Privacy Policy

Effective date: July 7, 2026

CIAONEX ("the Company") values the privacy of Commitude ("the Service") users and processes personal data as described below, in compliance with South Korea's Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

1. Personal data we collect

When you sign in via GitHub OAuth, the Service collects the following information.

  • Your GitHub user ID, login name, email address, and profile image
  • Your GitHub access token (stored encrypted)
  • Information about the GitHub repositories you register (repository name, commit history, etc.)
  • Work timeline data collected via the Claude Code/Codex hook integration (work summaries, lists of changed files, AI tool cost and token usage, etc.)
  • A customer/subscription identifier issued by our payment processor (Polar) when you subscribe — we never store your card number or other payment credentials ourselves.
  • Visit statistics collected via cookies by Google Analytics/Tag Manager when you visit the landing page (device/browser info, pages viewed, time on page, approximate location, etc.)
  • A random identifier cookie used for the Service's own visit statistics — an arbitrary value not linked to your IP address or other personal data, recorded together only with the page path and time visited.

2. Purpose of collection and use

Each processing activity relies on one of the following legal bases: performance of our contract with you, your consent (for opt-in features), or the Company's legitimate interests.

  • Authenticating and signing you in
  • Providing the dashboard based on your GitHub repositories' commit history
  • Generating AI commit descriptions — only if you opt in, in which case part of the commit message and code changes is sent to the Google Gemini API.
  • Processing subscription payments and managing your plan
  • Analyzing landing page traffic and improving the Service, via cookie-based data collected by Google Analytics/Tag Manager. The same tool also records a single sign-up completion event immediately after a new account is created, to measure conversion.
  • Aggregating page view counts and visitor counts across the Service — used only so the Company can understand traffic trends, and never to identify or profile individual users.

3. Retention period

Upon account deletion, we destroy the information below without delay. You can delete your account yourself from the "Delete account" option in the menu that appears when you click your profile at the bottom of the sidebar.

  • GitHub access token, email, and profile information: deleted immediately upon account deletion
  • Payment-related records: retained for 5 years as required by applicable consumer-protection and e-commerce law, then destroyed
  • GitHub user ID: retained separately, solely to prevent repeated abuse of the free trial on the same account, and is not linked to any other personal information such as email, name, or profile data.
  • Commit history, work timeline, and other service usage records: retained until the relevant project or your account is deleted
  • Raw visit statistics logs (visitor identifier, page visited, time of visit): retained for 90 days, then automatically destroyed. After destruction, only aggregated, non-identifying daily counts (views and visitor counts per page) are kept for statistical purposes.

4. Third-party disclosure and processing

The Service shares the minimum necessary personal data with, or entrusts processing to, the following third parties. See the next section for the countries these transfers go to.

  • GitHub, Inc. — login authentication and repository data lookup
  • Google LLC (Gemini API) — only if you opt in to AI commit descriptions, part of that commit's message and code changes is sent
  • Google LLC (Analytics/Tag Manager) — cookie-based usage data collection for landing page traffic analysis
  • Polar Software, Inc. — subscription payment processing

5. International transfers

Personal data is transferred to the following overseas providers the Service relies on. Each transfer is governed by our service agreement with that provider, or by international transfer safeguards such as Standard Contractual Clauses (SCCs) that provider offers. Retention periods follow Section 3. The Company has not currently appointed a separate EU representative; we will review this as the Service grows.

  • GitHub, Inc. — country: United States — data transferred: login credentials, repository access tokens — purpose: login authentication and repository data lookup
  • Google LLC — country: United States — data transferred: (if you opt in to AI commit descriptions) commit messages and partial code, (on landing page visits) cookie-based visit statistics — purpose: generating AI descriptions, analyzing traffic
  • Polar Software, Inc. — country: Sweden — data transferred: billing/subscription identifiers — purpose: subscription payment processing

6. Your rights

You may exercise the following rights over your personal data at any time. Contact us at the address below and we will respond without delay.

  • Right of access: confirm what personal data the Company holds about you
  • Right to rectification and erasure: request correction or deletion of inaccurate personal data
  • Right to restriction of processing: request that processing of your personal data be paused
  • Right to data portability: receive the personal data you provided in a structured, commonly used format, or have it transferred to another provider
  • Right to object: object to processing based on the Company's legitimate interests
  • Right to lodge a complaint with a supervisory authority — see Section 13 for contact details.

7. Minors

The Service is not directed at, and is not intended for use by, anyone under 18. If we learn that we have collected personal data from someone under 18, we will delete it without delay. If you believe someone under 18 has provided us with their personal data, please contact us at the address below.

8. Notice for California and other U.S. residents

The Company respects the rights afforded by U.S. state privacy laws such as the California Consumer Privacy Act (CCPA/CPRA). The Company does not sell your personal information to third parties for monetary or other valuable consideration.

9. Source code access and security

You don't need to worry. Commitude only looks up the minimum information needed to render the dashboard, and never permanently stores the full contents of your source files on our servers. Using your GitHub permissions at login, it only looks up commit info, changed files (diffs), and — for the Schema feature — the schema files needed to build it (db/schema.rb, Prisma Schema, etc.). The raw commit/diff data it looks up is kept only briefly, anywhere from 1 to 30 minutes, as a display cache, and is then automatically deleted. The default login grants the minimum access level, which can only reach public repositories. To connect a private repository, Commitude can only access it once you explicitly approve that additional permission yourself. The Schema diagram (table/column structure), Hotspots (frequently changed file paths), and the evidence behind your Confidence Score (file paths behind flagged risk signals) are the exception — these are kept per-project so those features keep working, and are deleted when the project or your account is deleted. Even then, only structural information (names, paths, counts) is stored — never the full contents of your source files. The AI Commit Description and session summary features are opt-in exceptions. They're disabled by default, and only once you turn them on yourself do they send the commit message or work log and part of the changed code (up to 6,000 characters) to Google's Gemini API to generate the AI description. Commitude never uses your source code to train AI models.

10. Security measures

  • Your GitHub access token is stored encrypted in our database.
  • HTTPS (SSL) is used for all communication.
  • Access to personal data is restricted to the minimum needed to operate the Service.

11. Cookies and tracking technologies

The Service uses cookies to analyze visit statistics. Most browsers let you refuse or delete cookies through their settings. Blocking cookies that are strictly necessary for the Service to function (such as those that keep you signed in) may limit your ability to use the Service.

12. Data breach response

If a personal data breach occurs, the Company will notify the relevant authorities and affected users without undue delay, within the timeframes required by applicable law, and take appropriate remedial action.

13. Privacy contact and supervisory authorities

For any privacy-related questions, please contact us below. Name: Kevin Kang / Title: Representative / Email: kevin@ciaonex.com You may also file a privacy-related inquiry or complaint with a supervisory authority. South Korea: Personal Information Protection Commission (privacy.go.kr, 182 toll-free within Korea) Other countries: the data protection authority in your country of residence

14. Changes to this policy

This policy may be revised to reflect changes in law or our service. We will announce any material changes within the Service or by email.