Privacy Policy
Last updated: 23 April 2026 · Effective: 23 April 2026
Summary (read this first)
- We scan the source code you point us at, produce a quality report, and store that report for 90 days. Then we delete it.
- We do not use your code to train AI models. Not ours, not anyone else's.
- We do not sell your data. We do not share it with advertisers.
- Your code is sent to our AI provider (Anthropic) only to generate your scan — under a commercial agreement that prohibits training on your content.
- You can delete your data and revoke the GitHub App at any time.
The rest of this page is the full detail. If anything here contradicts the summary above, the summary wins.
Who we are
AI Vyuh Code QA ("Code QA", "we", "us") is a service operated by AI Vyuh, a venture of Atin Agarwal, based in India. You can reach us at codeqa@aivyuh.com.
What this policy covers
This policy applies to:
- The website at codeqa.aivyuh.com
- The Vibe Code QA GitHub App
- The Code QA API at codeqa-api.aivyuh.com
- Any scan reports we generate and deliver to you
What we collect, and why
1. Your source code (when you run a scan)
When you install our GitHub App on a repository and trigger a scan (automatically on push/PR, or manually via our API), we temporarily access the source code in that repository. We need this to run the scan — it is the product.
How long we keep it:
- While a scan is running, your repository is cloned into ephemeral Lambda storage (/tmp) and, for pipeline reliability, an encrypted copy may be staged in an access-controlled AWS S3 bucket. This staged copy is automatically deleted within 24 hours by an S3 lifecycle rule.
- After the scan completes, we keep the scan report — findings, severity, summaries, and a quality score. Reports may quote short code snippets where needed to illustrate a finding.
- Scan reports are retained for 90 days in the same access-controlled, encrypted S3 bucket (public access blocked, S3-managed encryption), then automatically deleted.
- We do not maintain long-term copies of your source code anywhere else.
Who can access it:
- The user or team who installed the GitHub App on the repository.
- Our AI provider (Anthropic), briefly, during scan execution only. See "Subprocessors" below.
- Authorised AI Vyuh personnel for operational support, on a need-to-know basis.
- Nobody else. We do not share your source code with advertisers, data brokers, or third parties outside this list.
2. GitHub App installation data
When you install our GitHub App, GitHub shares with us:
- Your GitHub installation ID (how we know which org/user the scan belongs to)
- The list of repositories you granted access to
- GitHub user/org identifiers for the installer
We store this as long as the installation is active, plus up to 90 days after uninstall for operational audit logs. Uninstalling the GitHub App revokes our access immediately.
3. Scan metadata and usage
For each scan we record:
- Scan ID, timestamp, repository identifier, tier selected
- Number of files analysed, lines of code scanned, language breakdown
- Duration, cost (for our accounting), findings count by severity
We use this for rate limiting, free-tier enforcement, billing (where applicable), aggregate product analytics, and cost monitoring. We may publish aggregated statistics (e.g. "teams scanned 50K LOC on average") but never anything that identifies your repository or team.
4. Website analytics
The marketing site codeqa.aivyuh.com uses Google Analytics 4 to understand visitor behaviour (pages viewed, approximate location, referrer). Analytics is disabled for authenticated scan dashboards — we do not track your scan activity for advertising purposes.
5. Account and billing data
If you become a paid customer in the future, we will collect billing contact information and process payments via a third-party payment processor (e.g. Stripe or Razorpay). We do not store your card details ourselves.
6. Communications
If you email us, fill in the intake form, or contact support, we keep that correspondence as long as needed to respond and for reasonable operational records (typically up to 2 years).
How your code is used during a scan
This is the part most teams care about, so we are explicit.
- Your repository is cloned using the short-lived installation token granted by the GitHub App.
- The clone is processed by our analysis engine (AWS Lambda, running in region ap-south-1, Mumbai). For pipeline reliability, intermediate artifacts may be staged in an encrypted, access-controlled S3 bucket and are auto-deleted within 24 hours.
- The engine forwards portions of your code to our AI provider, Anthropic (Claude API), purely to generate the findings.
- Findings are assembled into a report and stored in S3 for 90 days. You are notified via a GitHub PR comment with a link.
- Ephemeral Lambda storage is cleared at the end of the invocation. No long-term copy of your source code is kept.
Training. Neither AI Vyuh nor Anthropic uses your code to train foundation models. Anthropic's commercial API terms contractually prohibit training on customer inputs. We have no mechanism to train any model on your code and no intention to build one.
Subprocessors
We use the following third parties ("subprocessors") to run Code QA. Each handles specific categories of data under its own terms:
| Subprocessor | Purpose | Data |
|---|---|---|
| Amazon Web Services | Hosting, compute, storage (Lambda, S3, DynamoDB) | Scan inputs (ephemeral), scan reports, installation metadata. Region: Mumbai (ap-south-1). |
| Anthropic | AI model provider (Claude API) | Code snippets sent for analysis. No training on customer inputs per Anthropic's commercial terms. |
| GitHub | App distribution, repository access | Installation data, webhook deliveries. |
| Google Analytics | Website analytics (marketing site only) | Page views, referrers, approximate geography. No scan data. |
| Google Workspace | Email communication | Email content you send us. |
We will update this list when it changes. If we add a new subprocessor with access to your code, we will announce it on this page.
Legal basis for processing
Depending on which law applies to you:
- GDPR (EU/UK): We process your data to perform our contract with you (running scans you requested), for our legitimate interest in operating and securing the service, and to comply with legal obligations.
- DPDP Act (India): We process personal data with your consent and as necessary to provide the service you have signed up for.
- Other jurisdictions: We rely on the equivalent contract-performance and legitimate-interest basis.
Your rights
Whatever jurisdiction you are in, you can ask us to:
- Access a copy of the data we hold about you
- Correct data that is wrong
- Delete your data (we will honour this unless we are legally required to keep something)
- Export your scan reports before deletion
- Withdraw consent by uninstalling the GitHub App or emailing us
Email codeqa@aivyuh.com with "Data request" in the subject. We aim to respond within 30 days.
Security
We take reasonable measures to protect your data:
- All traffic to our API and website is TLS-encrypted
- Secrets (API keys, GitHub App private key) are stored in AWS Secrets Manager, not in code
- S3 buckets holding scan reports are access-controlled; report URLs are presigned and time-limited
- Source code is never written to persistent storage during analysis
- Access to production systems is limited to authorised AI Vyuh personnel
No security measure is perfect. If you believe your account or data may have been compromised, email codeqa@aivyuh.com immediately.
International data transfers
We process data primarily in AWS Mumbai (ap-south-1). The Anthropic API processes data in the United States. If you are in the EU/UK, your code may therefore cross borders — this is a standard arrangement for AI-powered services and relies on the subprocessor's own compliance posture (Anthropic publishes its legal terms for reference).
Children
Code QA is a developer tool. It is not intended for anyone under 16. We do not knowingly collect data from children.
Changes to this policy
If we make material changes, we will update the "Last updated" date at the top and, for paid customers, notify the account email. Continuing to use Code QA after a change means you accept the updated policy.
Contact
Questions, data requests, or concerns:
- Email: codeqa@aivyuh.com
- Subject line tip: "Privacy" or "Data request"
This policy is written in plain English and is the authoritative version. If we produce translated versions in future, the English version controls in case of conflict.