Privacy Policy
1. Introduction
This Privacy Policy explains how Rami Code Review ("Rami," "Service," "we," "us," or "our") collects, uses, and protects your information when you use our AI-powered code review service at rami.reviews.
Data Controller: Rami Code Review is operated by ChangWon Lee, an individual based in the Republic of Korea. For data protection inquiries, contact: support@rami.reviews
By using the Service, you acknowledge that you have read and understood this policy.
2. Information We Collect
2.1 Information You Provide
Account Information:
- GitHub username and user ID
- Email address
- Profile avatar URL
Organization Information:
- GitHub organization ID and login
- Organization display name
- Billing email address
- Organization membership and roles
Payment Information:
- Processed by Paddle
- Transaction IDs and purchase confirmations
Authentication Tokens:
- API keys (hashed)
- Device tokens for CLI access
- Session tokens
2.2 Information from GitHub
When you install our GitHub App and use the Service, we access:
- Your GitHub profile
- Repository information for repos where the app is installed
- Pull request diffs and metadata
- Review comments
We only access repositories where you have installed the GitHub App.
GitHub App Permissions Requested:
- Pull requests: Read and write (to read PR diffs and post review comments)
- Contents: Read-only (to access code diffs)
- Metadata: Read-only (repository name, description)
- Members: Read-only (for organization installations)
2.3 Code You Submit
When you request a code review, we process:
- Pull request diffs (changed code)
- File paths and line numbers
- Commit information
- PR title and description
Code is transmitted to third-party LLM providers for analysis.
2.4 Automatically Collected Information
Usage Data:
- API calls and endpoints accessed
- Timestamps of requests
- Quota and credit usage
- Cache hit/miss statistics
- Member activity timestamps
- Per-member usage attribution within organizations
Technical Data:
- IP address
- User agent string
- Request headers
Audit Logs:
- Authentication events
- API key creation/revocation
- Billing transactions
3. How We Use Your Information
We use collected information to:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the code review service | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Enforce rate limits and quotas | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest |
| Improve the Service | Legitimate interest |
| Send service-related communications | Contract performance |
| Comply with legal obligations | Legal obligation |
| Maintain security and audit logs | Legitimate interest |
4. How We Share Your Information
4.1 Within Organizations
If you are a member of an organization, the following information is visible to the organization owner:
- Your GitHub username and avatar
- Your membership status
- Your usage statistics
- Credits consumed on behalf of the organization
- Last activity timestamp
4.2 Third-Party Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| LLM Providers (OpenRouter, OpenAI, Anthropic, xAI, Google, AWS Bedrock) | Code analysis | Code diffs, file paths |
| Paddle | Payment processing (merchant of record) | Email, billing address, transaction data. Paddle acts as an independent data controller for payment processing and as our processor for transaction records. See Paddle's Privacy Policy. |
| GitHub | App installation, PR access | Installation tokens, comments |
| AWS | Infrastructure hosting | All service data |
4.3 Legal Requirements
We may disclose information if required by law, legal process, or government request.
4.4 Business Transfers
In case of merger, acquisition, or sale of assets, your information may be transferred to the successor entity.
4.5 With Your Consent
We may share information for other purposes with your explicit consent.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Organization data | Until organization deletion |
| Organization usage events | 7 years (billing verification) |
| Member activity timestamps | 7 years (billing verification) |
| Usage logs | 90 days |
| Audit logs | 1 year |
| Cached review results | 7 days |
| Payment records | 7 years (legal requirement) |
| Organization invoices | 7 years (tax compliance) |
| Session data | 14 days of inactivity |
After retention periods, data is deleted or anonymized.
6. Data Security
We implement industry-standard security measures including encryption in transit and at rest, access controls, and audit logging. Despite these measures, no system is 100% secure.
Data Breach Notification: In the event of a data breach affecting your personal information, we will notify affected users and applicable data protection authorities as required by law. For EEA residents, notification will occur within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms.
7. Your Rights
7.1 All Users
You have the right to:
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Request account and data deletion
- Portability: Export your data in a standard format
7.2 European Economic Area (EEA) Residents
Under GDPR, you additionally have the right to:
- Object: Object to processing based on legitimate interest
- Restrict: Request restriction of processing
- Withdraw Consent: Withdraw consent at any time
- Complain: Lodge a complaint with a supervisory authority
7.3 California Residents (CCPA)
You have the right to:
- Know: What personal information we collect and how it's used
- Delete: Request deletion of your personal information
- Non-Discrimination: Equal service regardless of exercising privacy rights
We do not sell personal information as defined by CCPA.
Categories of Personal Information (preceding 12 months):
- Collected: Identifiers (GitHub username, email), Internet activity (usage logs, API calls), Professional information (code submitted for review)
- Disclosed for business purposes: Identifiers and professional information to LLM providers (for code analysis), identifiers to Paddle (for payment processing)
- Sold: None. We do not sell personal information.
7.4 Exercising Your Rights
To exercise these rights, contact us at support@rami.reviews. We will respond within:
- 30 days (GDPR)
- 45 days (CCPA)
We may need to verify your identity before processing requests.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your residence, including:
- Japan (AWS infrastructure)
- United States (LLM providers, GitHub)
For EEA residents, transfers are protected by:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
EU Representative: As a Korea-based operator without an establishment in the EU, we have assessed our obligations under GDPR Article 27. Our processing of EU personal data is limited to users who actively install our GitHub App and request code reviews. Given the nature and scale of our processing, we have not appointed an EU representative. If you have concerns about this assessment or require assistance exercising your rights, contact us at support@rami.reviews.
9. Third-Party LLM Providers
Code submitted for review is processed by third-party LLM providers. We use the following providers:
| Provider | Data Retention | Training Use | Location |
|---|---|---|---|
| OpenAI | 30 days (abuse monitoring) | Opted out via API | United States |
| Anthropic | Not retained after processing | Not used for training | United States |
| Google (Gemini) | Not retained after processing | Opted out via API terms | United States |
| OpenRouter | Varies by underlying model | Configured for no training | United States |
| xAI | Not retained after processing | Not used for training | United States |
| AWS Bedrock | Not retained after processing | Not used for training | United States |
Safeguards: We use API-based access with enterprise terms where available. Code is transmitted via encrypted connections (TLS 1.2+). We do not send repository names, user identities, or commit messages to LLM providers—only the code diff content necessary for analysis, which may include file paths.
Enterprise Users: If your organization requires specific data processing agreements with LLM providers, contact us to discuss available options.
10. Cookies and Tracking
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication | 14 days of inactivity |
| CSRF token | Security | 24 hours |
11. Children's Privacy
The Service is not intended for users under 16 years of age. We do not knowingly collect information from children. If we learn we have collected information from a child under 16, we will delete it within 30 days.
12. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be communicated via:
- Email notification
- Notice on the dashboard
- Updated effective date
Material changes will be notified at least 30 days before taking effect.
13. Contact Us
For privacy-related questions or to exercise your rights:
Email: support@rami.reviews
EEA residents may lodge complaints with their local data protection authority.