Privacy

Privacy Policy

Transparency about what data Codity.ai collects, how it is used, and the controls you have.

Last updated November 25, 2025

Information we collect

Workspace & billing data

Company name, email addresses, payment method, and usage metadata needed to operate your subscription.

Repository context

When you connect Git providers we ingest pull request diffs, comments, and metadata required for automated reviews. We never index entire repositories outside of the scopes you approve.

Product analytics

We log feature usage, performance metrics, and crash reports to improve reliability. You can opt out of analytics at the workspace level.

How we use your data

  • To analyze pull requests and generate review suggestions with Codity AI models.
  • To personalize dashboards, alerts, and onboarding based on team behavior.
  • To detect abuse, spam, or behavior that violates our Terms of Use.
  • To comply with legal obligations, including tax reporting and security disclosures.

AI processing

Codity.ai uses a mix of proprietary and partner LLMs. Customer code is encrypted in transit, processed ephemerally, and deleted once a response is returned.

  • We do not use your code to train public versions of foundational models.
  • Enterprise plans include SOC 2 and GDPR-compliant data handling commitments.
  • Redaction and repository allowlists let you control exactly what Codity can inspect.

Data retention & security

Workspace data is stored in AWS with encryption at rest (AES-256). Backups are retained for 30 days to recover from disaster scenarios.

  • Access to production systems is protected with MFA, hardware keys, and logging.
  • Audit logs for code reviews are retained for at least 12 months.
  • You may request deletion of identifiable data at any time by emailing privacy@codity.ai.

Your rights & controls

  • Export your workspace activity and billing history from the dashboard.
  • Request corrections or deletion of personal data via privacy@codity.ai.
  • Execute Data Processing Agreements (DPA) for GDPR and HIPAA compliance.
  • Appeal automated decisions related to account suspensions.

We respond to all privacy requests within 30 days, or sooner when mandated by local regulations.