Privacy Policy
Effective: 2026-05-17 · GDPR Art. 13/14 · UK GDPR · CCPA · LGPD
1. Controller
Regunav Inc., a Delaware corporation. Data Protection Officer: dpo@codeconstitution.com.
2. What we collect, why, and lawful basis
| Category | Purpose | Lawful basis |
|---|---|---|
| Account identifiers (GitHub login, email) | Authentication, notification | Contract performance (Art. 6(1)(b)) |
| Repository metadata (org/repo names, SHAs) | Run scoping, dashboard rendering | Contract performance |
| File contents (during check execution) | Engine evaluation; not persisted | Contract performance |
| Findings / evidence packs | Dashboard, audit trail, regulatory evidence | Contract + legitimate interests (Art. 6(1)(f)) |
| Audit-trail events (WORM) | Security, compliance, dispute resolution | Legal obligation + legitimate interests |
| Operational telemetry (latency, errors) | Service health, capacity planning | Legitimate interests |
3. What we do NOT collect
- Cloud-provider tokens (HuggingFace, Cloudflare, AWS, GCP, Azure). Your tokens stay in your GitHub Secrets; the log-mirror reusable runs in your runner.
- Repository source code outside the check execution context. We fetch file contents per PR, evaluate, return findings, and discard from memory.
- Long-lived shared secrets. Service-to- service authentication is OIDC-only (5-min tokens verified against GitHub JWKS).
4. Sub-processors
We use a small set of sub-processors to operate the Service. Current list at trust.codeconstitution.com. Material changes are announced 30 days in advance via email to the registered account contact, with an objection window.
5. Retention
- Account data: while your account is active + 30 days
- Findings / evidence packs: per the SKU tier (Free 30 days; Team 1 year; Enterprise 7 years)
- Audit-trail (WORM): minimum 3 years, retained per IFSB / Basel / SOC 2 / ISO 27001 floor
6. Your rights (GDPR / UK GDPR / CCPA / LGPD)
You have the right to access, correct, delete, restrict processing, port, object to processing, and withdraw consent (where applicable). Requests: privacy@codeconstitution.com. We respond within 30 days (GDPR Art. 12(3)).
7. International transfers
Production infrastructure runs in EU (Cloudflare) and US (R2 / S3). Cross-border transfers from the EU are covered by the European Commission's Standard Contractual Clauses (Art. 46(2)(c)).
8. Security
TLS 1.3 in transit. AES-256 at rest. WORM audit chain with per-row cryptographic linking. Continuous monitoring; incident notification within 72 hours of discovery (GDPR Art. 33). SOC 2 Type II audit in progress (target Q4 2026); ISO 27001 controls mapped.
9. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have, contact privacy@codeconstitution.com.
10. Cookies
We use strictly-necessary first-party cookies for session management. No third-party advertising cookies. Cookie inventory at trust.codeconstitution.com.
11. Changes
Material changes are announced via email + the Trust Center change-log, 30 days in advance. Continued use after the effective date constitutes acceptance.
12. Contact + complaints
privacy@codeconstitution.com. You may also lodge a complaint with your supervisory authority (e.g., Irish DPC for EU/EEA users, ICO for UK).