Privacy Policy

Last updated: May 17, 2026

1. Information We Collect

When you use CodeDig, we collect information you provide directly (account details, repository access tokens) and information generated through your use of the service (analysis results, usage metrics). We access your source code solely to perform the analysis you request — we do not store raw source code after analysis is complete.

2. How We Use Your Information

We use your information to provide and improve the CodeDig service, including generating analysis reports, detecting security vulnerabilities, and computing risk scores. We do not sell your data to third parties.

3. Data Retention

Analysis results are retained according to your plan tier (30 days for Free, 90 days for Team, 1 year for Business). You may request deletion of your data at any time by contacting us.

4. Third-Party Services

CodeDig integrates with third-party services (GitHub, GitLab, Stripe) to provide its functionality. Your use of these services is governed by their respective privacy policies. See our subprocessors list for the complete inventory. AI-specific data handling is detailed in Section 5 below.

5. AI Processing

Some CodeDig features use large language model (LLM) inference to generate code analysis, guided tours, and documentation. This section explains which providers we use, what data is sent, and your options.

Providers we use

  • OpenAI — used for AI-powered code archaeology, guided tours, and documentation features. Data is processed in the United States.
  • Anthropic — used for narrative generation and automated documentation. Data is processed in the United States.

Self-hosted customers who configure their own LLM endpoint via Settings → Integrations are using a provider of their own choosing; that vendor's privacy terms govern those interactions, not ours.

What data is sent to AI providers

We send code snippets, file paths, and symbol names (function/class names) from the repositories you explicitly submit for analysis. We do not send customer credentials, account information, billing data, or any personally identifiable information to AI providers.

Model training

Your code is not used to train any AI model — by CodeDig, OpenAI, or Anthropic. Both OpenAI's and Anthropic's API terms explicitly prohibit using API inputs to train their models. CodeDig does not perform any model training on customer data.

Data retention at providers

OpenAI retains API inputs and outputs for up to 30 days for abuse-monitoring purposes, after which they are deleted. API inputs are not used to train OpenAI's models under their standard API terms. This is a binding contractual commitment from OpenAI, not an account-level setting we toggle. Anthropic's API terms similarly prohibit retaining inputs beyond the request lifecycle for training purposes.

Opt-out

Organization administrators can disable all AI-powered features for their organization via Settings → Privacy. When AI features are disabled, CodeDig will still index your repositories but will not send any data to OpenAI or Anthropic. Self-hosted customers may also opt out by leaving the OPENAI_API_KEY and ANTHROPIC_API_KEY environment variables unset.

Tracking issue: #496.

6. GDPR Compliance

CodeDig is designed for GDPR compliance. This section describes our lawful bases for processing personal data, how we handle international transfers, and the rights available to individuals in the European Economic Area and United Kingdom.

Lawful basis for processing

  • Contractual necessity (Article 6(1)(b)) — processing your account details, repository access tokens, and analysis results is necessary to perform the CodeDig service under our Terms of Service.
  • Legitimate interest (Article 6(1)(f)) — we use aggregate, privacy-preserving analytics (Plausible Analytics, a cookieless tool) to understand product usage and improve the service. No individual-level tracking or profiling is performed.
  • Consent (Article 6(1)(a)) — for any optional marketing communications. You may withdraw consent at any time via the unsubscribe link in any email or by contacting privacy@codedig.ai.

EU representative

We will designate an EU representative under GDPR Article 27 prior to onboarding our first EU customer. Details will be published here and in our Data Processing Addendum once confirmed.

International data transfers

CodeDig and its subprocessors are based in the United States. Where personal data originating in the EEA or UK is transferred to the US, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented by a Schrems II transfer impact assessment addendum. The executed SCCs are incorporated into our binding Data Processing Addendum. See our subprocessors list for the full inventory of third-party processors and their transfer mechanisms.

Data subject rights (EEA / UK)

If you are located in the EEA or UK, you have the following rights under the GDPR:

  • Right of access (Art. 15) — obtain a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your data.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right to restriction of processing (Art. 18) — restrict how we process your data in certain circumstances.

Many of these rights can be exercised directly via Settings → Compliance in the CodeDig product. To exercise any right not available in-product, or to escalate a concern, contact our data protection contact at dpo@codedig.ai. We will acknowledge your request within one business day and fulfil it within 30 calendar days, as required by GDPR Article 12.

7. California Privacy Rights (CCPA / CPRA)

This section applies to residents of California and is provided pursuant to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of personal information collected

In the past 12 months we have collected the following CCPA categories:

  • Identifiers — name, email address, GitHub/GitLab username, IP address.
  • Commercial information — subscription plan, billing history (managed by Stripe).
  • Internet or other electronic network activity — aggregate usage metrics, feature interactions (via Plausible Analytics, cookieless).
  • Professional or employment-related information — organization name, job role (if provided during onboarding).
  • Inferences — product usage patterns used to improve the service (never sold or shared).

Your rights as a California resident

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete — request deletion of your personal information, subject to certain exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — see below; CodeDig does not sell or share personal information.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the service.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a CCPA right.

No sale or sharing of personal information

CodeDig does not sell personal information and does not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.

How to exercise your rights

California residents may exercise their rights via Settings → Compliance in the CodeDig product, or by emailing privacy@codedig.ai with subject line “California Privacy Request”.

Verification

To protect your personal information, we will verify your identity before fulfilling a CCPA request. Verification is performed by confirming your email address and account ownership. We may request additional information if the initial verification is insufficient.

Authorized agents

You may designate an authorized agent to submit a CCPA request on your behalf. Authorized agent requests must include written permission signed by you, or a power of attorney executed under the California Probate Code. Contact privacy@codedig.ai with the appropriate documentation.

8. Your Rights

You have the right to access, correct, or delete your personal data. You may export your analysis data at any time. To exercise these rights, contact us at privacy@codedig.ai.

9. Contact

For questions about this privacy policy, contact us at privacy@codedig.ai.