Privacy Policy

Last updated: February 21, 2026

1. Introduction

CodeCritic ("the Service") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your information. This policy applies to the CodeCritic website (code-critic.com), the CodeCritic API, and the CodeCritic GitHub Action.

2. Data We Collect

2.1 Account Information

  • Email address
  • Username
  • Name (optional)
  • GitHub profile information (when authenticating via GitHub OAuth)

2.2 Code Review Data

When you submit code for review, we process:

  • Source code and code diffs
  • Repository name and metadata
  • Pull request information (title, description, branch names, commit SHAs)
  • Programming language information

2.3 Usage and Technical Data

  • API key usage and request metadata
  • Review history and scores
  • Session information (IP address, browser type, timestamps)
  • Billing and subscription status

3. How We Use Your Data

  • Code analysis: Your code is sent to AI model providers to generate review feedback. Submitted code is encrypted at rest using AES-256-GCM and stored alongside review results for your access.
  • Review results: AI-generated review results (scores, issues, suggestions, summaries) are stored in our database to display in your dashboard and review history.
  • Account management: To authenticate you, manage your subscription, and provide customer support.
  • Billing: To track usage against your subscription limits and process payments.
  • Service improvement: Aggregated, anonymized usage statistics may be used to improve the Service.

4. Third-Party Data Processing

To perform AI-powered code analysis, your code is transmitted to third-party AI model providers through OpenRouter. These providers may include but are not limited to:

  • Google (Gemma models)
  • Other model providers available through OpenRouter

We select providers that maintain reasonable data handling practices. However, we cannot guarantee how third-party providers process data internally. Code submitted for review is sent to these providers solely for the purpose of generating review feedback.

We do not sell, rent, or share your personal information or code with third parties for marketing purposes.

5. Data Retention

  • Source code: Submitted code is encrypted at rest using AES-256-GCM authenticated encryption and stored alongside review results for your access.
  • Review results: Stored as long as your account is active, so you can access your review history.
  • Account data: Retained while your account exists. Deleted upon account deletion request.
  • Billing records: Retained as required by applicable tax and financial regulations.

6. Data Security

We implement reasonable technical and organizational measures to protect your data, including:

  • Encrypted data transmission (HTTPS/TLS)
  • AES-256-GCM authenticated encryption at rest for all code submissions
  • API key masking in logs
  • Secure authentication (JWT tokens, OAuth 2.0)
  • Regular security reviews

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your account and associated data
  • Export: Request a portable copy of your data
  • Objection: Object to certain types of data processing

To exercise any of these rights, contact us at support@code-critic.com.

8. GDPR and CCPA Compliance

For EU/EEA residents (GDPR): We process your data based on your consent (provided at account creation) and our legitimate interest in providing the Service. You have the right to withdraw consent at any time by deleting your account. Data transfers outside the EU are conducted with appropriate safeguards.

For California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

9. GitHub Action Specific Data

When using the CodeCritic GitHub Action (CodeCritic-Reviews/review-action), the following data is collected and transmitted to our API:

  • Repository full name (e.g., "owner/repo")
  • Pull request metadata (title, description, number, branch names)
  • Commit SHA identifiers
  • Code diffs (fetched via GitHub API using your OAuth token)
  • Your CodeCritic API key (transmitted securely, masked in logs)

The GitHub Action does not access files beyond what is needed for the code review. Your GitHub token (GITHUB_TOKEN) is used only to post review comments back to your pull request and is never transmitted to CodeCritic servers.

10. Cookies

We use essential cookies and local storage for authentication (JWT tokens) and session management. We do not use third-party tracking cookies or advertising cookies.

11. Children's Privacy

The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last updated" date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions or data requests, contact us at support@code-critic.com.