Privacy Policy | Octokraft

Data Controller

Ciprian Alexandru Grigore
Sole proprietor (OSVČ)
IČO: 17947286
Prague, Czech Republic
contact@octokraft.com

This Privacy Policy describes how we ("Octokraft", "we", "us", "our") collect, use, and protect information when you use the Octokraft platform at app.octokraft.com and the marketing site at octokraft.com (collectively, the "Service").

1. Information We Collect

Account Information

When you sign in via GitHub, we receive your GitHub username, email address, and profile information as provided by GitHub and our authentication provider (Clerk). We do not store your GitHub password.

Repository and Code Data

Repository clones: We perform temporary shallow clones of repositories you connect. Clones are created in isolated directories, used for analysis, and deleted immediately after processing.
Code snippets: Small code snippets (typically 1-10 lines) are stored alongside detected issues to provide context for findings. Snippets are stored encrypted at rest in our database and are retained for as long as the associated issue exists. Snippets may inadvertently contain secrets or sensitive values present in source code at those lines.
Knowledge graph: We build a structured graph of symbols, dependencies, and relationships extracted from your code. This is derived metadata, not raw source code.
Analysis results: Health scores, detected issues, conventions, architecture dimensions, and PR review results are stored as described in the Data Retention section below.
Code diffs: PR diffs are fetched on-demand from GitHub when you view them and are not stored by Octokraft.

Usage Data

We collect analytics data through Google Analytics (GA4) and Apollo on the marketing site. This may include IP address, browser type, pages visited, and referral source. This data is collected only with your consent via our cookie banner.

Payment Information

Payments are processed by Stripe. We do not store credit card numbers or payment credentials. Stripe's privacy policy governs payment data handling.

2. Legal Basis for Processing (GDPR Art. 6)

We process your data under the following legal bases:

Performance of a contract (Art. 6(1)(b)): Account creation, repository analysis, health scoring, PR reviews, and all core Service functionality — these are necessary to deliver the Service you signed up for.
Legitimate interest (Art. 6(1)(f)): Security monitoring, abuse detection, and service improvement. Our legitimate interest is maintaining a secure and reliable platform.
Consent (Art. 6(1)(a)): Marketing site analytics (Google Analytics, Apollo) and non-essential cookies. You can withdraw consent at any time via the cookie settings on our site.
Legal obligation (Art. 6(1)(c)): Where we are required to retain data for tax, accounting, or regulatory purposes.

3. How We Use Your Information

To provide, maintain, and improve the Service
To analyze your code and generate health scores, PR reviews, and architecture insights
To communicate with you about your account and the Service
To process payments
To detect and prevent abuse

4. AI Model Processing

By default, code analysis is performed using open source models hosted on Ollama Cloud. We do not send code to commercial frontier model providers (such as OpenAI or Anthropic) unless you explicitly configure this via BYOK. We plan to transition to self-hosted models on infrastructure we fully control.

If you use the BYOK (Bring Your Own Key) feature, your code is sent to whichever model provider you configure. You are responsible for reviewing that provider's data handling practices.

Your code is never used to train or fine-tune any AI model.

5. Data Storage and Location

Our primary infrastructure runs on Hetzner Cloud in Germany. All stored data — including analysis results, health scores, and account information — resides in the European Union.

6. International Data Transfers

Some of our sub-processors operate outside the European Economic Area (EEA), including Stripe (US), Clerk (US), Google Analytics (US), and Apollo (US). Where data is transferred outside the EEA, we rely on:

European Commission adequacy decisions, where available
Standard Contractual Clauses (SCCs) approved by the European Commission
The sub-processor's compliance with equivalent safeguards (e.g., EU-US Data Privacy Framework certification)

Ollama Cloud processes code snippets for AI inference. We are evaluating the data residency of this provider and plan to transition to self-hosted models within the EU.

7. Data Retention

Repository clones: Deleted immediately after analysis completes.
Analysis data and code snippets: Retained while your account is active. Removing a repository from a project does not delete its analysis history. Deleting a project permanently removes all associated data.
Account data: Retained while your account is active.
Inactive accounts: If your account has no login or activity for 12 consecutive months, we will notify you by email. If there is no response within 30 days, we may permanently delete your account and all associated data.
Payment records: Retained as required by applicable tax and accounting law.

To request immediate deletion of your account and all associated data, contact us at contact@octokraft.com.

8. Data Sharing

We do not sell your data. We share information only with the following sub-processors:

Stripe (US) — payment processing
Clerk (US) — authentication
Ollama Cloud — AI model inference (code snippets sent for analysis)
Hetzner Cloud (Germany) — infrastructure hosting
Google Analytics (US) — marketing site analytics only, no code data, consent-based
Apollo (US) — marketing site visitor analytics only, no code data, consent-based

We may disclose information if required by law or to protect our legal rights.

9. Security

We implement reasonable technical measures to protect your data:

TLS encryption in transit
AES-256-GCM encryption for stored credentials (GitHub tokens, BYOK API keys)
API keys stored as SHA-256 hashes
Analysis jobs run in sandboxed containers with read-only code access and no network access

No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security of your data.

10. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — request deletion of your data
Portability — export your data in a machine-readable format
Restriction — restrict processing in certain circumstances
Objection — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent (e.g., analytics cookies), you can withdraw at any time without affecting prior processing

To exercise these rights, email contact@octokraft.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection (ÚOOÚ) at www.uoou.cz.

11. Cookies

We use the following types of cookies:

Essential cookies: Session cookies for authentication in the application. These are necessary for the Service to function and do not require consent.
Analytics cookies: Google Analytics and Apollo cookies on the marketing site, used to understand site usage. These are set only with your consent.

We do not use advertising or tracking cookies. You can manage your cookie preferences via the cookie banner displayed on your first visit. You can change your preferences at any time by clearing your browser cookies and revisiting the site.

12. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. Continued use of the Service after changes constitutes acceptance.

14. Contact

Ciprian Alexandru Grigore
Sole proprietor (OSVČ), IČO: 17947286
Prague, Czech Republic
contact@octokraft.com