Privacy Policy
Effective: 2026-05-17 · GDPR Art. 13/14 · UK GDPR · CCPA · LGPD
1. Controller
Regunav Inc., a Delaware corporation. Data Protection Officer: [email protected].
2. What we collect, why, and lawful basis
| Category | Purpose | Lawful basis |
|---|---|---|
| Account identifiers (GitHub login, email) | Authentication, notification | Contract performance (Art. 6(1)(b)) |
| Repository metadata (org/repo names, SHAs) | Run scoping, dashboard rendering | Contract performance |
| File contents (during check execution) | Engine evaluation; not persisted | Contract performance |
| Findings / evidence packs | Dashboard, audit trail, regulatory evidence | Contract + legitimate interests (Art. 6(1)(f)) |
| Audit-trail events (WORM) | Security, compliance, dispute resolution | Legal obligation + legitimate interests |
| Operational telemetry (latency, errors) | Service health, capacity planning | Legitimate interests |
3. What we do NOT collect
- Cloud-provider tokens (HuggingFace, Cloudflare, AWS, GCP, Azure). Your tokens stay in your GitHub Secrets; the log-mirror reusable runs in your runner.
- Repository source code outside the check execution context. We fetch file contents per PR, evaluate, return findings, and discard from memory.
- Long-lived shared secrets. Service-to-service authentication is OIDC-only (5-min tokens verified against GitHub JWKS).
4. Sub-processors
We use a small set of sub-processors to operate the Service. Current list at trust.codeconstitution.com. Material changes are announced 30 days in advance via email to the registered account contact, with an objection window.
5. Retention
- Account data: while your account is active + 30 days
- Findings / evidence packs: per the SKU tier (Free 30 days; Team 1 year; Enterprise 7 years)
- Audit-trail (WORM): minimum 3 years, retained per IFSB / Basel / SOC 2 / ISO 27001 floor
6. Your rights (GDPR / UK GDPR / CCPA / LGPD)
You have the right to access, correct, delete, restrict processing, port, object to processing, and withdraw consent (where applicable). Requests: [email protected]. We respond within 30 days (GDPR Art. 12(3)).
7. International transfers
Production infrastructure runs in EU (Cloudflare) and US (R2 / S3). Cross-border transfers from the EU are covered by the European Commission's Standard Contractual Clauses (Art. 46(2)(c)).
8. Security
TLS 1.3 in transit. AES-256 at rest. WORM audit chain with per-row cryptographic linking. Continuous monitoring; incident notification within 72 hours of discovery (GDPR Art. 33). SOC 2 Type II audit in progress (target Q4 2026); ISO 27001 controls mapped.
9. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have, contact [email protected].
10. Cookies
We use strictly-necessary first-party cookies for session management. No third-party advertising cookies. Cookie inventory at trust.codeconstitution.com.
11. Changes
Material changes are announced via email + the Trust Center change-log, 30 days in advance. Continued use after the effective date constitutes acceptance.
12. Contact + complaints
[email protected]. You may also lodge a complaint with your supervisory authority (e.g., Irish DPC for EU/EEA users, ICO for UK).