Privacy Policy

Effective: 2026-05-17 · GDPR Art. 13/14 · UK GDPR · CCPA · LGPD

1. Controller

Regunav Inc., a Delaware corporation. Data Protection Officer: dpo@codeconstitution.com.

2. What we collect, why, and lawful basis

CategoryPurposeLawful basis
Account identifiers (GitHub login, email)Authentication, notificationContract performance (Art. 6(1)(b))
Repository metadata (org/repo names, SHAs)Run scoping, dashboard renderingContract performance
File contents (during check execution)Engine evaluation; not persistedContract performance
Findings / evidence packsDashboard, audit trail, regulatory evidenceContract + legitimate interests (Art. 6(1)(f))
Audit-trail events (WORM)Security, compliance, dispute resolutionLegal obligation + legitimate interests
Operational telemetry (latency, errors)Service health, capacity planningLegitimate interests

3. What we do NOT collect

  • Cloud-provider tokens (HuggingFace, Cloudflare, AWS, GCP, Azure). Your tokens stay in your GitHub Secrets; the log-mirror reusable runs in your runner.
  • Repository source code outside the check execution context. We fetch file contents per PR, evaluate, return findings, and discard from memory.
  • Long-lived shared secrets. Service-to- service authentication is OIDC-only (5-min tokens verified against GitHub JWKS).

4. Sub-processors

We use a small set of sub-processors to operate the Service. Current list at trust.codeconstitution.com. Material changes are announced 30 days in advance via email to the registered account contact, with an objection window.

5. Retention

  • Account data: while your account is active + 30 days
  • Findings / evidence packs: per the SKU tier (Free 30 days; Team 1 year; Enterprise 7 years)
  • Audit-trail (WORM): minimum 3 years, retained per IFSB / Basel / SOC 2 / ISO 27001 floor

6. Your rights (GDPR / UK GDPR / CCPA / LGPD)

You have the right to access, correct, delete, restrict processing, port, object to processing, and withdraw consent (where applicable). Requests: privacy@codeconstitution.com. We respond within 30 days (GDPR Art. 12(3)).

7. International transfers

Production infrastructure runs in EU (Cloudflare) and US (R2 / S3). Cross-border transfers from the EU are covered by the European Commission's Standard Contractual Clauses (Art. 46(2)(c)).

8. Security

TLS 1.3 in transit. AES-256 at rest. WORM audit chain with per-row cryptographic linking. Continuous monitoring; incident notification within 72 hours of discovery (GDPR Art. 33). SOC 2 Type II audit in progress (target Q4 2026); ISO 27001 controls mapped.

9. Children

The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have, contact privacy@codeconstitution.com.

10. Cookies

We use strictly-necessary first-party cookies for session management. No third-party advertising cookies. Cookie inventory at trust.codeconstitution.com.

11. Changes

Material changes are announced via email + the Trust Center change-log, 30 days in advance. Continued use after the effective date constitutes acceptance.

12. Contact + complaints

privacy@codeconstitution.com. You may also lodge a complaint with your supervisory authority (e.g., Irish DPC for EU/EEA users, ICO for UK).