Privacy Policy

Last updated: 3/31/2026

Code Lexica, Inc. (“Code Lexica,” “we,” “us,” or “our”) is a Delaware corporation headquartered at 809 W Main Ave, Suite 212, Spokane, WA 99201. This Privacy Policy describes how we collect, use, disclose, and protect information when you access or use the Code Lexica platform (the “Service”), visit our website at codelexica.com, or otherwise interact with us.

By accessing or using the Service, you acknowledge that you have read and understand this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization to this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, company name, job title, and team size when you create an account, request a demo, or contact us.
  • Payment Information: Billing address and payment method details processed through our third-party payment processor (Stripe). We do not store full payment card numbers on our systems.
  • Repository Access Credentials: OAuth tokens for connecting to GitHub, GitLab, Azure DevOps, or Bitbucket. We use OAuth-based authentication and never store your Git passwords.
  • Communications: Information you provide when you contact us for support, submit feedback, or participate in surveys.
  • Organization Data: Workspace configurations, team member invitations, and administrative settings you configure within the Service.

1.2 Source Code and Customer Data

When you connect a repository to the Service, we access and process:

  • Source Code: The contents of repositories you explicitly authorize us to access through your Git provider.
  • Documentation: README files, inline comments, configuration files, and other documentation within your repositories.
  • Metadata: Repository structure, file names, commit history metadata, branch information, and dependency manifests.
  • Derived Intelligence: Reports, knowledge graphs, architectural models, analysis results, and contextual data generated by the Service from your source code (collectively, “Derived Data”).

1.3 Information Collected Automatically

  • Usage Data: Features accessed, reports generated, chat queries submitted, credits consumed, timestamps, and interaction patterns.
  • Device and Browser Data: IP address, browser type and version, operating system, device identifiers, and referring URLs.
  • Log Data: Server logs recording access times, pages viewed, errors encountered, and API calls made.
  • Cookies and Similar Technologies: Session cookies for authentication, preference cookies, and analytics cookies (see Section 9 below).

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, operate, and maintain the Service, including processing your repositories, generating reports and analyses, powering interactive codebase chat, and delivering integrations with project management tools (JIRA, Linear).
  • Account Management: To create and manage your account, authenticate your identity, and administer your subscription and billing.
  • Service Improvement: To monitor performance, analyze usage trends, diagnose technical issues, and improve the functionality, reliability, and security of the Service.
  • Communications: To send you transactional messages (account confirmations, billing receipts, service updates), respond to support requests, and, with your consent, send product announcements and marketing communications.
  • Security and Fraud Prevention: To detect, prevent, and respond to security incidents, fraud, abuse, and violations of our Terms of Service.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Aggregated Statistics: To compile anonymized, aggregated statistics about Service usage for internal analysis and, where permitted, to improve our products. Aggregated Statistics do not identify you or any individual customer (see Section 3).

3. Source Code Processing and Security

We understand that your source code is among your most sensitive and valuable assets. We have designed the Service with the following safeguards:

  • Secure Access: We access your source code exclusively through authenticated OAuth API connections to your Git provider. We never store your Git credentials.
  • Encryption: All source code and Derived Data are encrypted at rest using AES-256 encryption (via AWS KMS) and encrypted in transit using TLS 1.2 or higher.
  • Tenant Isolation: Each customer's data is logically isolated. Your source code, Derived Data, and knowledge graphs are never accessible to other customers.
  • Processing Purpose: Your source code is processed solely to build knowledge graphs, generate reports, power codebase chat, and provide the features described in the Service. We do not use your source code to train machine learning models or for any purpose unrelated to providing the Service to you.
  • No Commingling: Your source code is not commingled with other customers' code. Aggregated Statistics derived from your usage do not contain or expose your source code.
  • Deletion: When you disconnect a repository, the associated source code, knowledge graph, and Derived Data are deleted within thirty (30) days. When you close your account, all associated data is deleted within thirty (30) days, unless retention is required by law.

4. Third-Party Sub-Processors and Service Providers

We engage the following categories of third-party service providers who may process your data in connection with the Service. All sub-processors are contractually required to maintain appropriate security and privacy standards:

  • Cloud Infrastructure (AWS): Hosting, compute, storage, and data processing for the Service. All customer data is processed within AWS infrastructure with encryption at rest and in transit.
  • Authentication Providers: For secure login, identity management, and SSO/SAML authentication for Enterprise customers.
  • Payment Processor (Stripe): To process subscription payments and manage billing. Stripe receives only the payment information necessary to complete transactions.
  • Git Providers (GitHub, GitLab, Azure DevOps, Bitbucket): To access repositories you explicitly authorize via OAuth. We access only the repositories and permissions you grant.
  • Analytics (PostHog): To understand usage patterns and improve the Service. Analytics data is anonymized where possible.
  • AI Model Providers (Google Gemini, Anthropic Claude): The Service uses third-party large language model (LLM) providers to power report generation, codebase chat, and code analysis features. Customer source code and synthetic data derived from Customer source code may be transmitted to these providers for processing. We maintain Zero Data Retention (ZDR) agreements with each AI model provider, meaning: (a) your data is not stored by the provider after processing is complete; (b) your data is not used to train, fine-tune, or improve the provider's models; and (c) your data is processed in memory only and is not logged or retained. We may engage additional AI model providers from time to time; any such providers will be subject to equivalent ZDR commitments. A current list of AI model providers is available upon request at support@codelexica.com.

We do not sell your personal information or source code to third parties. A current list of sub-processors is available upon request at support@codelexica.com.

5. Data Security

We implement and maintain a comprehensive security program designed to protect your data. Our security controls include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS)
  • OAuth-based repository access (we never store Git credentials)
  • Role-based access controls (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) for all internal systems and production access
  • Regular vulnerability scanning (SAST/DAST) and annual third-party penetration testing
  • Secure software development lifecycle (SSDLC) aligned with OWASP Top 10 2025 and NIST 800-53
  • Infrastructure managed via Terraform with immutable deployments
  • Web Application Firewall (WAF) for public-facing endpoints
  • SSO/SAML support for Enterprise customers requiring centralized authentication
  • Incident response procedures with defined escalation paths

Our security program is documented in our Security Program Policy and supporting appendices, which are available to Enterprise customers and prospective customers upon request and subject to NDA. While we strive to protect your information using commercially reasonable measures, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

6. Data Retention

  • Account Data: Retained for as long as your account is active and for a reasonable period thereafter to fulfill legal obligations, resolve disputes, and enforce agreements.
  • Source Code and Derived Data: Retained while the associated repository is connected to the Service. Upon disconnection, source code and Derived Data are deleted within thirty (30) days.
  • Account Closure: Upon account closure, all account data, source code, and Derived Data are deleted within thirty (30) days, unless retention is required by applicable law.
  • Aggregated Statistics: Anonymized, aggregated data that does not identify you or your organization may be retained indefinitely for analytical purposes.
  • Backup Copies: Backup copies of data may persist in encrypted backups for up to ninety (90) days after deletion from production systems, after which they are permanently purged.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format.
  • Restriction: Request restriction of processing of your personal data in certain circumstances.
  • Objection: Object to the processing of your personal data where we rely on legitimate interest as the legal basis.
  • Withdrawal of Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@codelexica.com. We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law.

7.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to request deletion, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your rights. We do not sell or share personal information as defined by the CCPA/CPRA.

7.2 EU/EEA and UK Residents (GDPR/UK GDPR)

If you are located in the European Economic Area or United Kingdom, we process your personal data on the following legal bases: (a) contractual necessity (to provide the Service); (b) legitimate interest (to improve the Service, ensure security, and prevent fraud); and (c) consent (for marketing communications). You may withdraw consent at any time.

For international data transfers outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where appropriate. You have the right to lodge a complaint with your local supervisory authority.

8. International Data Transfers

The Service is operated from the United States, and your data is processed and stored in the United States using AWS infrastructure. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. We ensure that appropriate safeguards are in place for international transfers, including Standard Contractual Clauses for transfers from the EEA/UK, and compliance with applicable data protection laws. Enterprise customers requiring a Data Processing Agreement (DPA) may request one at support@codelexica.com.

9. Cookies and Tracking Technologies

We use cookies and similar technologies as follows:

  • Essential Cookies: Required for authentication, session management, and core functionality of the Service. These cannot be disabled without affecting Service functionality.
  • Analytics Cookies: Used to understand usage patterns and improve the Service. We use PostHog for product analytics.
  • Preference Cookies: Used to remember your settings and display preferences.

We do not use advertising or third-party tracking cookies. You can manage cookie preferences through the cookie consent banner on our website or by configuring your browser settings. Disabling essential cookies may impair your ability to use the Service.

10. Children's Privacy

The Service is designed for professional use by businesses and developers and is not directed to individuals under sixteen (16) years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete such information promptly.

11. Data Breach Notification

In the event of a security breach that results in unauthorized access to, or disclosure of, your personal data or source code, we will notify affected customers without undue delay and in accordance with applicable law. For Enterprise customers with executed agreements, notification timelines are governed by the applicable agreement. We will provide information about the nature of the breach, the data affected, the measures taken to address the breach, and recommended steps for affected individuals.

12. Third-Party Links and Integrations

The Service integrates with third-party platforms including Git providers (GitHub, GitLab, Azure DevOps, Bitbucket), project management tools (JIRA, Linear), communication tools (Slack), and AI coding tools (via MCP Server). These integrations are activated only when you explicitly connect them. Each third-party service is governed by its own privacy policy and terms of service. We are not responsible for the privacy practices of third-party services, and we encourage you to review their policies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the updated policy on the Service, updating the “Last Updated” date, and, for material changes that affect how we process your data, sending notice to the email address associated with your account at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Code Lexica, Inc.
809 W Main Ave, Suite 212
Spokane, WA 99201
Email: support@codelexica.com