • With your consent — We may share information for other purposes disclosed to you at the time and with your consent.

Subprocessors

We engage vetted subprocessors and infrastructure providers to help deliver the Services. A current list of subprocessors and infrastructure providers is maintained at /subprocessors.

Government and legal requests

Where legally permitted, Codity will notify affected customers before disclosing Customer Data in response to governmental, regulatory, or law-enforcement requests. We disclose only the minimum information required by law.

9. Third-party websites and links

Our Services may contain links to, or features from, websites and online platforms operated by third parties. We do not control those platforms and are not responsible for their content, their privacy practices, or their use of your information. We encourage you to review the privacy policy of any third-party site you visit.

10. Data retention & security

We retain personal information for as long as needed to fulfill the purposes in this Policy, unless a longer retention period is required or permitted by law. Workspace data is stored in AWS with encryption at rest (AES-256). Backups are retained for 30 days to recover from disaster scenarios. A detailed Record of Processing Activities is available at /ropa.

  • Access to production systems is protected with MFA, hardware keys, and logging.
  • Audit logs for code reviews are retained for at least 12 months.
  • You may request deletion of identifiable data at any time by emailing privacy@codity.ai.

Upon account termination, Customer Data is deleted from active systems within 30 days unless retention is required by law. Backup copies are removed according to our backup retention schedule and are generally deleted within 30 additional days.

We use physical, technical, and organizational measures designed to protect your information against unauthorized access, theft, and loss, and restrict access to those who need it to perform their jobs. No system is completely secure, so any transmission of personal data is at your own risk. To improve and personalize future reviews, Codity may store certain data such as vector embeddings; this storage is compliant with SOC 2 Type II, GDPR, and HIPAA, and you can opt out at any time.

Security controls

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest
  • Role-based access controls
  • Multi-factor authentication
  • Hardware security keys for privileged access
  • Audit logging and monitoring
  • Backup and disaster recovery procedures
  • Incident response processes

11. Cross-border transfers

When personal data is transferred outside your region, Codity applies appropriate safeguards such as Standard Contractual Clauses (SCCs), contractual data processing terms, and technical controls documented in our DPA.

12. Your rights and choices

You have several ways to exercise control over your information:

  • Account settings — Access, update, or delete your personal information from within your Codity workspace settings.
  • Contact us — Email privacy@codity.ai to access, update, or delete your personal information.
  • Email — Opt out of marketing emails using the unsubscribe instructions in those emails. We may still send transactional messages about your account or the Services.

European residents (GDPR)

To the extent Codity acts as a data controller, European residents may exercise the following rights by emailing privacy@codity.ai or using account settings:

  • Access — Request a copy of the personal data we hold about you and how it is processed.
  • Rectification — Request correction of inaccurate or incomplete personal data.
  • Erasure — Request deletion where data is no longer necessary or processing is unlawful.
  • Restriction — Request temporary restriction of processing while disputes are resolved.
  • Portability — Receive your personal data in a structured, machine-readable format.
  • Object — Object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — Withdraw consent at any time where processing relies on consent.
  • Complaint — Lodge a complaint with your local supervisory authority.

We respond to access requests within 30 days, extendable by up to two additional months for complex requests. We may ask you to verify your identity before fulfilling a request. Some residual information may persist where we are legally required or have compelling legitimate interests to retain it.

California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) may provide you with additional rights regarding our collection, use, and disclosure of your personal information, including:

  • The right to know what personal information we have collected, used, and disclosed about you.
  • The right to request deletion of your personal information.
  • The right to opt out of the sale of personal information.
  • The right to be free from discrimination for exercising your privacy rights.

Codity does not sell personal information, nor do we share it with third parties for their own marketing purposes, and we have not done so in the past 12 months. To exercise your rights, contact privacy@codity.ai. We may verify your identity before responding, and we will honor authorized agent requests accompanied by valid authorization.

13. HIPAA and healthcare workloads

  • Codity supports HIPAA-aligned controls for enterprise healthcare customers.
  • Business Associate Agreements (BAA) are available for eligible plans.
  • Healthcare customers can request additional administrative, physical, and technical safeguard documentation.
  • Essential cookies — Required for core security, session integrity, and site functionality.
  • Analytics cookies — Optional and enabled only after affirmative consent via the cookie banner.
  • Consent changes — You can change your cookie decision by clearing site storage and setting a new preference when the banner reappears.

15. International jurisdictions

Our servers are located in the United States, and your personal information may be processed and stored there. If you access the Services from another country, you consent to the transfer, processing, and storage of your personal information in the United States in accordance with this Policy. You agree to abide by applicable laws concerning your use of the Services, and you may only use the Services in a manner lawful in your jurisdiction.

16. Changes to this Policy

Codity may update this Policy at any time, and changes are effective upon posting. If there are material changes to how we treat your personal information, we will update the "Last updated" date at the top of this Policy and may also notify you by email at our discretion.

17. How to contact us

For any questions about this Policy or our data practices, contact us at privacy@codity.ai. Our Data Protection Officer (DPO) is also available to address questions or concerns regarding our data processing practices.

We respond to privacy requests within 30 days. For GDPR requests, our standard timeline is one month from verification, extendable by up to two additional months for complex requests.