Privacy Policy
Last updated: January 3, 2026
This Privacy Policy explains how Code Quality Check ("we", "us") collects, uses, and protects personal data when you use codequalitycheck.com and related services (the "Service").
Controller (Data Controller): Code Quality Check, Jerusalem, Israel
Privacy contact: privacy@codequalitycheck.com
1. What the Service does
Code Quality Check lets you submit a website URL for a passive scan and receive findings (security headers, configuration checks, public-facing issues). Scan results are stored for a limited time so you can return to them via a unique link or by logging in.
2. Personal data we collect
A. Data you provide
- Account data: If you log in via GitHub OAuth, we receive your GitHub username and email address. If you use another login method, we collect the authentication information you provide.
- Form submissions: Information you submit through contact forms, scan requests, or other forms on the Service (e.g., name, email address, website URL, project details, messages).
- Scan targets: Website URLs you submit for scanning.
B. Data we collect automatically
- Device and usage data: IP address, browser type, device information, pages visited, and timestamps.
- Session data: Session identifiers stored in cookies (30-day duration).
- Security signals: Rate-limiting counters and abuse prevention data.
C. Scan results and metadata
When you request a scan, we store the results including findings, severity ratings, technologies detected, and response times. This data is linked to your session or account.
D. Data processed from scanned websites
When you submit a URL, our systems fetch publicly available resources (response headers, publicly accessible pages) to generate findings. We do not intend to collect personal data from page content. We store only minimal evidence needed to explain findings (e.g., short redacted snippets). We do not store full HTML or JavaScript snapshots.
If you believe we have inadvertently captured personal data from a scanned page, contact privacy@codequalitycheck.com for review and removal.
3. Cookies and analytics
Cookies
We use strictly necessary session cookies only to maintain your login state.
Analytics
We use self-hosted Umami to understand aggregated usage (pageviews, referrers, device types) to improve reliability and user experience. Umami is privacy-focused and does not use cookies for tracking. We do not use analytics for advertising, and we do not sell or share personal data for behavioral advertising.
4. Why we use personal data (purposes)
We use personal data to:
- Provide the Service: Run scans, generate and display results, let you revisit results via unique links or login.
- Operate and secure the Service: Prevent abuse, enforce rate limits, detect fraud, protect infrastructure.
- Support: Respond to inquiries and support requests.
- Improve the Service: Debugging, performance optimization, and reliability improvements.
5. Automated processing and AI
We use automated systems, including AI and machine learning components, to analyze websites and generate security findings. These automated checks:
- Evaluate publicly available information from websites you submit for scanning
- Generate findings based on detected patterns and known security issues
- Do not make decisions that have legal or similarly significant effects on you
You can contact us if you have questions about how automated processing applies to your data.
6. Legal bases (EEA/UK users)
Where EU/UK GDPR applies, we process personal data under these legal bases:
- Performance of a contract / steps at your request: Running scans you request and providing results.
- Legitimate interests: Operating, securing, and improving the Service (including analytics and abuse prevention), balanced against your rights.
- Legal obligation: When we must comply with applicable law.
7. Sharing and disclosures
We do not sell personal data.
We share personal data only in these cases:
- Service providers: See list below.
- Legal / safety: If required by law, court order, or to protect rights and safety.
- Business transfer: If we undergo a merger, acquisition, or asset sale, data may be transferred as part of that transaction.
The Service is hosted on infrastructure provided by Akamai/Linode (United States). We use the following service providers:
- Akamai/Linode (hosting): servers located in the United States
- GitHub (OAuth authentication): receives username and email when you log in
We do not use third-party analytics services that track individual users.
8. Data retention
- Scan results (findings and metadata): Up to 90 days, then deleted or de-identified.
- Raw page content (HTML/JS snapshots): Not stored.
- Security and diagnostic logs: 90 days, then deleted.
- Account data: Retained while your account is active. After deletion request: 7-day grace period, then permanently deleted.
9. International data transfers
We are based in Israel, and our servers are located in the United States. If you access the Service from outside these countries, your data may be transferred internationally for processing.
For EEA and UK users: Israel has been recognized by the European Commission as providing an adequate level of data protection under GDPR. For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) with our hosting provider and/or their participation in applicable data transfer frameworks.
10. Security
We apply reasonable technical and organizational measures to protect data, including:
- HTTPS encryption for all connections
- HttpOnly and Secure flags on cookies
- Rate limiting and abuse prevention
- Access controls on stored data
No method of transmission or storage is 100% secure. If you believe your data has been compromised, contact us immediately.
11. Your rights and choices
A. EEA/UK GDPR rights
Depending on your location and applicable law, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data (right to erasure)
- Object to or restrict processing
- Request data portability
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with a supervisory authority (such as your local data protection authority)
B. Israel (Protection of Privacy Law)
Under Israeli law, providing information is generally voluntary. Certain data is required to provide the Service (we cannot run a scan without a URL; we cannot respond to support requests without a contact method).
You may have rights to review information about you held in a database and request correction, subject to applicable law.
C. United States (California-style disclosure)
If California privacy law applies:
Notice at Collection:
- Categories collected: Identifiers (email, username), internet/network activity (IP, logs, pageviews), scan input (URL), and support communications.
- Purposes: Provide the Service, secure it, support, improve.
- Sold or shared: No.
- Retention: Scan results up to 90 days; other data retained only as needed for security and support.
California residents may have additional rights including the right to know, delete, correct, and opt out of sale/sharing. We do not sell or share personal information for cross-context behavioral advertising.
Exercising your rights
To exercise privacy rights, email privacy@codequalitycheck.com with "Privacy Request" in the subject line. Include enough information for us to locate your data (e.g., email address, GitHub username, or scan URLs).
12. Unique links and sharing
If you access scan results via a unique link, treat it like a secret: anyone with the link can view the results. If you believe a link has been exposed, contact us and we can invalidate it where feasible.
13. Children
The Service is not intended for children under 13 (or under 16 where applicable). We do not knowingly collect personal data from children.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will be revised when changes are posted. We encourage you to review this policy periodically.
15. Contact
Code Quality Check
Jerusalem, Israel
privacy@codequalitycheck.com