Privacy Policy
Last updated: 2026-05-21
CodeHalo
PRIVACY POLICY
Effective Date: May 15, 2026
1. INTRODUCTION
Welcome to CodeHalo.
This Privacy Policy explains how CodeHalo ("CodeHalo," "we," "our," or "us") collects, uses, processes, stores, discloses, and protects information when you access or use:
the CodeHalo website located at codehalo.io, our automated code security analysis platform, APIs, integrations, and related services (collectively, the "Service").
Data Controller. For the purposes of applicable data protection law, including the General Data Protection Regulation ("GDPR") and Singapore's Personal Data Protection Act ("PDPA"), CodeHalo acts as a data controller in respect of personal data collected directly from Users (such as account information, billing data, and usage data). Where CodeHalo processes personal data contained within User-submitted code or repositories on behalf of a Business User, CodeHalo may act as a data processor in respect of that data, and the Business User is the data controller responsible for ensuring the lawfulness of that submission. Business Users requiring a Data Processing Agreement ("DPA") may request one by contacting contact@codehalo.io.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. OUR CORE SECURITY AND DATA MINIMISATION APPROACH
Because CodeHalo operates as a security-focused platform, we are designed around principles of data minimisation and restricted retention.
2.1 Repository Processing
When a User connects a repository for analysis, CodeHalo accesses repository contents only for the purpose of performing a Scan and generating a Report. Repository data is processed in temporary compute environments and is not intentionally stored in persistent application databases except as described in this Privacy Policy.
2.2 No AI Model Training
CodeHalo does not use User-submitted source code, proprietary logic, or vulnerability findings to train general-purpose AI models.
2.3 Limited Retention of Operational Data
Certain limited technical artifacts, temporary logs, or diagnostic data may be transiently retained for:
debugging, security monitoring, abuse prevention, service integrity, incident investigation, and operational reliability.
Such information is retained only for the limited periods specified in Section 9 of this Policy, consistent with operational necessity and applicable law.
2.4 Metadata Retention
CodeHalo may retain metadata associated with completed Scans, including vulnerability classifications, severity levels, remediation guidance, timestamps, and reporting outputs, for the purposes of generating Reports, supporting customer access to historical results, improving Service reliability, fraud prevention, and maintaining audit trails.
CodeHalo does not retain file-level code references or content-derived metadata from User repositories for general analytics purposes beyond what is necessary for the above. Business Users who require stricter limitations on metadata retention may contact us to discuss applicable arrangements or a Data Processing Agreement.
3. INFORMATION WE COLLECT
We may collect the following categories of information.
3.1 Account and Identity Information
When Users create an account or authenticate with the Service, we may collect:
name, email address, username, organisation name, GitHub account information, OAuth authentication metadata, and account preferences.
Retention: Account data is retained for the duration of the User's account and for up to 24 months following account closure, unless a shorter period is required by applicable law or requested by the User. See Section 9 for further detail.
3.2 Repository and Scan Data
When the Service is used to perform a Scan, we may process:
source code, repository structure, dependency files, configuration files, commit metadata, vulnerability findings, and related technical outputs.
Repository contents are processed transiently and are not intentionally retained after Scan completion, subject to the limited operational exceptions described in Sections 2.3 and 9.
3.3 Billing and Transaction Information
Payments are processed through third-party payment providers such as Stripe. We do not store full payment card numbers on our servers.
We may receive and retain limited billing-related information, including:
billing contact information, transaction identifiers, invoice history, payment status, and partial payment metadata provided by payment processors.
Retention: Billing and transaction records are retained for a minimum of 5 years as required by applicable financial and tax regulations.
3.4 Technical and Usage Data
We may automatically collect technical information including:
IP addresses, browser type, device identifiers, operating system, usage logs, timestamps, referring URLs, pages viewed, session activity, crash reports, and interaction metrics.
Retention: Technical and usage data is retained for up to 12 months, after which it is deleted or aggregated into anonymised form.
3.5 Communications Data
If you contact us, participate in surveys, request support, or communicate with us, we may retain records of those communications for the purposes of customer support, quality assurance, and dispute resolution.
Retention: Communications data is retained for up to 24 months from the date of the communication.
4. LEGAL BASES FOR PROCESSING (GDPR)
Where applicable under the GDPR or equivalent legislation, CodeHalo processes personal data under one or more of the following legal bases, mapped to specific processing activities:
Performance of a contract: processing account data to authenticate Users, deliver the Service, process Scan requests, and manage billing and payments.
Legitimate interests: processing usage and technical data for platform analytics, security monitoring, fraud prevention, service improvement, and business administration, where such interests are not overridden by the rights and interests of Users.
Compliance with legal obligations: retaining billing records, responding to lawful governmental requests, and complying with applicable data protection, financial, and regulatory requirements.
Consent: where legally required, sending marketing communications and placing non-essential cookies. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
Users who wish to object to processing based on legitimate interests may do so by contacting contact@codehalo.io. We will assess such requests and respond within the timeframe specified in Section 12.
5. HOW WE USE INFORMATION
We use collected information to:
provide, operate, and maintain the Service, authenticate Users and manage accounts, process Scans and generate Reports, process payments and manage billing, provide customer support, monitor platform performance and reliability, detect security incidents and abuse, enforce our Terms and policies, conduct analytics and diagnostics, comply with legal obligations, and communicate administrative or operational notices.
5.1 Marketing Communications
We may send Users:
product updates, feature announcements, newsletters, security notices, and promotional communications.
Users may opt out of marketing communications at any time using the unsubscribe mechanism included in emails or by contacting us at contact@codehalo.io. Where legally required (including under GDPR and Singapore's PDPA), marketing communications will only be sent with the User's prior consent.
6. COOKIES AND TRACKING TECHNOLOGIES
CodeHalo uses cookies and similar technologies including web beacons, local storage, analytics tags, and pixels.
6.1 Categories of Cookies
Essential Cookies: necessary for the operation of the Service, including authentication and session management. These cookies cannot be disabled without impairing core functionality.
Functional Cookies: used to remember User preferences and settings.
Analytics Cookies: used to understand how Users interact with the Service, in order to improve performance and user experience.
Marketing Cookies: used to measure the effectiveness of marketing communications and campaigns.
6.2 Consent for Non-Essential Cookies
Essential cookies are placed on the basis of our legitimate interest in operating the Service. All non-essential cookies — including analytics and marketing cookies — are placed only with the User's prior consent, obtained through our cookie consent banner. Users may withdraw or modify their cookie consent at any time through the consent management tool available on our website or through browser settings.
Certain features of the Service may not function properly if essential cookies are disabled.
6.3 Analytics Providers
We may use third-party analytics providers including:
Analytics Provider(s): Google Analytics (other providers may be added in the future).
These providers may collect information about how Users interact with the Service. Please refer to those providers' privacy policies for further information about their data practices.
7. HOW WE SHARE INFORMATION
CodeHalo does not sell personal information.
7.1 Service Providers and Subprocessors
We may share information with trusted third-party vendors and subprocessors that support the operation of the Service, including providers of:
cloud hosting, analytics, payment processing, communications, authentication, infrastructure, monitoring, and customer support.
Current providers include:
Stripe (payment processing), GitHub OAuth (authentication), DigitalOcean (cloud provider), Vercel (hosting), Zoho and Loops (e-mail), Google (e-mail, analytics), Supabase (database), Refgrow (affiliates).
We maintain a list of active subprocessors and will provide an updated list upon request. Business Users will be notified of material changes to our subprocessor arrangements in advance, with the opportunity to raise objections, as further described in any applicable Data Processing Agreement.
7.2 Legal Compliance
We may disclose information where required by law, regulation, court order, subpoena, or valid governmental request. Where legally permitted, we will attempt to notify the User prior to such disclosure.
7.3 Business Transactions
Information may be disclosed or transferred in connection with mergers, acquisitions, financing transactions, reorganisations, or sale of assets. In such circumstances, CodeHalo will provide advance notice to Users where reasonably practicable, and any successor entity will be required to honour the commitments made in this Privacy Policy. If the successor entity's privacy practices differ materially, Users will be provided with notice and, where required by law, the opportunity to delete their data prior to the transfer taking effect.
7.4 Protection of Rights
We may disclose information where reasonably necessary to enforce our agreements, investigate abuse, protect Users or third parties from harm, protect our infrastructure, or defend legal claims.
8. INTERNATIONAL DATA TRANSFERS
CodeHalo and its service providers may process information in jurisdictions outside the User's country of residence. Processing may occur in regions including:
Server / Processing Regions: Singapore
Where personal data is transferred from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country not recognised as providing an adequate level of data protection, CodeHalo implements appropriate safeguards, which may include:
Standard Contractual Clauses ("SCCs") approved by the European Commission, the UK International Data Transfer Addendum ("UK IDTA"), or other recognised transfer mechanisms under applicable law.
Copies of applicable transfer safeguards may be requested by contacting contact@codehalo.io.
Note on DPO and EU/UK Representative: CodeHalo does not currently have a formally appointed Data Protection Officer or an EU/UK local representative. Users in the EEA or UK with privacy queries or complaints may contact us directly at contact@codehalo.io. We will respond within the timeframes specified in Section 12. We are monitoring our regulatory obligations in this area as the Service scales.
9. DATA RETENTION
CodeHalo retains information only for as long as necessary for the purposes described in this Privacy Policy, including providing the Service, maintaining operational integrity, complying with legal obligations, resolving disputes, enforcing agreements, and preventing fraud or abuse.
The following retention periods apply:
9.1 Source Code and Repository Data
Repository contents submitted for analysis are processed transiently and are not intentionally retained after Scan completion, subject to limited temporary operational retention as described in Section 2.3.
9.2 Operational Logs and Diagnostic Data
Operational logs and diagnostic information are retained for a maximum of 90 days, after which such information is deleted, anonymised, or aggregated.
9.3 Account and Identity Data
Retained for the duration of the account and for up to 24 months following account closure or termination.
9.4 Billing and Transaction Records
Retained for a minimum of 5 years as required by applicable financial, tax, and regulatory obligations.
9.5 Technical and Usage Data
Retained for up to 12 months, after which data is deleted or aggregated into anonymised form.
9.6 Communications Data
Retained for up to 24 months from the date of the relevant communication.
9.7 Scan Metadata
Metadata associated with completed Scans (as described in Section 2.4) is retained for the duration of the User's account and for up to 12 months following account closure, unless the User requests earlier deletion.
Upon expiry of applicable retention periods, data is securely deleted, anonymised, or archived in a manner that prevents further processing.
10. SECURITY MEASURES
CodeHalo implements commercially reasonable technical and organisational safeguards designed to protect information, including where appropriate:
encryption of data in transit, access controls and least-privilege permissions, authentication safeguards, audit logging, infrastructure monitoring, and security review processes.
However, no method of transmission, storage, or processing can be guaranteed to be completely secure. Users are responsible for maintaining the security of their account credentials and for the security of code submitted to the Service.
11. SECURITY INCIDENTS
In the event of a confirmed security incident materially affecting personal information or Confidential Information, CodeHalo will:
notify affected Users and relevant supervisory authorities within the timeframes required by applicable law, including within 72 hours of becoming aware of a personal data breach under GDPR, and within 3 calendar days for significant data breaches under Singapore's PDPA; take reasonable steps to contain, investigate, and remediate the incident; and provide Users with relevant information about the nature of the incident and recommended protective actions, to the extent permitted by applicable law and law enforcement considerations.
12. YOUR PRIVACY RIGHTS
Depending on applicable law and jurisdiction, Users may have the following rights in respect of their personal data:
Right of access: to obtain a copy of personal data we hold about you.
Right to rectification: to correct inaccurate or incomplete personal data.
Right to erasure: to request deletion of personal data in certain circumstances.
Right to restriction of processing.
Right to object: to processing based on legitimate interests or for direct marketing.
Right to data portability: to receive your data in a structured, commonly used format.
Right to withdraw consent: where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact:
Privacy Contact Email: contact@codehalo.io
We will acknowledge your request promptly and respond within one month of receipt, as required under GDPR. Under Singapore's PDPA, we will respond within 30 calendar days. In complex cases, the response period may be extended by up to two additional months, in which case we will notify you of the extension and the reason.
We may ask you to verify your identity before processing your request.
13. CALIFORNIA PRIVACY DISCLOSURES (CCPA/CPRA)
For purposes of applicable California privacy laws, including the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"):
CodeHalo does not sell personal information. CodeHalo does not knowingly share personal information for cross-context behavioural advertising. California residents have the right to know what personal information is collected, the right to delete personal information, the right to correct inaccurate information, the right to opt out of sale or sharing, and the right to non-discrimination for exercising privacy rights.
California residents may exercise these rights by contacting contact@codehalo.io.
14. SINGAPORE PDPA DISCLOSURES
As CodeHalo is incorporated in Singapore, we comply with the Personal Data Protection Act 2012 (Singapore) ("PDPA") as amended.
Under the PDPA, Users based in Singapore have the right to access and correct personal data held about them. To make a request, please contact contact@codehalo.io. We will respond within 30 calendar days.
CodeHalo does not use personal data for telemarketing without prior consent. If applicable, we comply with the Do Not Call Registry provisions under the PDPA.
The relevant supervisory authority for PDPA matters in Singapore is the Personal Data Protection Commission ("PDPC"). Users who are not satisfied with our response to a privacy concern may file a complaint directly with the PDPC at www.pdpc.gov.sg.
15. CHILDREN'S PRIVACY
The Service is not intended for individuals under the age of 18. CodeHalo does not knowingly collect personal information from children. If we become aware that personal information has been collected from a person under the age of 18 without appropriate parental consent where required, we will promptly delete such information. If you believe we may have inadvertently collected such information, please contact us at contact@codehalo.io.
16. PROHIBITED OR RESTRICTED DATA
Unless expressly authorised in writing by CodeHalo, Users must not submit to the Service:
protected health information ("PHI") as defined under applicable law, classified government or national security information, export-controlled materials, government-restricted information, or data subject to heightened regulatory restrictions including financial account data governed by PCI-DSS.
CodeHalo bears no liability for any prohibited or restricted data submitted in violation of this section. Users who submit such data in violation of these restrictions are solely responsible for any resulting consequences, and CodeHalo's indemnification provisions in the Terms and Conditions apply in full. See Section 14 of the Terms and Conditions for further detail.
17. THIRD-PARTY SERVICES
The Service may integrate with or link to third-party services, including GitHub and payment processors. CodeHalo is not responsible for the privacy, security, or data practices of third-party platforms, websites, or providers. Users should review the privacy policies of those third parties independently.
18. DATA PROCESSING AGREEMENTS
Business Users who process personal data on behalf of their own clients or who require contractual data protection commitments beyond this Privacy Policy may request a Data Processing Agreement ("DPA") from CodeHalo. A DPA governs the terms on which CodeHalo processes personal data as a data processor on behalf of the Business User as data controller. To request a DPA, please contact contact@codehalo.io.
19. CHANGES TO THIS PRIVACY POLICY
CodeHalo may modify this Privacy Policy from time to time. Updated versions will be posted on the website with a revised Effective Date.
For material changes affecting User rights or data handling practices, CodeHalo will provide at least 30 days' advance notice via email to registered Users before the changes take effect, consistent with our Terms and Conditions. Users who object to material changes may delete their account prior to the effective date. Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
For non-material changes such as clarifications or corrections, updated terms take effect upon posting.
20. CONTACT INFORMATION
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
Privacy Contact: contact@codehalo.io
For EU/EEA and UK Users: In the absence of a locally appointed representative, you may direct your inquiry to the above contact. You also have the right to lodge a complaint with your local supervisory authority — for EU residents, the relevant Data Protection Authority ("DPA") in your member state; for UK residents, the Information Commissioner's Office ("ICO") at www.ico.org.uk.
[END OF PRIVACY POLICY]