Privacy Policy
Last updated: May 8, 2026
This Privacy Policy explains how Code Quality Check ("we", "us") collects, uses, and protects personal data when you use codequalitycheck.com and related services (the "Service").
We try to keep this policy short and accurate. If you spot something that does not match your experience of the Service, please tell us at privacy@codequalitycheck.com.
Controller (Data Controller): Code Quality Check
Privacy contact: privacy@codequalitycheck.com
1. What the Service does
Code Quality Check lets you submit a website URL for a passive code quality scan and receive findings across categories such as security (HTTP headers, SSL/TLS, exposed secrets, cookies, CORS), accessibility, SEO, performance, and common front-end issues. Scan results are saved so you can return to them via a unique link or by logging in. See section 7 for how long we keep scan data.
2. Personal data we collect
A. Data you provide
- Account data: When you sign in with GitHub, we receive and store the minimum identifying information needed to operate your account: an account identifier, your username, your verified email address, and basic account metadata (creation and last-login timestamps, current plan). We do not store your GitHub access token.
- Email preferences: At registration, and any time on your account page, you choose which categories of email you want to receive (Notifications and News & tips). We record your current choice per category.
- Form submissions: When you contact us through a form on the Service, we collect what you give us: your email address, optionally your name, the website URL, your tech stack, your areas of interest, and any free-text notes you write. Free-text content and contact emails are also forwarded to our internal support channel. See section 6 for the service providers we use.
- Scan targets: The website URLs you submit for scanning, plus any URLs we discover by following links from the page we scanned (see C. Scan results and metadata).
B. Data we collect automatically
When you use the Service we automatically collect:
- Request metadata: your IP address, browser type (user-agent string), the page you visited, and the timestamp.
- Cookies: we set a small number of essential first-party cookies for session management, login persistence, and form-submission security (CSRF protection). We do not set third-party tracking or advertising cookies. All cookies are strictly necessary or service-functional, so we do not show a cookie consent banner. See section 3 for analytics.
- Abuse and rate-limit signals: counters tied to your IP address and session, used to enforce rate limits and detect abuse.
- Interaction events: we record specific actions tied to your session (and your account when you are logged in) so we can offer relevant help and follow up about findings on sites you scanned. The events we record are: starting and completing a report download, submitting a form, clicking a button, and the transactional emails we send to you (and any failures to send). Each event is timestamped and stores the scan or page it relates to. We do not record general navigation, mouse movements, or keystrokes.
C. Scan results and metadata
When you request a scan, we store the results: findings, severity ratings, detected technologies, response time, the scanned URL (and the final URL if the scan was redirected), an optional site title, and one desktop-viewport plus one mobile-viewport screenshot of the rendered page. We also store URL lists derived from the scan (pages we found linked from the scanned site, and external pages it links to) so the report can show how your site's pages link together. Scan data is associated with your session if you are anonymous, or with your account if you are logged in.
D. Data processed from scanned websites
When you submit a URL, our scanner fetches publicly available resources from that site (response headers, public pages) to generate findings. We do not intend to collect personal data from page content. We store only minimal evidence needed to explain findings (for example, short redacted snippets). We do not store full HTML or JavaScript snapshots.
Email privacy@codequalitycheck.com to request review and removal of personal data captured incidentally in a scan.
3. Analytics
We use a self-hosted, cookie-less analytics tool (Umami) for aggregated analytics (pageviews, referrers, device types) so we can improve reliability and user experience. It runs on our own infrastructure and does not use cookies for tracking. We do not integrate third-party advertising or tracking tools, and we do not sell or share personal data for advertising. Cookies are covered in section 2.B.
4. Why we use personal data (purposes)
We use personal data to:
- Provide the Service: run scans, generate and display results, and let you return to results via the unique link or by logging in.
- Operate and secure the Service: enforce rate limits, detect and prevent abuse, and protect our infrastructure.
- Support and follow up: respond to your inquiries and, based on the interaction events described in section 2.B, reach out about findings on sites you scanned or services you indicated interest in.
- Improve the Service: debug issues, monitor performance, and improve reliability.
5. Automated processing
Our scanner uses automated, rule-based checks to evaluate the websites you submit. The findings are about the website, not about you.
6. Sharing and service providers
We do not sell or share personal data for advertising or behavioral profiling. Beyond the service providers described below, we share personal data only:
- Legal or safety: when required by law, court order, or to protect rights and safety.
- Business transfer: if we undergo a merger, acquisition, or asset sale, data may be transferred as part of that transaction. We will notify you in advance where required by law.
Service providers
We use a small number of third-party service providers to operate the Service: a hosting provider (United States), an authentication provider (United States), a transactional email provider (United States), an internal operator-notification service (international), and a self-hosted analytics tool. For the current named list of these providers, contact privacy@codequalitycheck.com.
7. Data retention
This section describes how long we keep different categories of data.
- Scan results (findings, summary, technologies, response time, URL lists, screenshots): retained while your account is active and for as long as needed to operate and improve the Service. Scan results are reachable at a unique, unguessable URL marked noindex; anyone with the link can view them. When a scan link is pasted into a chat or social platform, that platform may fetch and cache a preview image showing the scanned domain and score. This preview is generated by us and contains no information beyond what is already on the scan page itself. You may delete a scan from your dashboard at any time; once deleted, the unique link returns a 404 to anyone who held it. If you scanned without an account, email privacy@codequalitycheck.com with the link to request deletion.
- Raw page content (full HTML or JavaScript snapshots from the sites you scanned): not stored. The scanner reads page content to generate findings but does not persist it.
- Operational and security logs: retained for as long as necessary to operate and protect the Service. Israeli data security regulations require minimum retention for certain log types; where they apply to us, we comply with that minimum.
- Account data: retained while your account is active. You may request account deletion by contacting privacy@codequalitycheck.com; we will action your request within the response window in section 10.
8. International data transfers
We are based in Israel. Some of our service providers are based in the United States or other countries, so personal data may be transferred internationally. Where we transfer personal data from Israel to a country outside Israel, we comply with the Israeli Protection of Privacy Regulations (Transfer of Information to Foreign Databases) 5761-2001.
9. Security
We apply reasonable technical and organizational measures to protect personal data, including HTTPS encryption in transit, abuse prevention (rate limiting tied to IP and session), and access controls separating administrator and regular user authentication.
If you believe your data has been compromised, contact privacy@codequalitycheck.com immediately.
10. Your rights and how to exercise them
Israel (Protection of Privacy Law)
Under Israeli law, providing information is generally voluntary. Some information is required for us to deliver the Service: we cannot run a scan without a URL, we cannot respond to a support request without a contact method, and we cannot create an account without an authenticated identity.
You have the right to inspect information held about you, request correction, and lodge a complaint with the Israeli Privacy Protection Authority (PPA, רשות הגנת הפרטיות).
If you live outside Israel and have rights under your local law, email privacy@codequalitycheck.com. We apply the same process to all rights requests.
How to exercise your rights
To exercise any of these rights, email privacy@codequalitycheck.com with "Privacy Request" in the subject line. Include enough information for us to locate your data (for example, your email address, GitHub username, or a recent scan URL).
We will respond to rights requests within 30 days of receipt. We may extend that period by another 30 days where the request is complex, and we will tell you within the first 30 days if we need to extend.
We may ask you to confirm the request from your account email, or to provide other reasonable proof of identity proportionate to the sensitivity of the request.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will be revised when material changes are posted.
- Added the transactional emails we send (and send failures) to the list of interaction events we record.
- Added the list of interaction events we record, and follow-up as a purpose for using them.
- Added how email preferences are recorded and how to change them.
12. Contact
Code Quality Check
Privacy email: privacy@codequalitycheck.com
Regulator complaints
Israeli Privacy Protection Authority (PPA, רשות הגנת הפרטיות), gov.il/en/departments/the_privacy_protection_authority.