Privacy Policy
Last updated: February 21, 2026
CodeTrust ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect,
use, and protect your data when you use the CodeTrust platform, including our CLI, VS Code extension, Chrome
extension, GitHub Action, MCP server, and API.
1. What We Collect
- Code Snippets — When you scan code, the snippet is sent to our API (api.codetrust.ai)
for analysis. Code is processed in memory and not stored on our servers after analysis
completes.
- API Keys — Stored locally on your device (VS Code Secret Storage, Chrome sync storage,
or environment variables). Never transmitted except as authentication headers to our API.
- Usage Metrics — Anonymous, aggregated usage statistics (scan counts, languages used,
rule trigger frequency). No code content is included.
- Account Information — Email address and organization name for paid plans.
2. How We Use Your Data
- Analyze code snippets and return security findings
- Verify package imports against public registries (PyPI, npm, crates.io, etc.)
- Generate Trust Scores and drift tracking
- Improve our detection rules and service quality
- Process billing for paid plans
3. Data Retention
Code snippets are processed in real time and not persisted after analysis. Scan metadata
(timestamps, finding counts, Trust Scores) may be retained for 90 days for analytics. Account data is
retained for the duration of your subscription.
4. Data Sharing
We do not sell, rent, or share your data with third parties. We use the following services:
- Railway — Hosting infrastructure (EU/US regions)
- Stripe — Payment processing (PCI-compliant)
- Upstash — Redis cache for temporary data (encrypted at rest)
5. Security
- All API communication is encrypted via TLS 1.3
- API keys are hashed and never stored in plaintext
- Infrastructure follows SOC 2 controls
- Regular security audits and penetration testing
6. Chrome Extension Specifics
- The Chrome extension only accesses pages you explicitly scan or that match content script patterns
(GitHub, GitLab, Stack Overflow, etc.)
- Code is extracted from visible page content only when you initiate a scan
- Settings are stored in Chrome sync storage and follow your Chrome profile
- No browsing history, cookies, or personal data is collected
7. Your Rights
- Access — Request a copy of your data at any time
- Deletion — Request deletion of your account and associated data
- Portability — Export your scan history and Trust Score data
- Opt-out — Disable usage metrics in settings
8. GDPR Compliance
For EU users: We process data under legitimate interest (service provision) and consent (usage metrics). You
may exercise your GDPR rights by contacting us. Data processing occurs in the EU and US with appropriate
safeguards.
9. Children's Privacy
CodeTrust is not intended for users under 13. We do not knowingly collect data from children.
10. Changes
We may update this policy periodically. Significant changes will be communicated via email or in-app
notification. Continued use constitutes acceptance.
11. Contact
For privacy questions or data requests: