1. Introduction and Scope
This Privacy Policy ("Policy") describes how CodePeel, a product of Forinit Tech Private Limited, a company incorporated under the laws of India ("we," "us," "our," or the "Company") collects, uses, processes, stores, shares, and protects information obtained from users ("you," "your," or "User") of the CodePeel platform, including but not limited to the web application located at codepeel.com, the CodePeel GitHub App, the CodePeel VS Code Extension, the CodePeel MCP Server, the CodePeel CLI, and any associated APIs, services, tools, or features (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, you must discontinue use of the Service immediately. Your continued use of the Service following the posting of changes to this Policy constitutes your acceptance of those changes.
This Policy applies to all information collected through the Service, as well as any related services, sales, marketing, or events. It does not apply to information collected by third parties, including any third-party websites, services, or applications that may be accessible through links on our Service.
We reserve the right to modify this Privacy Policy at any time. Changes will be effective immediately upon posting to the Service. We will make reasonable efforts to notify users of material changes via email or through the Service interface, but it is your responsibility to review this Policy periodically.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use the Service, we may collect the following information that you provide directly:
- Account Information: Your GitHub username, display name, email address, and profile avatar, obtained through GitHub OAuth authentication. This information is retrieved via the GitHub OAuth 2.0 authorization flow when you first sign in to the Service, and is used to create and maintain your user profile within our system. We store this data in Google Cloud Firestore and use it to identify your account, personalize your experience, and communicate with you regarding Service-related matters. Under GDPR Article 6(1)(b), this processing is necessary for the performance of the contract between you and CodePeel, as we cannot provide the Service without establishing your identity.
- Payment Information: Billing details processed through our payment provider (Polar.sh), including your subscription tier, billing cycle dates, payment method type, and transaction history. We do not directly store credit card numbers, bank account details, CVV codes, or other sensitive financial instrument data on our servers; all payment card processing is handled exclusively by Polar.sh, which is PCI-DSS compliant. In the event of a payment dispute, chargeback, or refund request, we may receive limited transaction identifiers from Polar.sh necessary to resolve the matter, but at no point do we have access to your full payment card details. This arrangement complies with the Reserve Bank of India's guidelines on storage of payment system data and DPDPA Section 6 regarding purpose limitation.
- Communication Data: Information you provide when contacting support, submitting feedback, or communicating with us through any channel including email, in-app chat, social media platforms, or community forums. This includes the content of your messages, any attachments you provide, your contact details, and metadata such as timestamps and communication channel identifiers. We retain communication data to maintain a record of support interactions, improve our response quality, identify recurring issues, and fulfill any commitments made during the exchange. Under GDPR Article 6(1)(f), we process this data based on our legitimate interest in providing effective customer support and improving the Service.
- Preferences and Settings: Configuration choices you make within the Service, including review preferences (such as severity thresholds, language-specific rules, and file exclusion patterns), notification settings (email frequency, GitHub comment preferences, in-app alert configurations), API token configurations, and repository-specific settings stored in .codepeel.yml files. These preferences are stored in association with your user account and applied automatically during subsequent code reviews to ensure consistent behavior aligned with your expectations. We process this data under GDPR Article 6(1)(b) as it is necessary to deliver the personalized service you have configured, and under DPDPA Section 4 as processing for a lawful purpose directly related to the function for which the data was provided.
- Learned Rules and Knowledge Base: Preferences, conventions, coding standards, and rules you teach to the Service through @codepeel chat interactions, learn: commands, dashboard configuration interfaces, or .codepeel.yml rule definitions. This includes custom regex patterns for detecting project-specific issues, team coding conventions (such as naming standards, architectural patterns, or forbidden API usage), and contextual preferences that improve review accuracy over time. The learned knowledge base is stored per-repository and per-user, is editable and deletable through the dashboard at any time, and is never shared with other users or organizations without your explicit consent. Processing of this data is based on GDPR Article 6(1)(a) (consent) as you actively choose to teach the system, and DPDPA Section 6 regarding purpose limitation; the data is used solely to improve the relevance of reviews for your specific repositories.
2.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain information:
- Usage Data: Review counts, credit consumption, API call frequency, feature usage patterns, timestamps of interactions, session duration, and interaction sequences within the Service interface. This data is collected to enforce plan quotas (e.g., 30 reviews/month for Free tier, 500 for Pro), calculate billing, identify usage anomalies that may indicate abuse or unauthorized access, and generate aggregated analytics that inform product development decisions. We do not use usage data to build individual behavioral profiles for advertising purposes. This processing is conducted under GDPR Article 6(1)(b) (contract performance for quota enforcement) and Article 6(1)(f) (legitimate interest for service improvement and security monitoring).
- Repository Metadata: Repository names, organization names, pull request numbers, branch names, file paths, commit SHAs, and pull request titles necessary to perform code reviews and display results in context. This metadata is received through GitHub webhook payloads when pull request events are triggered, and is used to route reviews to the correct repository, display findings in the appropriate file context, and maintain an audit trail of review activity. We do not access or store the full contents of your repositories, only the specific metadata fields required for review orchestration. Under the Information Technology Act, 2000, Section 43A, this constitutes reasonable collection limited to the purpose of service delivery.
- Code Diffs: The content of pull request diffs (additions and deletions) transmitted to our servers for the purpose of AI analysis, including changed lines of source code, configuration files, documentation, and any other file types included in the pull request. See Section 4 for comprehensive details on how code is processed, which third-party providers receive it, retention periods, and the technical safeguards in place. The diff content is fetched using the GitHub API with the permissions granted through your GitHub App installation, and only includes the changed lines, not the entire file or repository contents. This processing is conducted under GDPR Article 6(1)(b) as it is the core contractual obligation of the Service.
- Device and Browser Information: IP address, browser type and version (e.g., Chrome 125, Firefox 128), operating system and version, device identifiers, screen resolution, language preferences, time zone, and referring URLs when accessing the web application. This information is collected automatically through standard HTTP headers and is used for security purposes (detecting suspicious login patterns, preventing brute-force attacks, identifying geographic anomalies), optimizing the Service for different devices and browsers, and complying with legal requirements for access logging. IP addresses are not used for precise geolocation tracking and are retained only in server logs for 30 days as described in Section 6. This processing is based on GDPR Article 6(1)(f) (legitimate interest in security and service optimization).
- Log Data: Server logs including request timestamps, HTTP methods, request paths, response status codes, response times, error messages, stack traces (with sensitive data redacted), and performance metrics necessary for maintaining service reliability and diagnosing issues. These logs are generated automatically by our Firebase Cloud Functions infrastructure and are essential for identifying and resolving service disruptions, monitoring system health, detecting security incidents, and meeting our obligations under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Log data is retained for 30 days and then automatically purged through Google Cloud's log retention policies.
- Analytics Data: Anonymized usage analytics collected through Vercel Web Analytics and Firebase Analytics to understand how users interact with the Service interface, including page views, navigation patterns, feature adoption rates, and performance metrics (page load times, time to interactive). This data is aggregated and does not include personally identifiable information; individual users cannot be identified from analytics data alone. We use this information to prioritize feature development, identify usability issues, optimize performance, and measure the impact of changes to the Service. Analytics processing is based on GDPR Article 6(1)(f) (legitimate interest in service improvement) and complies with DPDPA Section 4 regarding lawful processing for a specified purpose.
2.3 Information from Third Parties
We may receive information about you from third-party sources:
- GitHub: Repository access permissions, organization membership details, pull request events (opened, synchronized, reopened), issue comment events, installation events, and comment data transmitted via GitHub webhooks configured during the GitHub App installation process. This information is received in real-time when relevant events occur in your repositories and is used to trigger automated reviews, verify that you have authorized access to the repositories being reviewed, and deliver review findings as pull request comments. The scope of data received is determined by the permissions you grant during GitHub App installation, which you can review and modify at any time through GitHub Settings > Applications > Installed GitHub Apps. This data sharing is governed by GitHub's Terms of Service and our GitHub App's privacy policy disclosure.
- Payment Providers: Subscription status (active, cancelled, past_due, trialing), payment success/failure notifications, billing cycle start and end dates, plan tier changes, and refund/chargeback events from Polar.sh. This information is received through Polar.sh webhooks and is used to maintain accurate subscription state in our system, enforce plan-appropriate quotas and feature access, send billing-related notifications, and resolve payment disputes. We do not receive or store your payment card details through these webhooks, only subscription lifecycle events and identifiers. This processing is necessary for contract performance under GDPR Article 6(1)(b) and complies with DPDPA Section 4(1) regarding processing for a lawful purpose.
- AI Service Providers: Response data from language model providers used to generate code review findings, including structured JSON responses containing identified issues, severity classifications, explanations, and suggested code fixes. These providers do not return personally identifiable information about you, and the responses contain only the analytical output generated from the code diff submitted for review. The AI providers we use (Groq, Mistral, Google Gemini, MiniMax, NVIDIA, Cerebras, OpenRouter, LLM7) operate under their respective terms of service and data processing agreements, and we select providers that contractually commit to not training on customer-submitted data. However, we cannot independently audit or guarantee the internal data handling practices of these third-party providers.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve the core functionality of the Service, including performing AI-powered code reviews, posting findings to your pull requests, and generating fix suggestions. This encompasses the entire review pipeline from receiving GitHub webhook events, fetching pull request diffs via the GitHub API, routing code to appropriate AI language model providers, parsing and structuring the AI response, and posting formatted review comments back to your pull request. Service delivery also includes the IDE review functionality (VS Code Extension and MCP Server), which processes code snippets submitted directly from your development environment through our secure API endpoints. Under GDPR Article 6(1)(b), this processing is necessary for the performance of the contract between you and CodePeel.
- Account Management: To create and manage your account, authenticate your identity through GitHub OAuth, maintain your subscription and billing status, enforce plan-appropriate access controls, and provide account recovery mechanisms. Account management includes verifying your identity when you log in, maintaining session state, synchronizing your subscription tier with feature access permissions, and processing account deletion requests within the 30-day timeframe specified in Section 6. This processing is necessary for contract performance under GDPR Article 6(1)(b) and complies with DPDPA Section 6 regarding purpose limitation; account data is used solely for the purposes of maintaining your relationship with the Service.
- Personalization: To store and apply your learned preferences, review rules, and repository-specific configurations to improve the relevance and accuracy of future reviews. Personalization includes applying custom regex rules defined in your .codepeel.yml configuration file, incorporating learned conventions from @codepeel chat interactions (such as preferred naming conventions, architectural patterns to enforce, or deprecated APIs to flag), and adjusting review behavior based on your severity threshold preferences. This processing ensures that the Service becomes more valuable over time as it adapts to your team's specific coding standards and practices. Under GDPR Article 6(1)(a), personalization based on learned rules is processed with your explicit consent, as you actively choose to teach the system.
- Billing and Payments: To process subscription payments through Polar.sh, track usage against your plan quota (30 reviews/month for Free, 500 for Pro, unlimited for Max), manage billing cycles and renewal dates, handle plan upgrades and downgrades, process refunds or disputes, and generate invoices or payment receipts. Billing data is shared with Polar.sh only to the extent necessary to process transactions, and we retain billing records for 7 years after account closure as required by Indian tax regulations under the Income Tax Act, 1961, and the Goods and Services Tax Act, 2017. This processing is necessary for contract performance under GDPR Article 6(1)(b) and legal obligation under GDPR Article 6(1)(c).
- Communication: To send transactional emails (review completion notifications, billing confirmations, payment receipts, security alerts, account verification), marketing communications (product updates, feature announcements, tips and best practices, promotional offers), respond to support requests, and provide service-related announcements such as scheduled maintenance or policy changes. Transactional communications are sent via Brevo from notifications@codepeel.com and cannot be opted out of while your account is active, as they are necessary for Service operation. Marketing communications are sent only with your consent and include a one-click unsubscribe mechanism in every email, as required by the CAN-SPAM Act, GDPR Article 7(3), and India's DPDPA Section 6(6) regarding withdrawal of consent. You may also manage your communication preferences through the Settings page in your dashboard.
- Security and Fraud Prevention: To detect, prevent, and respond to security incidents, unauthorized access attempts, abuse of the Service (such as automated scraping, rate limit circumvention, or credential stuffing attacks), and violations of our Terms of Service. Security measures include monitoring for anomalous API usage patterns, validating GitHub webhook signatures using HMAC-SHA256 to prevent spoofed events, implementing rate limiting per user and per IP address, and maintaining audit logs of administrative actions. This processing is based on our legitimate interest under GDPR Article 6(1)(f) in protecting the Service and its users, and complies with the Information Technology Act, 2000, Section 43A regarding implementation of reasonable security practices.
- Analytics and Improvement: To analyze usage patterns, identify bugs and performance bottlenecks, measure feature adoption rates, conduct A/B testing of interface improvements, and improve the overall quality, reliability, and performance of the Service. Analytics data is aggregated and anonymized wherever possible to minimize privacy impact while still providing actionable insights for product development. We do not use analytics data to build individual behavioral profiles for advertising or to make automated decisions that have legal or similarly significant effects on users. This processing is based on our legitimate interest under GDPR Article 6(1)(f) in continuously improving the Service.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests, including responding to court orders, subpoenas, or regulatory inquiries, and to establish, exercise, or defend legal claims. This includes maintaining records required by Indian tax law (Income Tax Act, 1961; GST Act, 2017), complying with data protection authorities' requests under GDPR Article 58 or DPDPA Section 27, and preserving evidence in connection with potential or actual litigation. We will notify you of legal requests for your data unless prohibited by law or court order from doing so. This processing is based on legal obligation under GDPR Article 6(1)(c) and compliance with the Information Technology Act, 2000.
We process your information based on the following legal bases: (a) performance of a contract (providing the Service you subscribed to), (b) legitimate interests (improving the Service, preventing fraud), (c) consent (where explicitly provided), and (d) legal obligations (compliance with applicable laws).
4. Code Processing and AI Analysis
4.1 How Code is Processed
When a pull request event triggers a review, the Service fetches the diff (changed lines only) from GitHub using the permissions granted through the GitHub App installation. This diff is transmitted to third-party AI language model providers for analysis. The AI providers process the code to identify bugs, security vulnerabilities, performance issues, and best practice violations.
4.2 Third-Party AI Providers
Code diffs may be processed by one or more of the following AI providers, depending on availability and routing: Groq, Mistral, Google (Gemini), MiniMax, NVIDIA, Cerebras, Bytez, OpenRouter, and LLM7. Each provider operates under its own privacy policy and data processing terms. We select providers that commit to not training on customer data, but we cannot guarantee the internal practices of third-party providers.
4.3 Code Retention
Raw code diffs are not persistently stored on our servers after the review is complete. The diff is held in memory during processing (typically 15-90 seconds) and discarded after the AI analysis returns results. We retain only the generated findings (severity, explanation, file path, line number, suggested fix) and review metadata (health score, finding counts, timestamps).
4.4 No Model Training
We do not use your code, diffs, or repository content to train, fine-tune, or improve AI models. Your code is used solely for the purpose of generating the specific review you requested. However, we cannot control whether third-party AI providers retain or use data transmitted to their APIs; you should review their respective privacy policies for details on their data handling practices.
5. Data Sharing and Disclosure
We do not sell your personal information or code to third parties. We may share information in the following limited circumstances:
- AI Service Providers: Code diffs are transmitted to AI language model providers solely for the purpose of generating code review analysis. These providers include Groq, Mistral, Google (Gemini), MiniMax, NVIDIA, Cerebras, Bytez, OpenRouter, and LLM7, and they process data according to their own terms of service and privacy policies. The transmission occurs over encrypted HTTPS connections, and we select providers that contractually commit to not retaining customer data beyond the immediate processing window or using it for model training purposes. Under GDPR Article 28, these providers act as data processors on our behalf, and we maintain data processing agreements with providers where available to ensure appropriate safeguards for your code.
- Payment Processors: Billing information is shared with Polar.sh to process subscription payments, manage your account status, handle plan changes, and facilitate refunds or dispute resolution. The information shared includes your email address, subscription tier, billing cycle dates, and transaction identifiers, but never your source code, review findings, or repository data. Polar.sh is PCI-DSS compliant and processes payment card data in accordance with Payment Card Industry standards, ensuring that sensitive financial information is handled with appropriate security controls. This sharing is necessary for contract performance under GDPR Article 6(1)(b) and complies with DPDPA Section 8 regarding disclosure to data processors.
- Infrastructure Providers: We use Google Cloud Platform (Firebase) for hosting, data storage (Firestore), serverless compute (Cloud Functions), authentication (Firebase Auth), and cloud messaging (FCM). Vercel is used for web application hosting, edge functions, and static asset delivery. These providers have access to data stored on their infrastructure as part of their service delivery, including encrypted database records, server logs, and application state. Both Google Cloud and Vercel maintain SOC 2 Type II compliance and implement industry-standard security measures. Data processing by these providers is governed by their respective data processing agreements, which include Standard Contractual Clauses for international transfers as required by GDPR Chapter V.
- Email Services: We use Brevo for transactional and marketing email delivery from the notifications@codepeel.com domain. Your email address, display name, and notification content (such as review summaries, billing confirmations, and security alerts) are shared with Brevo for the sole purpose of delivering communications you have opted into or that are necessary for Service operation. Brevo processes this data in accordance with their privacy policy and data processing agreement, and does not use recipient data for their own marketing purposes. This sharing is based on contract performance under GDPR Article 6(1)(b) for transactional emails and consent under Article 6(1)(a) for marketing communications.
- Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation issued by a court of competent jurisdiction or regulatory authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others, prevent fraud, or respond to a government request. This includes compliance with orders from Indian courts under the Code of Civil Procedure, 1908, requests from the Data Protection Board of India under DPDPA Section 27, and lawful interception requests under the Information Technology Act, 2000, Section 69. We will make reasonable efforts to notify affected users of legal requests for their data unless we are legally prohibited from doing so or the request relates to an ongoing criminal investigation where notification could compromise the investigation.
- Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or other corporate transaction involving Forinit Tech Private Limited, your information may be transferred to the acquiring entity as part of the business assets. We will provide at least 30 days' advance notice to affected users before any such transfer takes effect, and the acquiring entity will be bound by the terms of this Privacy Policy until a new policy is communicated to you. You will have the opportunity to delete your account and request data erasure before the transfer is completed if you do not wish your data to be transferred. This provision complies with GDPR Article 13(1)(e) regarding disclosure of recipients and DPDPA Section 8(8) regarding transfer of personal data in connection with business transactions.
- With Your Consent: We may share information with third parties when you have given explicit, informed, and freely-given consent to do so, such as when you authorize a third-party integration, participate in a joint promotion, or request that we share specific data with a designated recipient. Consent-based sharing will always be preceded by a clear explanation of what data will be shared, with whom, and for what purpose, and you may withdraw your consent at any time by contacting us at business@forinit.com or through the Settings page in your dashboard. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, in accordance with GDPR Article 7(3) and DPDPA Section 6(6).
6. Data Retention
We retain different categories of data for different periods:
- Account Information: Retained for the lifetime of your account and deleted within 30 days of receiving a verified account deletion request. Account information includes your GitHub username, email address, display name, profile avatar, and account creation date. Upon deletion, we remove your account record from Firestore, revoke any active API tokens, and purge associated data from our backup systems within the 30-day window. This retention period complies with GDPR Article 17 (right to erasure) and DPDPA Section 12(3) regarding erasure of personal data upon withdrawal of consent or when the specified purpose has been fulfilled.
- Review Findings and Metadata: Retained for the lifetime of your account to provide review history, analytics dashboards, trend analysis, and historical reference functionality. Review metadata includes health scores, finding counts by severity, timestamps, repository identifiers, pull request numbers, and individual finding records (severity, explanation, file path, line number, suggested fix). This data enables features such as the review history timeline, code health trends, and team performance analytics. Upon account deletion, all review findings and metadata are permanently deleted within 30 days. We do not retain anonymized versions of individual review findings after account deletion.
- Code Diffs: Not retained on our servers or in any persistent storage medium. Code diffs are processed exclusively in memory (RAM) within our Firebase Cloud Functions execution environment and are discarded immediately after the AI analysis returns results, typically within 15-90 seconds of receipt. At no point are raw code diffs written to disk, stored in a database, cached in a CDN, or persisted in any form that survives the function execution lifecycle. This zero-retention approach ensures that your source code is never at rest on our infrastructure, minimizing the risk of data breach exposure. This practice exceeds the requirements of GDPR Article 5(1)(e) regarding storage limitation and aligns with the principle of data minimization under DPDPA Section 4(2).
- Learned Rules: Retained until you manually delete them through the dashboard interface, modify them via .codepeel.yml configuration changes, or request complete account deletion. Learned rules include custom regex patterns, coding conventions, architectural preferences, and any other knowledge you have explicitly taught to the Service through chat interactions or configuration. You have full control over your learned rules at all times; you can view, edit, or delete individual rules through the dashboard without affecting other account data. Upon account deletion, all learned rules are permanently removed within 30 days. This processing complies with GDPR Article 17 and DPDPA Section 12 regarding the right to erasure.
- Usage and Billing Data: Retained for the lifetime of your account plus an additional 7 years after account closure for tax compliance, financial auditing, and legal purposes. This extended retention is required by the Indian Income Tax Act, 1961 (Section 44AA regarding maintenance of books of account), the Goods and Services Tax Act, 2017 (Section 36 regarding period of retention of accounts), and general commercial law requirements for maintaining financial records. Usage and billing data includes review counts, subscription payment records, plan change history, invoice data, and credit consumption logs. After the 7-year retention period expires, this data is permanently deleted or irreversibly anonymized. This retention is based on legal obligation under GDPR Article 6(1)(c) and Article 17(3)(b) regarding exceptions to the right to erasure for legal compliance.
- Server Logs: Retained for 30 days for debugging, performance monitoring, security incident investigation, and abuse detection, then automatically purged through Google Cloud's log retention policies. Server logs include request timestamps, HTTP methods, request paths, response codes, response times, IP addresses, user agent strings, and error details. The 30-day retention period balances our legitimate need for operational visibility and security monitoring against the principle of storage limitation. Logs older than 30 days are irrecoverably deleted and cannot be restored. This retention period complies with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which require maintenance of security logs for a reasonable period.
- Analytics Data: Aggregated and anonymized analytics are retained indefinitely as they cannot be linked back to individual users and therefore do not constitute personal data under GDPR Article 4(1) or DPDPA Section 2(t). Individual session data (page views, navigation paths, feature interactions attributed to a session identifier) is retained for 90 days to enable short-term trend analysis and then automatically purged. The anonymization process removes all direct and indirect identifiers, ensuring that the retained aggregate data cannot be re-identified through combination with other datasets. This approach complies with GDPR Recital 26 regarding the inapplicability of data protection principles to anonymous information and DPDPA Section 2(t) which excludes anonymized data from the definition of personal data.
Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).
7. Data Security
We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in Transit: Encryption of data in transit using TLS 1.2 or higher (with TLS 1.3 preferred where supported) for all API communications, webhook payloads, and web application traffic. This ensures that all data exchanged between your browser, GitHub, our servers, and AI providers is protected against interception, man-in-the-middle attacks, and eavesdropping during transmission. Our TLS configuration follows industry best practices including strong cipher suites, HTTP Strict Transport Security (HSTS) headers, and certificate transparency logging. This measure complies with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 8 regarding encryption of sensitive personal data during transit.
- Encryption at Rest: Encryption of data at rest using AES-256 encryption for all stored data in Google Cloud Firestore, including account information, review findings, learned rules, and billing records. AES-256 is a symmetric encryption standard approved by the U.S. National Institute of Standards and Technology (NIST) and is considered computationally infeasible to break with current technology. Encryption keys are managed by Google Cloud's Key Management Service (KMS) with automatic key rotation, and we do not have direct access to the raw encryption keys. This measure exceeds the requirements of DPDPA Section 8(4) regarding reasonable security safeguards and complies with ISO/IEC 27001 standards for information security management.
- Webhook Signature Verification: GitHub webhook signature verification using HMAC-SHA256 to ensure the authenticity and integrity of incoming webhook events, preventing unauthorized parties from triggering reviews or injecting malicious payloads. Every incoming webhook request is validated against a shared secret configured during GitHub App installation, and requests that fail signature verification are immediately rejected with a 401 Unauthorized response and logged for security monitoring. This cryptographic verification ensures that only legitimate GitHub-originated events can trigger code review processing on our infrastructure. This measure aligns with OWASP API Security Top 10 recommendations and the Information Technology Act, 2000, Section 43A regarding reasonable security practices.
- API Token Authentication: API token authentication for all programmatic access to the Service, including the VS Code Extension, MCP Server, CLI, and direct API calls. Tokens are generated using cryptographically secure random number generators, stored as salted hashes in our database (never in plaintext), and can be revoked instantly through the Settings page in your dashboard. Each token is scoped to a specific user account and inherits that account's plan-level permissions and rate limits. Failed authentication attempts are rate-limited and logged for security monitoring, and accounts experiencing repeated failed attempts may be temporarily locked as a protective measure.
- Role-Based Access Controls: Role-based access controls (RBAC) limiting internal access to production data to authorized personnel only, with the principle of least privilege applied to all access grants. Production database access requires multi-factor authentication, is logged in an immutable audit trail, and is restricted to specific operational needs such as incident response, customer support escalation, or system maintenance. No employee has standing access to production data; access is granted on a just-in-time basis with automatic expiration. This measure complies with ISO/IEC 27001 Annex A.9 (Access Control) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Security Reviews and Dependency Auditing: Regular security reviews of our codebase, including automated dependency vulnerability scanning using tools such as npm audit and GitHub Dependabot, static analysis for common vulnerability patterns, and periodic manual security assessments of critical code paths (authentication, authorization, webhook processing, and payment handling). Dependencies are pinned to specific versions and updated promptly when security advisories are published, with critical vulnerabilities patched within 72 hours of disclosure. We maintain a responsible disclosure policy and welcome security researchers to report vulnerabilities through our contact channels. This practice aligns with OWASP Secure Development Lifecycle guidelines and the Information Technology Act, 2000, Section 43A.
- Session Management: Automatic session expiration after periods of inactivity, token rotation policies that periodically invalidate and reissue authentication tokens, and secure session storage using HTTP-only, Secure, and SameSite cookies that cannot be accessed by client-side JavaScript or transmitted over unencrypted connections. Sessions are invalidated immediately upon password change, account deletion, or explicit logout, and concurrent session limits prevent unauthorized access from going undetected. Token rotation ensures that even if a token is compromised, its useful lifetime is limited, reducing the window of opportunity for unauthorized access. These measures comply with OWASP Session Management guidelines and NIST SP 800-63B Digital Identity Guidelines.
Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept that you transmit information to the Service at your own risk, and you are responsible for maintaining the security of your account credentials, API tokens, and access to your GitHub account.
8. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right of Access: Request a copy of the personal information we hold about you, including the categories of data collected, the purposes of processing, the recipients or categories of recipients to whom data has been disclosed, and the envisaged retention periods. Under GDPR Article 15, you are entitled to receive this information in a commonly used, machine-readable format within 30 days of a verified request. Under DPDPA Section 11, you have the right to obtain a summary of your personal data being processed and the processing activities being carried out, including information about any other data fiduciaries with whom your data has been shared. We will provide this information free of charge for the first request in any 12-month period; subsequent requests may be subject to a reasonable administrative fee.
- Right to Rectification: Request correction of inaccurate, incomplete, or misleading personal information held about you, including updating your email address, display name, or other account details that may have become outdated. Under GDPR Article 16, we are obligated to rectify inaccurate personal data without undue delay upon receiving a verified request. Under DPDPA Section 12(1), you have the right to correction of inaccurate or misleading personal data, and we will process such requests within 15 days of receipt. Where we have disclosed the inaccurate data to third parties, we will take reasonable steps to inform those parties of the rectification, unless this proves impossible or involves disproportionate effort.
- Right to Erasure: Request deletion of your personal information, subject to legal retention requirements and legitimate grounds for continued processing (such as compliance with tax law or defense of legal claims). Under GDPR Article 17, you have the right to obtain erasure of personal data without undue delay where the data is no longer necessary for the purpose for which it was collected, you withdraw consent, or the data has been unlawfully processed. Under DPDPA Section 12(3), you may request erasure when the specified purpose has been fulfilled or consent has been withdrawn. We will process erasure requests within 30 days and confirm completion, noting any data that must be retained under legal obligation (such as billing records required by Indian tax law for 7 years).
- Right to Restrict Processing: Request that we limit how we use your personal information in certain circumstances, such as when you contest the accuracy of the data (restriction applies while we verify accuracy), when processing is unlawful but you prefer restriction over erasure, or when we no longer need the data but you require it for legal claims. Under GDPR Article 18, restricted data may only be processed with your consent, for legal claims, for protection of another person's rights, or for reasons of important public interest. During the restriction period, we will continue to store the data but will not process it for any other purpose without your explicit consent. We will inform you before any restriction is lifted.
- Right to Data Portability: Request a machine-readable copy of your personal data in a structured, commonly used format (such as JSON or CSV) for transfer to another service provider. Under GDPR Article 20, this right applies to data you have provided to us and that is processed based on consent or contract performance through automated means. Portable data includes your account information, review history, learned rules, and configuration settings. We will provide the exported data within 30 days of a verified request, and where technically feasible, we can transmit the data directly to another controller at your request. This right does not adversely affect the rights and freedoms of others, and does not apply to data processed for compliance with legal obligations.
- Right to Object: Object to processing of your personal information for certain purposes, including processing based on legitimate interests (GDPR Article 6(1)(f)), direct marketing, and profiling. Under GDPR Article 21, where you object to processing based on legitimate interests, we must cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. Where you object to processing for direct marketing purposes, we will cease such processing immediately and without exception. You may exercise this right by contacting us at business@forinit.com or through the unsubscribe mechanism in marketing communications.
- Right to Withdraw Consent: Where processing is based on your consent (such as marketing communications, learned rules, or optional analytics), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal. Under GDPR Article 7(3), withdrawal of consent must be as easy as giving consent; you can withdraw by clicking unsubscribe links, deleting learned rules through the dashboard, adjusting settings, or contacting us directly. Under DPDPA Section 6(6), you have the right to withdraw consent at any time, and we will cease processing based on that consent within a reasonable timeframe (typically 48 hours for automated systems, 30 days for manual processes). Withdrawal of consent may result in reduced functionality of the Service where the withdrawn consent was necessary for specific features.
To exercise any of these rights, contact us at business@forinit.com or through our contact page. We will respond to verified requests within 30 days.
You may also revoke the CodePeel GitHub App's access to your repositories at any time through your GitHub Settings > Applications > Installed GitHub Apps. Revoking access immediately stops all webhook events and prevents further code analysis.
9. Cookies and Tracking Technologies
The Service uses the following cookies and tracking technologies:
- Authentication Cookies: Session cookies to maintain your logged-in state across page navigations and browser sessions. These are essential first-party cookies that are strictly necessary for the Service to function and cannot be disabled without losing access to authenticated features. Authentication cookies are HTTP-only (inaccessible to client-side JavaScript), marked as Secure (transmitted only over HTTPS), and use the SameSite=Lax attribute to prevent cross-site request forgery (CSRF) attacks. These cookies expire upon session termination or after a defined inactivity period, and do not track your activity across other websites. Under GDPR Recital 30 and the ePrivacy Directive Article 5(3), strictly necessary cookies are exempt from consent requirements as they are essential for providing the service explicitly requested by the user.
- Preference Cookies: First-party cookies to remember your settings and preferences such as theme selection (light/dark mode), sidebar collapse state, dashboard layout preferences, and notification dismissal states. These cookies enhance your user experience by persisting your interface customizations across sessions, eliminating the need to reconfigure the interface each time you visit. Preference cookies are stored locally in your browser, are not transmitted to third parties, and can be cleared at any time through your browser settings without affecting your account data (preferences will simply reset to defaults). Under the ePrivacy Directive, these cookies are considered functionality cookies and may require consent in certain jurisdictions; we obtain this consent through our cookie notice where applicable.
- Analytics: Vercel Web Analytics for understanding page views, user flows, navigation patterns, and performance metrics (page load times, time to interactive, core web vitals). This analytics data is aggregated at the page level and does not include personally identifiable information; individual users cannot be identified or tracked across sessions through this mechanism. Vercel Web Analytics does not use cookies for tracking and instead relies on anonymized, aggregated event data that is processed in compliance with GDPR without requiring individual consent. We do not use Google Analytics, Facebook Pixel, or any other third-party analytics platform that creates cross-site tracking profiles. This approach aligns with the data minimization principle under GDPR Article 5(1)(c) and DPDPA Section 4(2).
We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.
10. International Data Transfers
The Service is operated from infrastructure located in the United States (Google Cloud us-central1 region). If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.
By using the Service, you consent to the transfer of your information to the United States and acknowledge that data protection laws in the United States may differ from those in your jurisdiction. We implement appropriate safeguards for international transfers, including reliance on standard contractual clauses where applicable.
Third-party AI providers may process data in various jurisdictions depending on their infrastructure. We do not control the geographic location of processing by these providers.
11. Children's Privacy
The Service is designed for professional software developers and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us immediately at business@forinit.com.
12. Third-Party Links and Services
The Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices, content, or security of any third-party service. We encourage you to review the privacy policies of any third-party service before providing personal information or granting access permissions.
13. Limitation of Liability
To the maximum extent permitted by applicable law, CodePeel shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from or related to your use of the Service, including but not limited to:
- Loss of Data, Revenue, or Opportunities: Loss of data, revenue, profits, business opportunities, goodwill, or anticipated savings resulting from your use of or inability to use the Service. This includes but is not limited to losses arising from service downtime, data corruption, accidental deletion, or failure of the Service to detect critical issues in your code. You acknowledge that the Service is a supplementary tool and that you maintain independent backups and quality assurance processes for your critical business operations. Under the Indian Consumer Protection Act, 2019, and the Information Technology Act, 2000, Section 43A, our liability is limited to the extent permitted by applicable law.
- Unauthorized Access or Data Alteration: Unauthorized access to or alteration of your data or transmissions, including but not limited to breaches resulting from vulnerabilities in third-party infrastructure (Google Cloud, Vercel, GitHub), compromised API tokens due to your failure to maintain token security, or interception of data during transmission despite our implementation of industry-standard encryption. While we implement comprehensive security measures as described in Section 7, we cannot guarantee absolute security against all possible attack vectors, including zero-day exploits, advanced persistent threats, or state-sponsored attacks. You are responsible for maintaining the security of your own systems, credentials, and access controls that interact with the Service.
- Third-Party AI Provider Actions: Actions or inactions of third-party AI providers processing your code, including but not limited to data retention by providers contrary to their stated policies, unauthorized use of submitted code for model training, service outages affecting review availability, or generation of harmful or incorrect code suggestions. We select AI providers based on their stated data handling commitments and contractual obligations, but we cannot independently audit, monitor, or control the internal operations of these third-party services. You acknowledge that the use of third-party AI services introduces inherent risks that are outside our direct control, and you accept these risks as a condition of using the Service.
- Inaccurate Review Findings: Inaccurate, incomplete, misleading, or false-positive code review findings, suggestions, or recommendations generated by the AI analysis, including failure to detect critical security vulnerabilities, incorrect severity classifications, suggestions that introduce new bugs or security issues, or recommendations that conflict with your project's requirements or constraints. AI-powered code analysis is inherently probabilistic and operates on pattern recognition rather than formal verification; it may miss context-dependent issues, produce false positives for unconventional but correct code patterns, or generate suggestions that are syntactically valid but semantically incorrect for your specific use case. You are solely responsible for evaluating, testing, and validating all suggestions before applying them to your codebase, and the Service does not replace professional security auditing, comprehensive testing, or human code review.
- Third-Party Infrastructure Vulnerabilities: Security breaches, data loss, or service disruptions resulting from vulnerabilities, outages, or failures in third-party infrastructure including Google Cloud Platform, Vercel, GitHub, Polar.sh, Brevo, or any AI service provider. While we select infrastructure providers with strong security track records and compliance certifications (SOC 2, ISO 27001, PCI-DSS), we do not control their internal security practices, patch management timelines, or incident response procedures. In the event of a third-party infrastructure incident affecting your data, we will notify you as promptly as possible and cooperate with the affected provider to mitigate impact, but our liability is limited to the fees you have paid for the Service during the affected period.
- Service Interruptions: Service interruptions, downtime, degraded performance, or complete unavailability resulting from scheduled maintenance, unscheduled outages, infrastructure failures, network issues, DDoS attacks, or force majeure events (natural disasters, pandemics, government actions, or other circumstances beyond our reasonable control). While we strive to maintain high availability and will make reasonable efforts to minimize downtime, we do not guarantee any specific uptime percentage or service level agreement (SLA) unless separately agreed in writing. We will make reasonable efforts to provide advance notice of scheduled maintenance and to communicate promptly during unscheduled outages through our status page and notification channels.
You acknowledge that the Service provides automated code analysis as a supplementary tool and does not replace professional code review, security auditing, or quality assurance processes. You are solely responsible for evaluating and implementing any suggestions, fixes, or recommendations provided by the Service. CodePeel does not guarantee the accuracy, completeness, or fitness for purpose of any review findings or generated code.
14. User Responsibilities
By using the Service, you acknowledge and agree that:
- Legal Right to Submit Code: You are responsible for ensuring you have the legal right to submit code for analysis through the Service, including any code authored by third parties, code subject to open source licensing restrictions (GPL, LGPL, AGPL, MIT, Apache, BSD, or other licenses), proprietary code owned by your employer, or code subject to non-disclosure agreements or confidentiality obligations. This responsibility extends to ensuring that submitting code to a third-party AI service does not violate any contractual obligations you have with clients, employers, or collaborators, including but not limited to employment agreements, contractor agreements, or client service agreements that may restrict the sharing of source code with external services. Violation of third-party intellectual property rights or contractual obligations through use of the Service is solely your responsibility, and you agree to indemnify CodePeel against any claims arising from unauthorized code submission as described in Section 15.
- Validation of Suggestions: You are responsible for reviewing, testing, and validating all suggestions, fixes, auto-generated code, and recommendations before applying them to your codebase, including verifying that suggested changes do not introduce new bugs, security vulnerabilities, performance regressions, or compatibility issues. AI-generated suggestions are produced through probabilistic language models that may generate code that is syntactically correct but semantically flawed, that works in isolation but fails in the context of your specific application architecture, or that inadvertently introduces security vulnerabilities such as injection flaws, authentication bypasses, or data exposure. You should treat all AI-generated suggestions as untested proposals that require the same level of scrutiny as any other code change, including code review by qualified team members, automated testing, and integration testing before deployment to production environments.
- Account Security: You are responsible for maintaining the confidentiality of your account credentials, API tokens, GitHub access tokens, and any other authentication material associated with your use of the Service. This includes using strong, unique passwords, enabling two-factor authentication on your GitHub account, storing API tokens securely (never in source code, public repositories, or unencrypted configuration files), and revoking compromised tokens immediately through the Settings page. You must notify us immediately at business@forinit.com if you become aware of any unauthorized use of your account or any security breach affecting your credentials, and you are liable for all activity conducted through your account until such notification is received and processed.
- Prohibited Content: You will not use the Service to process code that contains classified information (as defined by applicable government classification systems), export-controlled technology (subject to the U.S. Export Administration Regulations, the International Traffic in Arms Regulations, or equivalent regulations in your jurisdiction), legally restricted information (such as protected health information under HIPAA without a BAA, or payment card data in violation of PCI-DSS), or content that violates applicable laws or regulations without appropriate authorization and safeguards. You acknowledge that the Service transmits code to third-party AI providers located in various jurisdictions, and that such transmission may constitute an export or transfer of controlled information under applicable export control laws. It is your sole responsibility to determine whether your code contains controlled or restricted information and to obtain any necessary authorizations before submitting it to the Service.
- Understanding AI Limitations: You understand that AI-generated code review findings may contain errors, false positives (flagging correct code as problematic), false negatives (failing to detect actual issues), incomplete analysis (missing context-dependent bugs), or recommendations that are inappropriate for your specific use case, technology stack, or architectural constraints. You acknowledge that the Service operates on pattern recognition and statistical inference rather than formal verification or mathematical proof, and that its accuracy varies depending on programming language, code complexity, domain-specific patterns, and the quality of the AI models available at the time of review. You will not rely solely on the Service for security compliance decisions, regulatory compliance verification, safety-critical system validation, or any other purpose where incorrect analysis could result in significant harm to persons, property, or business operations.
- Legal Compliance: You are responsible for compliance with all applicable laws and regulations in your jurisdiction regarding the processing, transmission, storage, and cross-border transfer of code and data through the Service. This includes but is not limited to data protection regulations (GDPR, CCPA, DPDPA, LGPD, PIPA, and other applicable privacy laws), export control regulations, intellectual property laws, employment laws regarding employer-owned code, industry-specific regulations (such as HIPAA for healthcare, PCI-DSS for payment processing, SOX for financial reporting, or ITAR for defense-related technology), and any contractual obligations that may restrict your use of third-party code analysis services. CodePeel does not provide legal advice regarding your compliance obligations, and you should consult qualified legal counsel if you are uncertain whether your use of the Service complies with applicable laws and regulations in your jurisdiction.
15. Indemnification
You agree to indemnify, defend, and hold harmless CodePeel, Forinit Tech Private Limited, its officers, directors, employees, agents, contractors, licensors, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and legal costs) arising from or related to: (a) your use of the Service in violation of this Privacy Policy, our Terms of Service, or applicable law; (b) your violation of any applicable law, regulation, or third-party right, including intellectual property rights, privacy rights, or contractual obligations; (c) any content, code, or data you submit to the Service, including claims that submitted code infringes third-party intellectual property rights or violates confidentiality obligations; (d) your failure to maintain adequate security of your account credentials, API tokens, or access controls; or (e) any dispute between you and a third party arising from your use of the Service or the application of AI-generated suggestions to your codebase. This indemnification obligation survives termination of your account and continues for a period of 2 years after your last use of the Service, or longer where required by applicable law.
16. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, including the categories of sources from which the information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information. Under CCPA Section 1798.110, we will provide this information in a readily usable format within 45 days of receiving a verifiable consumer request, with the possibility of a 45-day extension for complex requests. This right may be exercised up to twice in any 12-month period, and we will not charge a fee for processing these requests unless they are manifestly unfounded or excessive.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions permitted under CCPA Section 1798.105, including where retention is necessary to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech rights. Upon receiving a verified deletion request, we will delete your personal information from our records and direct our service providers to do the same within 45 days, and we will confirm the deletion in writing. Where we cannot delete certain data due to legal retention requirements (such as billing records required by tax law), we will inform you of the specific categories of data retained and the legal basis for retention.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights, including by denying you the Service, charging different prices or rates, providing a different level or quality of service, or suggesting that you will receive a different price or quality of service. Under CCPA Section 1798.125, this protection ensures that exercising your privacy rights does not result in any adverse treatment, retaliation, or degradation of service quality. However, if you request deletion of data that is necessary for Service functionality (such as account information), we may be unable to provide certain features that depend on that data, which does not constitute discrimination.
- Right to Opt-Out of Sale: We do not sell personal information as defined under CCPA Section 1798.140(ad), and therefore no opt-out mechanism is necessary. We do not share personal information for cross-context behavioral advertising, do not disclose personal information to third parties for monetary or other valuable consideration, and do not participate in data broker activities. If our practices change in the future to include any activity that could constitute a "sale" under the CCPA, we will update this Policy, provide a "Do Not Sell or Share My Personal Information" link on our website, and notify affected users before any such change takes effect.
- Right to Correct: Under CPRA Section 1798.106, you may request that we correct inaccurate personal information that we maintain about you. Upon receiving a verified request, we will use commercially reasonable efforts to correct the inaccurate information, taking into account the nature of the personal information and the purposes of processing.
- Right to Limit Use of Sensitive Personal Information: Under CPRA Section 1798.121, you have the right to limit our use of sensitive personal information to purposes necessary to provide the Service. We do not use sensitive personal information (such as precise geolocation, racial or ethnic origin, or biometric data) for purposes beyond what is strictly necessary for service delivery, and therefore no limitation request is necessary.
To exercise your CCPA rights, contact us at business@forinit.com. We will verify your identity before processing requests using a two-step verification process that may include confirming your email address and matching account information.
17. European Economic Area (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent local legislation:
- Legal Bases for Processing: The legal bases for our processing are described in Section 3 of this Policy, including contract performance (GDPR Article 6(1)(b)) for core service delivery, legitimate interests (GDPR Article 6(1)(f)) for security, analytics, and service improvement, consent (GDPR Article 6(1)(a)) for marketing communications and optional features, and legal obligation (GDPR Article 6(1)(c)) for tax and regulatory compliance. Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms, taking into account the nature of the data, the purpose of processing, and the safeguards in place. You may request details of our legitimate interest assessments by contacting our data protection point of contact.
- Data Subject Rights: You have the rights described in Section 8 of this Policy, including the right to access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection (Article 21). Additionally, you have the right to lodge a complaint with your local supervisory authority (such as the ICO in the UK, CNIL in France, or BfDI in Germany) if you believe our processing of your personal data violates the GDPR, without prejudice to any other administrative or judicial remedy. We encourage you to contact us first to resolve any concerns, but you are not required to do so before filing a complaint with a supervisory authority.
- International Transfers: International transfers of your personal data outside the EEA are addressed in Section 10 of this Policy. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) as the primary transfer mechanism for data transferred to the United States and other third countries that have not received an adequacy decision. Where applicable, we also rely on the EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations. We conduct Transfer Impact Assessments (TIAs) to evaluate the legal framework of recipient countries and implement supplementary measures where necessary to ensure an essentially equivalent level of protection.
- Data Retention: Our data retention practices are described in Section 6 of this Policy and comply with GDPR Article 5(1)(e) on storage limitation: personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. We have implemented automated data lifecycle management to ensure that data is deleted or anonymized when retention periods expire, and we conduct periodic reviews of our retention schedules to ensure they remain proportionate and justified. You may request information about the specific retention period applicable to your data by contacting our data protection point of contact.
For GDPR-specific inquiries, data subject access requests, or complaints, contact our data protection point of contact at business@forinit.com. We will acknowledge your request within 72 hours and provide a substantive response within 30 days as required by GDPR Article 12(3).
18. Service Availability and Disclaimer
The Service is provided on an "as is" and "as available" basis without warranties of any kind, either express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, non-infringement, or course of performance.
We do not warrant that: (a) the Service will be uninterrupted, timely, secure, or error-free; (b) the results obtained from the Service will be accurate, reliable, or complete; (c) any errors in the Service will be corrected; or (d) the Service will meet your specific requirements or expectations.
You acknowledge that AI-powered code analysis is inherently probabilistic and may produce false positives, false negatives, or inaccurate recommendations. The Service is intended as a supplementary tool to assist in code review and does not replace human judgment, professional security auditing, or comprehensive testing.
19. Governing Law and Dispute Resolution
This Privacy Policy shall be governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000 (Section 43A, Section 69, Section 72A), the Digital Personal Data Protection Act, 2023 (all applicable sections), and the Indian Contract Act, 1872, without regard to conflict of law provisions.
Any disputes arising from or relating to this Privacy Policy or the Service shall be subject to the exclusive jurisdiction of the courts in India. You agree to waive any right to participate in class action lawsuits or class-wide arbitration against CodePeel or Forinit Tech Private Limited, except where prohibited by law.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the Date: Update the "Last updated" date at the top of this page to reflect the date of the most recent revision, ensuring that you can always determine when the Policy was last modified. The effective date indicates when the revised terms take effect, which may be the same as the update date or a future date to provide a notice period. We maintain an archive of previous versions of this Policy that can be requested by contacting business@forinit.com, allowing you to compare changes between versions.
- Notify Users: Make reasonable efforts to notify you via email to the address associated with your account or through a prominent notice within the Service interface (such as a banner, modal dialog, or dashboard notification). For material changes that significantly affect your rights or our data processing practices, we will provide at least 14 days advance notice before the changes take effect, giving you time to review the changes and decide whether to continue using the Service. Under DPDPA Section 6(1), we will ensure that any changes to the purposes of processing are communicated clearly and that fresh consent is obtained where the original consent does not cover the new purpose.
- Summarize Changes: Provide a summary of material changes where practicable, highlighting the key differences between the previous and updated versions of the Policy in plain language that is accessible to non-legal professionals. This summary will be included in the notification email and/or displayed within the Service interface, and will identify which sections have been modified, added, or removed. For changes required by new legislation (such as updates to comply with new data protection laws), we will reference the specific legal requirement driving the change to provide context for the modification.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you must stop using the Service and may request deletion of your account.
21. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us through the following channels:
- Email: business@forinit.com. This is our primary contact channel for all privacy-related inquiries, data subject access requests, consent withdrawal notifications, and general questions about our data practices. Emails are monitored during business hours (Monday through Friday, 9:00 AM to 6:00 PM IST), and we aim to acknowledge receipt within 48 hours. For urgent security concerns (such as suspected data breaches or compromised accounts), please include "URGENT: Security" in the subject line for prioritized handling.
- Support: codepeel.com/contact. Our web-based contact form provides a structured way to submit inquiries, feedback, bug reports, and feature requests. The contact form routes messages to the appropriate team based on the category you select, ensuring faster response times for specialized inquiries. Support requests submitted through this channel are tracked in our support system, and you will receive a confirmation email with a reference number for follow-up purposes.
- Data Deletion Requests: business@forinit.com with subject line "Data Deletion Request". To request complete deletion of your personal data and account, send an email with this specific subject line from the email address associated with your CodePeel account. We will verify your identity by confirming account details, process the deletion within 30 days as required by GDPR Article 17 and DPDPA Section 12(3), and send a confirmation email once deletion is complete. Please note that account deletion is irreversible: once processed, your review history, learned rules, configuration, and all associated data will be permanently removed and cannot be recovered.
We aim to respond to all privacy-related inquiries within 30 days of receipt. Complex requests may require additional time, in which case we will notify you of the expected timeline.
22. Open Source and Community Contributions
Certain components of the Service may interact with open source repositories or community-contributed code. When you use the Service on public repositories:
- Public Visibility of Reviews: Review comments posted by CodePeel on public pull requests are visible to anyone who can view the repository, including the general public, search engine crawlers, and archival services. This means that the content of review findings (identified issues, severity classifications, explanations, and suggested fixes) becomes part of the publicly accessible record of the pull request and may be indexed by search engines, archived by third-party services (such as the Internet Archive), or referenced by other users. You should consider this public visibility when deciding whether to enable automated reviews on public repositories, particularly if review comments might reveal sensitive architectural details or security vulnerability information before patches are applied.
- Public Record: The content of review comments (findings, suggestions, explanations, code snippets in suggested fixes) becomes part of the permanent public record of the pull request on GitHub and is subject to GitHub's own data retention and privacy policies. Once posted, review comments are stored on GitHub's infrastructure and are subject to GitHub's Terms of Service; we cannot unilaterally delete comments from GitHub after they have been posted, though you can delete them through GitHub's interface if you have appropriate repository permissions. Review comments on public repositories may be forked, quoted, or referenced by third parties, and we cannot control the downstream use of publicly posted content.
- Shared Repository Visibility: Other users who have access to the same repository (collaborators, organization members, or the public for public repositories) may see CodePeel's review activity, including the timing of reviews, the number of findings, severity distributions, and the content of posted comments. For private repositories, review activity is visible only to users with read access to the repository as determined by GitHub's permission model. Organization administrators may have visibility into CodePeel's activity across all repositories in their organization through GitHub's audit log and third-party app activity features.
- No Ownership Claim: We do not claim ownership over review comments, findings, suggestions, or any other content posted on your repositories by the CodePeel GitHub App. All review content posted to your repositories is provided under a non-exclusive, royalty-free, perpetual license for you to use, modify, reproduce, and distribute as you see fit. You may delete, edit, or hide review comments at any time through GitHub's interface without any obligation to us. We retain the right to reference aggregated, anonymized statistics about review activity (such as total reviews performed, average findings per review) for marketing and product improvement purposes, but will never publicly identify specific repositories, users, or code without explicit consent.
You are responsible for ensuring that the use of automated code review tools complies with any contribution guidelines, codes of conduct, or policies applicable to the repositories you manage.
23. Intellectual Property
The Service, including its algorithms, user interface, documentation, branding, and proprietary technology, is the intellectual property of Forinit Tech Private Limited. Nothing in this Privacy Policy grants you any rights to our intellectual property except the limited license to use the Service as described in our Terms of Service.
You retain all intellectual property rights in your code, repositories, and content submitted to the Service. We do not claim ownership over your code or the content of your pull requests. The review findings, suggestions, and generated fixes produced by the Service are provided to you under a non-exclusive, royalty-free license to use, modify, and incorporate into your codebase.
The AI-generated review content (findings, explanations, code suggestions) is provided without warranty of originality. You are responsible for ensuring that any generated code you incorporate into your projects does not infringe third-party intellectual property rights.
24. Account Termination and Data Handling
We reserve the right to suspend or terminate your account at any time, with or without notice, for any reason, including but not limited to:
- Terms of Service Violations: Violation of our Terms of Service or this Privacy Policy, including but not limited to misrepresentation of identity, unauthorized sharing of account credentials, use of the Service for competitive intelligence gathering, or any conduct that we reasonably determine to be harmful to the Service, its users, or its reputation. Violations are assessed on a case-by-case basis, and we may issue warnings, temporary suspensions, or permanent terminations depending on the severity and frequency of the violation. Under the Indian Contract Act, 1872, Section 39, material breach of the terms governing your use of the Service entitles us to terminate the agreement without further obligation.
- Abuse of the Service: Abuse of the Service, including excessive automated requests designed to overwhelm our infrastructure (denial-of-service patterns), circumvention of rate limits through multiple accounts or IP rotation, exploitation of vulnerabilities or bugs for unauthorized access or data extraction, reverse engineering of our AI prompts or review logic, or any other activity that degrades service quality for other users. We monitor for abuse patterns using automated detection systems and manual review, and accounts identified as abusive may be suspended immediately without prior notice to protect the Service and its users. Rate limits are enforced per plan tier (3/hour for Free, 6/hour for Pro, 12/hour for Max) and circumvention constitutes a material breach of our Terms of Service.
- Non-Payment: Non-payment of subscription fees after the applicable grace period (typically 7 days after a failed payment attempt), including repeated payment failures, disputed charges, or chargebacks filed without legitimate basis. We will make reasonable efforts to notify you of payment failures via email and provide an opportunity to update your payment method before suspension. Upon suspension for non-payment, your account will be downgraded to Free tier functionality (limited to 30 reviews/month) rather than immediately terminated, giving you time to resolve the payment issue. If payment is not resolved within 30 days of suspension, we reserve the right to terminate the account entirely.
- Illegal Use: Use of the Service for illegal purposes, to process prohibited content (such as malware, exploit code intended for malicious use, or content that violates applicable laws), or to facilitate activities that violate applicable laws or regulations in any jurisdiction. This includes using the Service to analyze stolen code, process code obtained through unauthorized access to third-party systems, or review code that is subject to legal restrictions on sharing with third parties (such as classified information or export-controlled technology). We may report suspected illegal activity to appropriate law enforcement authorities as required or permitted by applicable law, including under the Information Technology Act, 2000, Section 79(3)(b).
- Dormant Accounts: Inactivity for a period exceeding 24 months (dormant accounts), defined as no login, no API activity, no webhook events processed, and no billing activity during the 24-month period. Before terminating a dormant account, we will send at least two notification emails to the email address on file (at 30 days and 7 days before scheduled termination) providing an opportunity to reactivate the account by simply logging in. If the account remains inactive after the notification period, it will be terminated and data will be handled in accordance with Section 6 (Data Retention). This policy helps us maintain data hygiene, reduce security risk from abandoned accounts, and comply with the storage limitation principle under GDPR Article 5(1)(e) and DPDPA Section 4(2).
Upon termination, your access to the Service will be immediately revoked. We will retain your data in accordance with Section 6 (Data Retention). You may request export of your data prior to termination by contacting business@forinit.com.
If you wish to delete your account voluntarily, you may do so through the Settings page in the dashboard or by contacting us. Account deletion is irreversible and results in permanent removal of your review history, learned rules, and configuration data within 30 days.
25. Automated Decision-Making
The Service uses automated processing, including artificial intelligence and machine learning, to analyze code and generate review findings. These automated processes:
- Severity Classification: Determine the severity classification of findings (Critical, Major, Minor, Trivial) based on the AI model's assessment of potential impact, exploitability, and deviation from best practices. Severity classifications are generated by the AI language model based on contextual analysis of the code pattern, the type of issue identified (security vulnerability, logic error, performance issue, style violation), and the potential consequences if the issue reaches production. These classifications are advisory and may not accurately reflect the actual severity in your specific application context: a finding classified as "Minor" by the AI could be critical in your specific deployment environment, and vice versa. Under GDPR Article 22, these automated classifications do not constitute decisions that produce legal effects or similarly significantly affect you, as they are purely advisory and do not restrict your ability to merge code or use the Service.
- Code Suggestions: Generate code suggestions and fix recommendations based on the identified issues, including replacement code snippets, refactoring proposals, and alternative implementation approaches. These suggestions are generated by AI language models through pattern completion and may not account for your full application context, dependencies, runtime environment, or business requirements. Generated code should be treated as a starting point for human review rather than production-ready output, and may require modification to fit your specific coding standards, error handling patterns, or architectural constraints. You are solely responsible for testing and validating any generated code before incorporating it into your codebase.
- Health Scores: Calculate health scores (0-100) and review effort ratings based on the number, severity, and distribution of findings identified in a pull request. Health scores are computed using a weighted formula that considers the count of findings at each severity level, the ratio of findings to lines changed, and the diversity of issue categories detected. These scores provide a quick visual indicator of overall code quality but should not be interpreted as a definitive quality metric: a low health score does not necessarily indicate poor code quality (it may reflect the AI's limitations), and a high health score does not guarantee the absence of issues. Health scores are not used to make any decisions about your account access, billing, or service availability.
- Chat Intent Detection: Detect intent in @codepeel chat messages to determine whether a message is a question (requiring an informational response), a teaching instruction (requiring storage of a new learned rule), an acknowledgment (requiring no action), or a review request (requiring code analysis). Intent detection uses natural language processing to classify your messages and route them to the appropriate handling logic within the Service. If the system misclassifies your intent, you can clarify by rephrasing your message or using explicit commands (such as "learn:" prefix for teaching). Intent classification does not affect your account status, billing, or access to features, and misclassifications have no adverse consequences beyond a potentially unhelpful response.
- Learned Preference Storage: Determine whether to save learned preferences from conversations based on the detected intent and content of your @codepeel chat interactions. When the system detects a teaching intent (e.g., "always use camelCase for variable names" or "never use var in TypeScript files"), it extracts the rule, confirms understanding, and stores it in your knowledge base for application in future reviews. The decision to store a preference is based on explicit teaching signals in your message and requires confirmation before persistence; the system will not silently learn from casual conversation or questions. You can review, edit, and delete all learned preferences at any time through the dashboard, maintaining full control over what the system has learned about your coding standards.
These automated decisions do not have legal or similarly significant effects on you. They are advisory in nature and do not restrict your ability to merge code, access repositories, or use the Service. You are free to disregard, override, or dismiss any automated finding or recommendation.
Automated decisions regarding account access (such as quota enforcement, rate limiting, and subscription status) are based on objective criteria (usage counts, payment status, time windows) and can be reviewed by contacting support.
26. Notification Preferences
The Service may send you the following types of communications:
- Transactional Emails: Review completion notifications, billing confirmations, payment receipts, subscription change confirmations, security alerts (such as a new login from an unrecognized device or API token usage from a new IP), password reset emails, and account-related notices essential for Service operation. These communications are sent via Brevo from notifications@codepeel.com and cannot be opted out of while your account is active, as they are necessary for the performance of our contract with you under GDPR Article 6(1)(b) and constitute service messages rather than marketing under the CAN-SPAM Act. Transactional emails are sent in real time or near real time when the triggering event occurs, and failure to receive them may indicate an email delivery issue that should be reported to support.
- Marketing Emails: Product updates, new feature announcements, tips and best practices for getting more value from the Service, promotional offers (such as upgrade discounts or referral programs), case studies, and newsletter content about code quality and AI-assisted development. You may opt out of marketing communications at any time via the one-click unsubscribe link included in every marketing email (as required by CAN-SPAM Act Section 7704(a)(3) and GDPR Article 7(3)), through the notification preferences in your dashboard Settings page, or by contacting us at business@forinit.com. We will process unsubscribe requests within 10 business days as required by the CAN-SPAM Act, and we will not send marketing emails to users who have not provided consent or who have opted out.
- GitHub Notifications: Review comments, walkthrough summaries, @codepeel chat replies, and status check results posted on your pull requests through the GitHub API. These notifications are delivered through GitHub's own notification system (email, web, and mobile notifications) and are controlled by your GitHub notification settings, not by CodePeel's notification preferences. To reduce or stop GitHub notifications from CodePeel, you can adjust your GitHub notification settings for the specific repository, mute the CodePeel bot, or uninstall the GitHub App entirely. We do not have direct control over GitHub's notification delivery mechanisms, timing, or format.
- In-App Notifications: Dashboard alerts for quota warnings (approaching monthly review limit), subscription status changes (payment failures, plan downgrades, trial expiration), system announcements (scheduled maintenance, new features, policy changes), and security notices (unusual account activity, token expiration reminders). In-app notifications are displayed within the CodePeel dashboard interface and do not generate external communications (email or push) unless you have separately enabled those channels for the specific notification type. You can dismiss individual notifications, and dismissed notifications will not reappear. In-app notification preferences can be configured through the Settings page in your dashboard.
To manage your notification preferences, visit the Settings page in your dashboard or contact us at business@forinit.com.
27. API and Programmatic Access
The Service provides programmatic access through API tokens, the MCP Server, the VS Code Extension, and the CLI. When using programmatic access:
- Token Authentication: API tokens authenticate requests on your behalf and grant the same level of access as your authenticated web session, including the ability to trigger reviews, access review history, and modify account settings. You are solely responsible for the security of your tokens, including storing them in secure credential managers (not in source code, environment variables in public CI/CD logs, or unencrypted configuration files), rotating them periodically, and restricting access to systems and personnel that require it. All activity performed using your API token is attributed to your account and counts against your plan quota, regardless of who or what system initiated the request. Under the Information Technology Act, 2000, Section 43, unauthorized use of computer resources (including API tokens) is a punishable offense, and you should report suspected token compromise immediately.
- Token Compromise: Compromised tokens should be revoked immediately through the Settings page in your dashboard, which invalidates the token across all systems within seconds. We are not liable for unauthorized access, data exposure, quota consumption, or any other consequences resulting from token compromise due to your failure to maintain adequate token security, including but not limited to accidental publication in public repositories, exposure in CI/CD logs, or theft through compromised development machines. Upon revoking a compromised token, we recommend reviewing your recent review history for any unauthorized activity, generating a new token with appropriate security measures, and auditing your systems to identify and remediate the source of the compromise. If you believe a compromised token was used to access sensitive data, contact us immediately at business@forinit.com for assistance with incident investigation.
- Rate Limits and Quotas: API usage is subject to the same rate limits (3/hour Free, 6/hour Pro, 12/hour Max), monthly review quotas (30 Free, 500 Pro, unlimited Max), and terms of service as web-based usage; there is no distinction between reviews triggered via the GitHub webhook, VS Code Extension, MCP Server, CLI, or direct API calls. Rate limits are enforced per account (not per token or per IP), and exceeding rate limits will result in HTTP 429 (Too Many Requests) responses with a Retry-After header indicating when the next request will be accepted. Persistent or deliberate circumvention of rate limits (through multiple accounts, distributed requests, or exploitation of timing windows) constitutes abuse and may result in account suspension as described in Section 24.
- API Request Logging: We log API request metadata including timestamps, endpoint paths, HTTP methods, response status codes, response times, source IP addresses, and user agent strings for security monitoring, abuse prevention, performance optimization, and debugging purposes. API request logs are retained for 30 days in accordance with our server log retention policy described in Section 6, and are used to detect anomalous patterns (such as sudden spikes in request volume, requests from unusual geographic locations, or repeated authentication failures) that may indicate security incidents or abuse. We do not log the full request or response bodies of API calls, only metadata necessary for operational and security purposes. This logging complies with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Identical Processing: Code submitted through APIs (VS Code Extension, MCP Server, CLI, or direct HTTP requests) is processed identically to code submitted through the GitHub webhook: the same AI providers, the same processing pipeline, the same zero-retention policy for code diffs, and the same security measures apply regardless of the submission channel. Review findings generated through API submissions are stored in the same manner as webhook-triggered reviews and appear in your dashboard review history. The only difference is the delivery mechanism for results: webhook-triggered reviews post comments directly to GitHub pull requests, while API-triggered reviews return results in the API response or through the IDE interface. All data processing, retention, and security policies described in this Privacy Policy apply equally to all access channels.
Third-party applications that integrate with CodePeel through the MCP protocol or API are not operated by us. We are not responsible for how third-party applications handle data after receiving it from the Service.
28. Business Continuity
In the event that CodePeel or Forinit Tech Private Limited ceases operations:
- Advance Notice: We will make reasonable efforts to provide at least 30 days advance notice to all active users (users with an active account who have logged in within the past 12 months) via email to the address associated with their account and through a prominent notice on the Service interface. This notice will include the planned date of service termination, instructions for exporting your data, information about what will happen to your data after termination, and details about any refunds for prepaid subscription periods. We recognize that sudden service termination could disrupt your development workflows, and we commit to providing as much advance notice as circumstances permit, with 30 days being the minimum in planned shutdown scenarios.
- Data Export: Users will be given the opportunity to export their data (review history, learned rules, configuration settings, billing records, and account information) in a machine-readable format (JSON) before service termination. We will provide a self-service data export tool accessible through the dashboard, and will also process manual export requests submitted via email for users who encounter difficulties with the self-service tool. The export will include all data categories described in Section 6 that are associated with your account, formatted in a structured manner that can be imported into alternative services. We will maintain the export functionality for the full duration of the notice period and for at least 7 days after the announced termination date.
- Data Deletion: All personal data will be deleted or irreversibly anonymized within 90 days of service termination, except where retention is required by law (such as billing records required by Indian tax law for 7 years as described in Section 6). The deletion process will include removal of all account records from Firestore, purging of server logs, deletion of backup data, and revocation of all API tokens and OAuth grants. We will provide written confirmation to users who request it that their data has been deleted in accordance with this commitment. This timeline complies with GDPR Article 17 and with DPDPA Section 8(7), which requires a Data Fiduciary to erase personal data once the specified purpose of processing is no longer being served, unless retention is necessary for compliance with applicable law.
- Subscription Handling: In the event of a complete service shutdown, we will make reasonable efforts to provide partial credits or refunds to users with active paid subscriptions, at our sole discretion and subject to the financial circumstances of the shutdown. Any such credits or refunds will be determined on a case-by-case basis and may be prorated based on the remaining unused portion of the billing period. We are not obligated to provide full refunds, and the availability and amount of any refund will depend on the circumstances of the termination. No cancellation fees or early termination penalties will be charged in the event of a service shutdown initiated by us.
We maintain regular backups of Service data for disaster recovery purposes. Backup data is encrypted using AES-256 and subject to the same retention policies as primary data.
29. Compliance with Indian Data Protection Laws
As a company incorporated in India, we comply with applicable Indian data protection legislation, including:
- Information Technology Act, 2000: We implement reasonable security practices and procedures as required under Section 43A of the IT Act, which mandates that any body corporate possessing, dealing, or handling sensitive personal data or information shall implement and maintain reasonable security practices and procedures. Our security measures (described in Section 7) comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which specify that a body corporate is considered to have complied with reasonable security practices if it has implemented a documented information security programme and policies, such as the IS/ISO/IEC 27001 standard or an industry code of best practices approved and notified by the Central Government. We also comply with Section 72A regarding punishment for disclosure of information in breach of lawful contract, ensuring that all employees and contractors with access to user data are bound by confidentiality obligations and non-disclosure agreements.
- Digital Personal Data Protection Act, 2023 (DPDPA): We process personal data in accordance with the principles prescribed under the DPDPA, including: lawful purpose (Section 4, processing only for purposes that are not expressly forbidden by law, and only with consent or for a legitimate use under Section 7), purpose limitation (Section 6(1), processing only for the specified purpose for which consent was given), data minimization (Section 6(1), collecting only the personal data that is necessary for the specified purpose), accuracy (Section 8(3), ensuring personal data is complete, accurate, and consistent where it is used to make a decision affecting you or is disclosed to another Data Fiduciary), storage limitation (Section 8(7), erasing personal data once consent is withdrawn or the specified purpose is no longer being served, unless retention is required by law), and accountability (Section 8(1) and 8(4), being responsible for compliance and implementing appropriate technical and organizational measures to ensure it). As a Data Fiduciary under the DPDPA, we acknowledge our obligations regarding notice (Section 5), consent (Section 6), reasonable security safeguards (Section 8(5)), and personal data breach notification to the Data Protection Board of India and affected Data Principals (Section 8(6)).
Under the DPDPA, you have the right to:
- Right to Access: Access information about the personal data being processed and the processing activities, including a summary of your personal data held by us, the purposes for which it is being processed, and the categories of third parties with whom it has been shared. Under DPDPA Section 11, this right enables you to understand the full scope of data processing activities affecting your personal data, verify the accuracy of information held about you, and exercise informed control over your data. We will provide this information in a clear, concise, and easily understandable format within 30 days of receiving a verified request, and will not charge a fee for the first request in any 12-month period.
- Right to Correction: Correct inaccurate or misleading personal data held about you, including updating outdated information, completing incomplete records, and rectifying errors in your account profile or associated metadata. Under DPDPA Section 12(1), you have the right to have inaccurate personal data corrected without undue delay, and we will process correction requests within 15 days of receipt. Where corrected data has been shared with third parties (such as payment processors or infrastructure providers), we will take reasonable steps to inform those parties of the correction to ensure consistency across all systems processing your data.
- Right to Erasure: Erase personal data that is no longer necessary for the purpose for which it was collected, where you have withdrawn consent, or where the specified purpose has been fulfilled. Under DPDPA Section 12(3), this right enables you to request permanent deletion of your personal data from our systems, subject to exceptions for legal compliance (such as tax record retention under the Income Tax Act, 1961) and legitimate business purposes (such as defense of legal claims). We will process erasure requests within 30 days and provide written confirmation of deletion, specifying any data categories that must be retained under legal obligation and the applicable retention period.
- Right to Nominate: Nominate another individual to exercise your rights under the DPDPA in the event of your death or incapacity, ensuring continuity of data protection rights beyond your personal ability to exercise them. Under DPDPA Section 14, you may designate a nominee who will have the authority to exercise your rights (including access, correction, and erasure) on your behalf in the event that you are unable to do so. To register a nominee, contact us at business@forinit.com with the nominee's name, contact information, and your relationship to them, along with appropriate identification documentation. We will verify the nomination and maintain it on file, activating the nominee's authority only upon receiving satisfactory evidence of the triggering event (death or incapacity).
- Right to Grievance Redressal: Grievance redressal through our designated contact point for any concerns, complaints, or disputes regarding our processing of your personal data. Under DPDPA Section 13, every Data Fiduciary must establish an effective mechanism for grievance redressal, and we fulfill this obligation through our designated Grievance Officer accessible at business@forinit.com. We will acknowledge your grievance within 48 hours of receipt, assign a reference number for tracking, and provide a substantive response or resolution within 30 days. If you are not satisfied with our response, you have the right to file a complaint with the Data Protection Board of India established under DPDPA Section 18, which has the authority to investigate complaints, issue directions, and impose penalties for non-compliance.
For grievances related to data processing under Indian law, contact our Grievance Officer at business@forinit.com. We will acknowledge your grievance within 48 hours and resolve it within 30 days.
30. Severability and Entire Agreement
If any provision of this Privacy Policy is found to be unenforceable or invalid by a court of competent jurisdiction, that provision shall be limited or eliminated to the minimum extent necessary so that this Privacy Policy shall otherwise remain in full force and effect.
This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and CodePeel regarding the collection and use of your personal information in connection with the Service. It supersedes all prior agreements, representations, and understandings regarding the same subject matter.
By using CodePeel, you acknowledge that you have read and understood this Privacy Policy in its entirety and agree to be bound by its terms. If you have questions about any provision, please contact us at business@forinit.com before using the Service.