Privacy Policy

Transparency about what data Codity.ai collects, how it is used, and the controls you have.

Last updated: November 25, 2025.

Information we collect

  • Workspace & billing data — Company name, email addresses, payment method, and usage metadata needed to operate your subscription.
  • Repository context — When you connect Git providers we ingest pull request diffs, comments, and metadata required for automated reviews. We never index entire repositories outside of the scopes you approve.
  • Product analytics — We log feature usage, performance metrics, and crash reports to improve reliability. You can opt out of analytics at the workspace level.

How we use your data

  • To analyze pull requests and generate review suggestions with Codity AI models.
  • To personalize dashboards, alerts, and onboarding based on team behavior.
  • To detect abuse, spam, or behavior that violates our Terms of Use.
  • To comply with legal obligations, including tax reporting and security disclosures.

AI processing

Codity.ai uses a mix of proprietary and partner LLMs. Customer code is encrypted in transit, processed ephemerally, and deleted once a response is returned.

  • We do not use your code to train public versions of foundational models.
  • Enterprise plans include SOC 2 and GDPR-compliant data handling commitments.
  • Redaction and repository allowlists let you control exactly what Codity can inspect.

Data retention & security

Workspace data is stored in AWS with encryption at rest (AES-256). Backups are retained for 30 days to recover from disaster scenarios.

  • Access to production systems is protected with MFA, hardware keys, and logging.
  • Audit logs for code reviews are retained for at least 12 months.
  • You may request deletion of identifiable data at any time by emailing privacy@codity.ai.

Your rights & controls

  • Export your workspace activity and billing history from the dashboard.
  • Request corrections or deletion of personal data via privacy@codity.ai.
  • Execute Data Processing Agreements (DPA) for GDPR and HIPAA compliance.
  • Appeal automated decisions related to account suspensions.

We respond to all privacy requests within 30 days, or sooner when mandated by local regulations.