Legal
Privacy Policy
Last updated · April 19, 2026
1. Information We Collect
1.1 Account Information
When you sign in with GitHub, we receive your GitHub user ID, username, avatar URL, and verified primary email address. If you connect GitHub for repository import, we store the resulting GitHub user token encrypted at rest so we can list the GitHub App installations available to your account.
1.2 Repository Data
We access pull request diffs and file contents through the GitHub API using your organization's GitHub App installation. Source code is processed in memory during analysis and is not permanently stored. We retain:
- Pull request metadata (title, author, PR number, SHA hashes)
- Analysis findings (rule violations, severity, file paths, line numbers)
- Trust scores and grades
- Code snippets referenced in findings (limited to 200 characters)
1.3 Usage Data
We collect anonymized usage analytics (page views, feature usage) to improve the Service. We use PostHog for analytics, which is configured to respect Do Not Track headers.
2. How We Use Your Information
- To provide and improve the code analysis service
- To compute trust scores and generate analysis reports
- To send notifications about analysis results (via GitHub)
- To enforce plan limits and manage billing
- To detect and prevent abuse of the Service
3. Data Retention
We retain different categories of data for different periods, following the principle of storage limitation (Art. 5(1)(e) GDPR):
- Analysis findings and PR metadata: retained for the lifetime of your account, so historical trust scores and trends remain visible to your team.
- AI call logs (AI Review, Cross-Check, Deep Audit prompts and responses): retained for 90 days, then automatically purged.
- Audit logs (logins, permission changes, admin actions): retained for 12 months.
- Session cookies and short-lived job queues: retained for at most 7 days.
- Stripe billing records: retained as required by tax law in the relevant jurisdiction (typically 7 years).
When an organization uninstalls the GitHub App, we soft-delete all associated operational data immediately and permanently purge it 30 days after uninstallation.
3.1 Sub-processors
We publish the current sub-processor list, DPA links, data categories, regions, and change-notice subscription at /subprocessors. Each provider is bound by a Data Processing Agreement with equivalent security and confidentiality obligations.
That page is the canonical sub-processor record for provider names, purposes, data categories, processing regions, DPA links, and change-notice subscriptions.
5. Security
We use industry-standard security measures including encrypted connections (TLS), stateless JWT authentication, PostgreSQL Row-Level Security, and secrets managed through environment variables. GitHub App private keys are never stored as files.
6. Your Rights
Regardless of jurisdiction, you have the right to:
- Access your data via the Veriva dashboard and API
- Request deletion of your data by uninstalling the GitHub App, or via Settings → General → Delete organization (30-day grace window)
- Export your findings data via the SARIF format, or download a complete JSON bundle of every PR, finding, audit entry, policy, hook, and agent via Settings → General → Data → Export
- Opt out of analytics by enabling Do Not Track in your browser
6.1 Rights under GDPR (EU / EEA / UK residents)
If you reside in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) grants you additional rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: request deletion of your data (“right to be forgotten”).
- Right to restrict processing: ask us to limit how we use your data.
- Right to data portability: receive your data in a portable format (JSON / SARIF).
- Right to object: object to processing based on legitimate interests.
- Right to lodge a complaint with your local data-protection authority.
We act as a data processor for the pull-request content we analyze on your organization's behalf; your organization is the data controller. The legal basis for processing personal account metadata (your email, name, org membership) is contractual necessity (Art. 6(1)(b) GDPR). The legal basis for processing repository code is the legitimate interest (Art. 6(1)(f) GDPR) of improving code quality and security posture. To exercise any of these rights, email privacy@veriva.dev — we respond within 30 days.
6.2 Rights under CCPA / CPRA (California residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
- Right to know what categories of personal information we collect, the sources, the purposes, and who we share it with.
- Right to delete personal information we have collected, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information — Veriva does not sell or share personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for any purpose beyond providing the Service.
- Right to non-discrimination for exercising any CCPA right.
To exercise these rights, email privacy@veriva.dev from the email address associated with your account, or submit a request through your organization administrator. We will verify your identity before processing requests. You may also authorize an agent to submit a request on your behalf.
Categories of personal information collected in the last 12 months: identifiers (GitHub user ID, email), internet activity (dashboard usage analytics), and professional information (organization membership, role). We do not collect sensitive personal information as defined by CPRA.
6.3 International Data Transfers
Veriva's infrastructure is primarily hosted in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland and use the Service, your personal data will be transferred to and processed in the United States.
For such transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor) and the UK's International Data Transfer Addendum (IDTA) where applicable. Where our sub-processors participate in the EU-US Data Privacy Framework, that certification provides an additional basis for transfers. Details on request via privacy@veriva.dev.
7. Children's Privacy
The Service is intended for software developers and organizations, not for children. We do not knowingly collect personal data from anyone under 16 (or the equivalent minimum age in your jurisdiction). If you believe a minor has created an account, please contact us at privacy@veriva.dev and we will delete the account.
9. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via the Service dashboard. For sub-processor changes, you can also subscribe to dedicated change notices at /subprocessors.
10. Contact
For privacy inquiries, contact us at privacy@veriva.dev.