Privacy Policy

Last Updated: January 2025

Introduction

Hybrid Local AI Code Reviewer ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software and services.

Our Data Sovereignty Pact

The Code Never Leaves. Period.

Unlike cloud-based "Copilots" that send your IP to OpenAI or Anthropic for training, CodeSentinal runs 100% on your hardware. We contractually guarantee:

• Zero Data Transmission: By default, all code analysis happens locally on your machine. No code is sent to external servers.
• No Telemetry: We do not collect usage analytics, error reports, or any telemetry data.
• Local Storage Only: All data (code analysis results, audit logs, configuration) is stored locally on your device.
• Air-Gapped Mode: The software can operate completely offline with no network connections.

When Data Leaves Your Machine

Data is only transmitted in the following scenarios:

1. Optional Cloud LLM: If you explicitly opt-in to use cloud LLM services (GPT-4, Claude), code snippets may be sent to those providers. This requires:
   • Explicit configuration in settings
   • Your own API keys (we never see your API keys)
   • You accept responsibility for data sent to third-party providers
2. Team Server (Enterprise): If you use Enterprise tier with team policy sync, analysis metadata (not code) may be sent to your team server for policy enforcement.
3. Payment Processing: When you purchase a subscription, payment information is processed by Paddle (our payment provider). See "Payment Information" section below.

Information We Collect

Information You Provide

• Account Information: If you use SSO or create an account, we collect email address and authentication tokens (stored locally in OS keychain).
• Payment Information: Processed by Paddle (see below). We do not store credit card information.
• Support Communications: If you contact us for support, we collect your email and message content.

Cryptographic Flight Recorder

• Auditability: Every decision made by the Autonomous AI is logged, hashed, and signed locally.
• Forensics: You can replay any automated edit to understand *why* the AI made the change.
• Ownership: This database resides in `%LOCALAPPDATA%` or your on-premise server. We never see it.

Information We Do NOT Collect

• Source code (unless you explicitly opt-in to cloud LLM)
• File contents or project structure
• Personal identifiable information from your code
• Usage analytics or telemetry
• Error reports (unless you manually send them)
• Network activity or browsing history

How We Use Your Information

Local Processing

• Code Analysis: All analysis runs locally using your device's resources.
• Configuration: Your settings are stored locally and never transmitted.
• Audit Logs: Generated locally for compliance purposes, stored in local SQLite database.

Payment Processing

Payment information is processed by Paddle (our Merchant of Record). Paddle handles:

• Payment card information
• Billing address
• Tax calculation and remittance
• Refund processing

We receive from Paddle:

• Subscription status (active/cancelled)
• Billing email address
• Subscription tier (Individual/Enterprise)
• Payment history (for accounting purposes)

Paddle's Privacy Policy: https://www.paddle.com/legal/privacy

Data Storage and Security

Local Storage

Location: All local data is stored on your device in:

• Windows: %LOCALAPPDATA%\hybrid-reviewer\
• macOS: ~/Library/Application Support/hybrid-reviewer/
• Linux: ~/.local/share/hybrid-reviewer/

Security Measures

• Signed Binaries: All executables are signed with EV Code Signing Certificate
• Localhost-Only: Daemon listens only on 127.0.0.1 (no external network access)
• No Outbound Connections: In local-only mode, no network connections are made
• Audit Trail: All actions are logged locally for security auditing

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties.

Your Rights (GDPR Compliance)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of your personal data (we store minimal data)
• Right to Rectification: Correct inaccurate information
• Right to Erasure: Request deletion of your account and data
• Right to Data Portability: Export your configuration and audit logs
• Right to Object: Object to processing (though we process minimal data)
• Right to Restrict Processing: Limit how we use your data

To exercise these rights, contact us at: visuvalingamvithushan@gmail.com

Data Retention

• Local Data: Retained on your device until you delete it
• Account Data: Retained while your account is active, deleted within 30 days of account closure
• Audit Logs: Stored locally, you control retention
• Payment Records: Retained per accounting requirements (7 years in some jurisdictions)

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending an email notification (for material changes)

Contact Us

If you have questions about this Privacy Policy, please contact us:

• Email: visuvalingamvithushan@gmail.com
• Support: visuvalingamvithushan@gmail.com

Compliance Certifications

Our privacy practices align with:

• GDPR: European General Data Protection Regulation
• SOC2: Security and compliance standards
• CCPA: California Consumer Privacy Act (where applicable)

Note: This Privacy Policy applies to Hybrid Local AI Code Reviewer software and services. For Paddle's privacy practices, see Paddle's Privacy Policy.