GDPR Compliance
CodeRaptor is fully compliant with the EU General Data Protection Regulation (GDPR). We take data protection seriously and provide full transparency about how we handle your data.
Our GDPR Commitment
We are committed to protecting the privacy and personal data of all our users, especially those in the European Union. We comply with GDPR requirements and provide robust data protection measures.
1. Lawful Basis for Processing
We process your personal data under the following lawful bases:
Contractual Necessity
Processing necessary to provide our code review services under our Terms of Service
Legitimate Interest
Improving our services, preventing fraud, and ensuring security
Consent
Marketing communications and non-essential cookies (you can withdraw anytime)
Legal Obligation
Compliance with tax, accounting, and other legal requirements
2. Your GDPR Rights
As a data subject under GDPR, you have the following rights:
Right to Access (Article 15)
You can request a copy of all personal data we hold about you. We provide this within 30 days in a structured, machine-readable format.
Right to Rectification (Article 16)
You can correct inaccurate or incomplete personal data. Update your information directly in your account settings or contact us.
Right to Erasure (Article 17)
You can request deletion of your personal data ("right to be forgotten") when:
- Data is no longer necessary for the purpose collected
- You withdraw consent and no other legal basis exists
- You object to processing and no overriding legitimate grounds exist
- Data has been unlawfully processed
Right to Restriction (Article 18)
You can request restriction of processing when:
- You contest the accuracy of data
- Processing is unlawful but you oppose erasure
- We no longer need data but you need it for legal claims
- You object to processing pending verification
Right to Data Portability (Article 20)
You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes at any time.
Rights Related to Automated Decision-Making (Article 22)
While we use AI for code analysis, we don't make automated decisions with legal or similarly significant effects. Code reviews are advisory only.
3. Data Protection Measures
3.1 Technical Measures
- End-to-end encryption (TLS 1.3 in transit, AES-256 at rest)
- Regular security audits and penetration testing
- Access controls with multi-factor authentication
- Automated vulnerability scanning
- Secure data centers in EU region (for EU customers)
3.2 Organizational Measures
- Appointed Data Protection Officer (DPO)
- Employee training on GDPR and data protection
- Data protection impact assessments (DPIAs)
- Incident response and breach notification procedures
- Regular compliance audits
4. Data Processing Agreement (DPA)
For enterprise customers, we provide a comprehensive Data Processing Agreement that includes:
- Standard Contractual Clauses (SCCs) for international transfers
- Detailed description of processing activities
- Security measures and obligations
- Sub-processor list and approval process
- Data subject rights procedures
- Audit rights and cooperation obligations
5. International Data Transfers
When we transfer data outside the EU/EEA, we ensure adequate protection through:
- Standard Contractual Clauses: EU Commission-approved SCCs
- Adequacy Decisions: Transfers to countries with adequate protection
- EU Hosting Options: Data can remain within EU borders
6. Sub-Processors
We use the following categories of sub-processors:
- Cloud hosting providers (AWS, Google Cloud - EU regions available)
- Payment processors (Stripe)
- Customer support tools (Intercom)
- Analytics services (PostHog - self-hosted option available)
A complete and up-to-date list of sub-processors is available upon request. We notify customers 30 days before adding new sub-processors.
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the supervisory authority within 72 hours of becoming aware of the breach
- Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms
- Document all breaches and remediation actions
- Implement measures to prevent future breaches
8. Children's Data
We do not knowingly process data of individuals under 16 years of age (or the applicable age in your jurisdiction). If we discover such processing, we delete the data immediately.
9. Exercising Your Rights
To exercise any of your GDPR rights, you can:
- Use the self-service tools in your account settings
- Email our Data Protection Officer at dpo@coderaptor.ai
- Submit a written request to our postal address
We respond to requests within 30 days. If we cannot comply, we explain why and inform you of your right to lodge a complaint with a supervisory authority.
10. Supervisory Authority
You have the right to lodge a complaint with your local data protection authority. For users in the EU, you can find your authority at: https://edpb.europa.eu
11. Contact Our DPO
Data Protection Officer
For all GDPR-related inquiries, contact our Data Protection Officer:
- Email: dpo@coderaptor.ai
- Address: CodeRaptor DPO, 2179 Market Street, San Francisco, CA 94114, USA
- Response Time: Within 30 days
12. Updates to GDPR Compliance
We continuously review and update our GDPR compliance practices. Material changes will be communicated via email and posted on this page.
Last Updated: October 12, 2025