Privacy Policy
Last updated: January 2026
1. Introduction
Polyglyph Analytica ("Company", "we", "us", or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Bugrit code quality analysis platform (the "Service"), including our website, applications, and related services.
This Privacy Policy has been drafted in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection legislation. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Data Controller
For the purposes of applicable data protection legislation, the data controller is:
Polyglyph Analytica
Email: privacy@bugrit.com
Data Protection Officer: dpo@bugrit.com
3. Information We Collect
3.1 Information You Provide Directly
We collect information that you voluntarily provide when using our Service, including:
- Account Information: Name, email address, password (encrypted), organization name, and billing information when you create an account or subscribe to our Service.
- Profile Information: Professional details, preferences, and settings you choose to provide.
- Payment Information: Credit card details, billing address, and transaction history processed through our payment processor, Stripe, Inc.
- Communications: Correspondence when you contact our support team, provide feedback, or participate in surveys.
- Source Code and Repository Data: Code repositories, configuration files, and related metadata that you submit for analysis through our Service.
3.2 Information Collected Automatically
When you access our Service, we automatically collect certain information, including:
- Device Information: Device type, operating system, browser type and version, unique device identifiers, and mobile network information.
- Log Data: IP address, access times, pages viewed, referring URL, and actions taken within the Service.
- Usage Data: Features used, scan frequency, report generation patterns, and interaction with our Service.
- Cookies and Similar Technologies: Information collected through cookies, pixel tags, and similar tracking technologies as described in Section 8.
3.3 Information from Third Parties
We may receive information about you from third-party sources, including:
- Authentication Providers: If you choose to link or sign in using a third-party service (e.g., GitHub, Google), we receive your name, email address, and profile information from that service.
- Repository Hosting Services: When you connect your repositories (e.g., GitHub, GitLab, Bitbucket), we access repository metadata, commit history, and code content as authorised by you.
- Business Partners: Information from partners who refer you to our Service or with whom we offer co-branded services.
4. Legal Basis for Processing
We process your personal information on the following legal bases under applicable data protection law:
- Performance of Contract: Processing necessary for the performance of our contract with you, including providing the Service, processing payments, and managing your account.
- Legitimate Interests: Processing necessary for our legitimate interests, including improving our Service, preventing fraud, ensuring security, and conducting business analytics, provided such interests are not overridden by your rights.
- Consent: Where you have provided explicit consent for specific processing activities, such as receiving marketing communications or participating in optional features.
- Legal Obligations: Processing necessary to comply with applicable laws, regulations, or legal processes.
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Service Provision and Improvement
- Providing, maintaining, and improving our code analysis Service
- Processing and analysing your source code to generate quality reports
- Personalising your experience and providing tailored recommendations
- Developing new features, products, and services
- Conducting research and analytics to improve our algorithms and tools
5.2 Communications
- Sending transactional communications regarding your account and Service usage
- Responding to your enquiries and support requests
- Sending marketing communications (with your consent where required)
- Providing important notices about changes to our Service or policies
5.3 Security and Compliance
- Protecting against fraud, abuse, and security threats
- Enforcing our Terms of Service and other agreements
- Complying with legal obligations and responding to lawful requests
- Maintaining audit trails and records as required by law
6. Your Intellectual Property and Data Sharing
6.1 Your Code Remains Yours — We Do Not Retain It
Your intellectual property is yours. We do not claim any ownership rights over your source code, applications, or any content you submit to our Service. Furthermore, we do not retain your intellectual property on our platform.
- You retain full ownership of all intellectual property rights in your code and content;
- We do not sell, license, sublicense, or otherwise commercialise your code;
- We do not share your source code with any third parties;
- We do not use your code to train machine learning models or for any purpose other than providing you with the analysis services you have requested;
- Your code is processed solely for the purpose of generating security and quality reports for your benefit;
- All uploaded content (source code, APKs, IPAs, installers, executables, and any other files) is automatically and permanently deleted immediately upon completion of the scan.
6.2 Automatic Deletion Policy
To ensure your intellectual property never resides on our systems longer than absolutely necessary:
- Source code repositories: Deleted immediately after analysis is complete;
- Mobile applications (APK, IPA): Deleted immediately after scanning;
- Desktop installers and executables: Deleted immediately after scanning;
- Configuration files and assets: Deleted immediately after scanning;
- No backups: We do not create copies, backups, or archives of your uploaded content;
- Irreversible: Once deleted, your content cannot be recovered by us or anyone else.
Only the generated scan reports (containing findings, recommendations, and metadata — but never your actual source code or binaries) are retained according to your subscription tier's retention period.
6.3 We Take Care of Your Data
We understand that your source code represents significant intellectual investment and may contain proprietary business logic, trade secrets, and sensitive information. We treat this responsibility with the utmost seriousness:
- All data is encrypted in transit using TLS 1.3 and at rest using AES-256;
- Access to user data is strictly limited to essential personnel on a need-to-know basis;
- We maintain comprehensive audit logs of all data access;
- We conduct regular security assessments and penetration testing;
- Our staff are bound by strict confidentiality obligations.
6.4 Limited Licence for Service Provision
By using our Service, you grant us a limited, non-exclusive, revocable licence solely to:
- Access and analyse your code to provide the security and quality scanning services you have requested;
- Generate and deliver reports based on that analysis;
- Temporarily store your code for the duration necessary to perform the analysis.
This licence terminates automatically upon completion of the analysis or deletion of your content.
6.5 We Do Not Sell Your Information
We do not sell, rent, or trade your personal information or your code to any third party. Period.
6.6 Limited Disclosure Circumstances
We may disclose limited information only in the following narrow circumstances:
Service Providers
We engage trusted third-party service providers (such as cloud infrastructure, payment processing, and email delivery) who may process certain data on our behalf. These providers:
- Are contractually bound by strict data protection and confidentiality obligations;
- May only use data for the specific purposes for which we engage them;
- Do not have access to your source code;
- Are subject to our vendor security assessment process.
Legal Requirements
We may disclose information only if strictly required by law, such as in response to a valid court order, subpoena, or binding legal process. We will, to the extent permitted by law, provide you with notice of any such requirement before disclosure.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. Any successor entity will be bound by the terms of this Privacy Policy.
With Your Consent
We may share information with third parties when you have given us your explicit, informed consent to do so.
7. Data Storage Location and GDPR Compliance
7.1 Western European Data Centres
All user data, including personal information, account data, and any source code or content you submit to the Service, is stored and processed exclusively in data centres located in Western Europe. Our primary infrastructure is hosted in the European Union, ensuring that your data benefits from the robust protections afforded by European data protection law.
7.2 GDPR Compliance
We are fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Our data processing activities are designed to meet the highest standards of data protection, including:
- Processing personal data only for specified, explicit, and legitimate purposes;
- Ensuring data minimisation and storage limitation;
- Implementing appropriate technical and organisational security measures;
- Facilitating the exercise of data subject rights;
- Maintaining records of processing activities;
- Conducting data protection impact assessments where required.
7.3 Geographic Data Segregation Disclaimer
Important Notice: Whilst our databases and primary infrastructure are located in Western Europe, we do not guarantee or take responsibility for:
- Data segregation based on your specific geographic location or jurisdiction;
- Compliance with data residency requirements that may apply in your particular jurisdiction beyond those mandated by GDPR;
- Routing of data through any specific geographic regions during transmission;
- The geographic location of third-party service providers' sub-processors;
- Temporary data caching or processing that may occur in other regions for performance optimisation purposes.
If you have specific data residency, localisation, or sovereignty requirements arising from applicable laws in your jurisdiction (such as sector-specific regulations or national data protection laws), you are responsible for determining whether our Service is appropriate for your needs prior to use.
7.4 Transfers Outside the EEA
In limited circumstances, certain third-party service providers we engage may process data outside the European Economic Area. Where such transfers occur, we ensure appropriate safeguards are in place, including European Commission-approved Standard Contractual Clauses and supplementary technical measures, to maintain the protection of your data.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and store information about your interactions with our Service. These technologies include:
8.1 Types of Cookies
- Essential Cookies: Required for the operation of our Service, including authentication, security, and session management.
- Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences.
- Analytics Cookies: Help us understand how visitors interact with our Service, allowing us to improve performance and user experience.
- Marketing Cookies: Used to track visitors across websites to display relevant advertisements (only with your consent).
8.2 Managing Cookies
You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our Service. For more information about cookies and how to manage them, visit www.allaboutcookies.org.
9. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including:
- Account Data: Retained for the duration of your account and for a period of 30 days following account deletion to allow for recovery.
- Scan Data and Reports: Retained according to your subscription tier (30 days for Free, 90 days for Pro, 1 year for Business) unless you request earlier deletion.
- Source Code: Processed for analysis purposes only and not retained after report generation, unless you opt into repository monitoring features.
- Transaction Records: Retained for 7 years to comply with financial and tax regulations.
- Communications: Support correspondence retained for 3 years for quality assurance and dispute resolution.
Following the applicable retention period, your information will be securely deleted or anonymised in accordance with our data destruction procedures.
10. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
10.1 Access and Portability
You have the right to request access to the personal information we hold about you and to receive a copy of your data in a structured, commonly used, and machine-readable format.
10.2 Rectification
You have the right to request correction of any inaccurate or incomplete personal information we hold about you.
10.3 Erasure
You have the right to request deletion of your personal information, subject to certain exceptions required for legal compliance or legitimate business purposes.
10.4 Restriction and Objection
You have the right to request restriction of processing or object to processing of your personal information in certain circumstances.
10.5 Withdrawal of Consent
Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
10.6 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@bugrit.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with a supervisory authority if you believe your rights have been violated.
11. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
- Right to Opt-Out: We do not sell personal information, but you may opt out of any future sales.
To exercise your California privacy rights, contact us at privacy@bugrit.com or call us at our designated toll-free number.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.3 and at rest using AES-256
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Employee training on data protection and security practices
- Incident response procedures and breach notification protocols
- SOC 2 Type II compliance (in progress)
While we strive to protect your information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
13. Children's Privacy
Our Service is not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe we may have collected information from a child, please contact us at privacy@bugrit.com.
14. Third-Party Links
Our Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify you by email or through a prominent notice on our Service
- Obtain your consent where required by applicable law
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
16. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
Polyglyph Analytica
Email: privacy@bugrit.com
Data Protection Officer: dpo@bugrit.com
We will endeavour to respond to your enquiry within 30 days.