Privacy Policy
Effective date: July 14, 2025
Last updated: March 28, 2026
Coderhelm ("we", "us", "our") operates the coderhelm.com website and the Coderhelm GitHub App (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. By using the Service, you acknowledge the practices described herein.
1. Information We Collect
1.1 Account & Authentication Data
When you install the Coderhelm GitHub App, we receive the following via the GitHub API:
- GitHub username and associated email address
- GitHub user ID and avatar URL
- Organization name (if installed on an organization)
- GitHub App installation ID
- Repository names, default branches, and visibility settings for repos you grant access to
We store your installation ID, organization name, and user identifiers in our database to manage your tenant and authenticate dashboard sessions.
1.2 Source Code & Repository Content
When Coderhelm processes a GitHub issue, it reads repository files, directory structures, and CI configurations via the GitHub API to understand your codebase. Source code is processed entirely in-memory and is never persisted — it is not written to databases, object storage, log files, or any durable medium. Once a run completes, all in-memory code data is discarded.
1.3 Run & Usage Metadata
For each run, we record:
- Run ID, status, and timestamps
- Issue/PR identifiers and titles
- Token counts (input/output) and estimated cost
- Number of files modified and pass durations
- Branch names and PR URLs
This metadata powers the dashboard and usage tracking. It does not include source code content.
1.4 Jira Integration Data
If you connect a Jira workspace to Coderhelm, we receive the following via the Atlassian API:
- Jira OAuth access and refresh tokens (stored encrypted)
- Jira Cloud site ID and site URL
- Project keys, issue keys, and issue metadata (titles, descriptions, status)
- Atlassian account ID of the authorizing user
Jira tokens are used solely to read and create issues on your behalf. They are stored encrypted at rest and can be revoked at any time from your Jira settings.
1.5 Google Authentication Data
If you sign in with Google, we receive the following via Google OAuth:
- Email address and email verification status
- Display name and profile picture URL
We use this information solely to create and authenticate your dashboard account. We do not access your Google Drive, Gmail, Calendar, or any other Google services.
1.6 MCP Tool Integrations
Coderhelm supports user-configured Model Context Protocol (MCP) tool servers. When you configure an MCP server, the AI agent may send contextual data (such as file paths, code snippets, or issue metadata) to that server during a run. MCP servers are configured and controlled by you, and data is sent only at your direction. We do not operate or control third-party MCP servers, and their use is subject to their own privacy policies.
1.7 Automatically Collected Data
When you visit coderhelm.com, we may automatically collect:
- IP address and approximate geographic location
- Browser type, operating system, and device information
- Pages visited, referral URLs, and time spent on pages
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process GitHub webhook events and perform the coding tasks you request
- Authenticate you and manage your dashboard sessions
- Display run history, usage statistics, and billing information
- Send transactional emails (run completions, billing receipts, security alerts)
- Enforce rate limits and prevent abuse
- Respond to support requests and communicate with you about the Service
- Improve and optimize the Service's performance and user experience
- Comply with legal obligations
3. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract: Processing necessary to deliver the Service you signed up for (Article 6(1)(b) GDPR)
- Legitimate interests: Processing necessary for our legitimate business interests, such as fraud prevention, security, and improving the Service, where these interests are not overridden by your rights (Article 6(1)(f) GDPR)
- Consent: Where you have given consent for specific processing activities, such as marketing communications (Article 6(1)(a) GDPR)
- Legal obligation: Processing necessary to comply with applicable laws (Article 6(1)(c) GDPR)
4. Disclosure & Sharing of Information
We do not sell, rent, or trade your personal data. We may share information only in the following circumstances:
- Service providers: With third-party vendors who assist in operating the Service (see Section 5), bound by data processing agreements
- Legal requirements: When required by law, regulation, legal process, or governmental request
- Safety & security: To protect the rights, property, or safety of Coderhelm, our users, or the public
- Business transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, with notice to affected users
5. Sub-Processors & Third-Party Services
We use the following third-party services to operate the Service:
| Provider | Purpose | Data Processed |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting, compute, data storage, and transactional email delivery | All service data |
| Anthropic | AI model inference for code generation and analysis | Source code (in-memory only), issue metadata |
| GitHub | Authentication, repository access, webhook delivery | Account data, repository metadata |
| Google (OAuth) | User authentication via Google Sign-In | Email, display name, profile picture |
| Atlassian (Jira) | Issue tracking integration | Jira OAuth tokens, project/issue metadata |
Each sub-processor operates under its own privacy policy and is bound by data processing agreements where applicable.
User-configured MCP servers: If you configure third-party MCP tool servers, data may be sent to those servers at your direction during runs. These are not Coderhelm sub-processors — you are responsible for evaluating their privacy practices.
6. International Data Transfers
Our Service infrastructure is located in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. We ensure appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all sub-processors
- Encryption of data in transit and at rest
7. Data Retention
- Run metadata: Retained for 90 days, then automatically deleted
- Account/tenant data: Retained while your GitHub App installation is active. Upon uninstallation, tenant records are deactivated and all associated data is deleted within 30 days
- Billing records: Retained as required by tax and accounting laws (typically 7 years for financial records)
- Source code: Never persisted — discarded from memory immediately after each run
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, as required by applicable law. Notification will be sent to the email address associated with your account and will include: the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.
9. Data Security
We implement industry-standard technical and organizational measures to protect your data, including:
- All data in transit encrypted via TLS 1.2+
- All data at rest encrypted using AES-256
- Secrets (API keys, webhook secrets, private keys) stored in a managed secrets vault
- Infrastructure access restricted via IAM policies and least-privilege principles
- Web Application Firewall (WAF) protecting all public endpoints
- Regular security reviews of application code and dependencies
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
10. Cookies & Tracking
The coderhelm.com website uses a session cookie (coderhelm_session) to maintain your authenticated dashboard session. This is a strictly necessary cookie and does not require consent under ePrivacy regulations.
We do not use advertising cookies, third-party tracking pixels, or analytics services that track you across other websites. We do not participate in ad networks or cross-site tracking.
11. AI & Automated Processing
Coderhelm uses large language models (LLMs) to analyze code and generate pull requests. This processing is automated and occurs on your behalf when you assign an issue. Key points:
- Your source code is sent to an AI model provider for inference only — it is not used for model training
- No human reviews your source code during normal operation of the Service
- You retain full control over whether to merge any AI-generated changes
- You may request information about how automated decisions affect your data by contacting us
12. Your Rights
Depending on your location, you may have the following rights:
All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data
- Uninstall: Revoke all repository access at any time by uninstalling the GitHub App
EEA / UK / Swiss Residents (GDPR)
- Restriction: Request restriction of processing in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing
- Lodge a complaint: File a complaint with your local data protection authority
California Residents (CCPA / CPRA)
- Right to know: Request the categories and specific pieces of personal information collected about you
- Right to delete: Request deletion of personal information
- Right to correct: Request correction of inaccurate personal information
- Right to opt-out of sale: We do not sell personal information. No opt-out is necessary
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise any of these rights, email us at privacy@coderhelm.com. We will respond within 30 days (or as required by applicable law).
13. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information promptly.
14. Do Not Track
We do not track users across third-party websites and therefore do not respond to Do Not Track (DNT) signals. As noted in Section 10, we do not use third-party tracking technologies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you by email or through the Service. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices:
- Email: privacy@coderhelm.com
- General support: support@coderhelm.com