Privacy Policy

Last updated: April 14, 2026

1. Introduction

This Privacy Policy describes how Complint ("Company," "we," "us," or "our") collects, uses, and shares information when you use our code analysis service ("Service"). By creating an account or using the Service, you agree to the collection, use, and retention of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

  • Email address
  • Organization name
  • GitHub account identifiers (when using GitHub OAuth)
  • Payment information (processed and stored by Stripe; we do not store card numbers)
  • Terms of Service and Privacy Policy acceptance records (version, timestamp, IP address)

2.2 Repository and Code Data

  • Repository names and metadata
  • Pull request diffs, commit metadata, and webhook payloads received from GitHub
  • File paths, file contents, and line numbers accessed during analysis
  • Analysis results, findings, severity assessments, and suggested remediations

2.3 Usage and Analytics Data

  • Credit usage and transaction history
  • Number of pull requests analyzed and findings generated
  • Feature usage patterns and product interaction data collected via PostHog
  • Error and performance monitoring data collected via Sentry
  • Log data (IP addresses, browser type, user agent, timestamps)
  • Session recordings and interaction data for product improvement

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To process pull request analyses and deliver findings
  • To process payments and manage subscriptions
  • To send transactional emails (account confirmation, password reset, billing)
  • To respond to support requests
  • To detect, prevent, and address technical issues and abuse
  • To analyze usage patterns and improve the Service using product analytics
  • To develop and improve our internal analysis models, algorithms, and methodologies
  • To create aggregated, de-identified datasets for product development, business intelligence, and research
  • To generate industry benchmarks and aggregated compliance insights

4. Code Data Processing

4.1 How We Access Code

Complint accesses your code through a GitHub App with read-only permissions. We access pull request diffs, file contents, and webhook payloads necessary to perform compliance analysis. We do not clone or store complete repositories.

4.2 AI Processing

Pull request diffs are sent to Anthropic (Claude AI) for analysis. Anthropic processes this data under its API terms, which prohibit using API inputs for model training. We recommend reviewing Anthropic's privacy policy independently.

4.3 Data Retention

  • Webhook payloads and code data: GitHub webhook payloads, including pull request diffs and commit metadata, are stored in our database for audit logging, service operation, and analysis purposes. This data is retained for as long as commercially useful or as required by law.
  • Analysis findings: Retained for as long as commercially useful, including after account deletion in aggregated or de-identified form, to power the compliance dashboard, historical tracking, and product improvement.
  • Account data: Retained until you delete your account or request deletion. Following account deletion, we may retain de-identified or aggregated data derived from your usage indefinitely.
  • Billing records: Retained as required by applicable tax and financial regulations.
  • Analytics and usage data: Retained in accordance with our analytics providers' retention policies and for as long as commercially useful for product improvement.

5. Information Sharing

We do not sell your personal information. We share information only in these circumstances:

  • Service Providers: We use third-party services to operate the Service, including Supabase (database and authentication), Stripe (payment processing), Anthropic (AI analysis), Vercel (hosting), Inngest (job processing), Resend (email delivery), PostHog (product analytics), and Sentry (error and performance monitoring).
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business Transfers: In the event of a merger, acquisition, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company's assets, your information may be transferred to the acquiring or successor entity as part of that transaction. No additional consent or opt-out will be required for such transfers, and the acquiring entity may continue to use your information as described in this policy.
  • Aggregated Data: We may share aggregated, de-identified data that cannot reasonably be used to identify you or your organization with third parties for industry analysis, benchmarking, research, or commercial purposes.

6. Aggregated and De-Identified Data

Complint may create aggregated, de-identified, or anonymized data from information collected through the Service. Such data does not identify any individual user or organization. Complint may use, share, and commercially exploit aggregated data for any lawful purpose without restriction, including but not limited to industry benchmarking, compliance pattern analysis, product development, and research. Our rights to aggregated data are perpetual and survive account termination. Aggregated data is not subject to individual deletion requests.

7. Data Security

We implement reasonable security measures to protect your information, including:

  • Encryption in transit (TLS/HTTPS) for all data
  • Encryption at rest for database storage
  • Row-level security (RLS) for multi-tenant data isolation
  • Webhook signature verification for GitHub and Stripe integrations
  • Least-privilege access controls

However, no method of transmitting data over the Internet or storing it electronically is completely secure, and we cannot guarantee absolute security.

8. PHI Disclaimer

Complint is designed to analyze source code, not Protected Health Information (PHI). You should not submit source code that contains actual patient data, PHI, or ePHI to the Service. If your repositories contain PHI, you are responsible for remediating that condition before using the Service. Complint is not a HIPAA Business Associate and does not enter into Business Associate Agreements.

9. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and associated personal data
  • Export your analysis data
  • Opt out of non-essential communications

Please note that deletion requests apply to personal data only. Aggregated, de-identified data derived from your usage is not subject to individual deletion requests (see Section 6).

To exercise these rights, contact us at privacy@complint.dev.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We use PostHog for product analytics, which uses cookies and similar technologies to collect usage data including page views, feature interactions, and session data. We use Sentry for error and performance monitoring. We do not use advertising cookies. You can manage cookie preferences through your browser settings.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

12. International Data Transfers

Your information may be transferred to and processed in the United States, where our service providers operate. By using the Service, you consent to this transfer.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. Your continued use of the Service after such changes take effect constitutes acceptance of the updated policy.

14. Contact

For questions about this Privacy Policy, contact us at privacy@complint.dev.