Privacy Policy
Effective date: 26 May 2026
1. Who we are
Codatus ("we", "us") is operated by Cove Innovations, s.r.o. For any privacy-related questions, contact us at hello@codatus.com.
2. What data we collect
When you install the Codatus GitHub App on your organization, we receive and store:
- Installation metadata from GitHub: installation ID, organization name, installing user's login, and account ID.
- Repository metadata read via GitHub's API during a scan: repository names, branch names, branch protection settings, workflow configurations, permissions, and security settings.
- Scan results: the scorecard generated from the metadata above.
- Email address and GitHub identity, if you choose to sign in with GitHub on the Codatus request-sent page to be notified when an organization admin approves your install request. We store your verified GitHub email, your GitHub user ID and login, and the organizations your install request applies to.
- Feedback you submit through the feedback form on the scan report page. We store the text of your feedback and, if you provide it, the email address you enter so we can follow up.
- Newsletter email address, if you subscribe to our blog updates via the form on a blog post or the blog index. We collect your email address and (briefly, via our newsletter provider) your IP address for spam-prevention purposes.
We do not collect or store:
- Source code from any repository.
- Cookies on site visitors' browsers. The codatus.com site sets no cookies of its own.
- Any personal information not listed above.
We use a privacy-friendly analytics service (see Section 4) for aggregate visit counts only. It sets no cookies, does not track visitors across sessions, and stores no IP addresses.
3. How we use your data
We use the data above only to:
- Run compliance scans you request.
- Show you the resulting report.
- Publish the report as a GitHub issue in a repository you select (only when you click "Create issue").
- Identify your installation on return visits via a cryptographically random token in the URL.
- Email you a link to your scan when an organization admin approves an install request you submitted (only if you chose to sign in with GitHub to subscribe to this notification).
- Review feedback you submit in order to improve the product, and reply to you if you provided an email.
- Send you our newsletter, containing new posts, scanner updates, and related notes, but only if you have actively subscribed via the form and confirmed your subscription via the double opt-in email. Every newsletter email contains a one-click unsubscribe link.
We do not sell your data, share it with third parties for marketing, or use it to train machine learning models.
Our legal basis for processing your email address for the newsletter is your consent, given by submitting the subscribe form and confirming via the opt-in email. You may withdraw this consent at any time by unsubscribing.
4. Where your data is stored and who processes it
Scan data, captured emails, and feedback are stored in a managed PostgreSQL database hosted in the European Union. The application itself runs on Fly.io infrastructure in the Frankfurt, Germany region.
We use Resend as our email delivery provider to send approval notifications. When we send you an email, your email address and the message body are transmitted to Resend. See Resend's privacy notice for details of how they handle this data.
We use GoatCounter for aggregate site analytics on codatus.com. GoatCounter records page-view counts, the country a visit came from, the referrer URL, and basic browser/screen information. It sets no cookies, does not store IP addresses (the IP is used briefly for country lookup and discarded), and does not track visitors across sessions or sites.
We use Kit (operated by ConvertKit, Inc., headquartered in the United States) as our newsletter subscription and email delivery provider. When you subscribe, your email address and the metadata of your interaction (subscribed-at and confirmed-at timestamps, applied tags) are transmitted to and stored by Kit. We rely on Standard Contractual Clauses for the transfer to the United States. See Kit's privacy policy and Kit's data processing agreement for details.
Mail sent to addresses at our newsletter sending subdomain (for example, hello@email.codatus.com) is received and forwarded to our operational inbox via ImprovMX. ImprovMX briefly handles the contents of forwarded messages in transit. See ImprovMX's privacy policy for details.
5. How long we keep your data
When you uninstall the Codatus GitHub App, we immediately mark your installation as deleted. You lose access to that installation's reports and no further scans can be initiated for it. Reinstalling the app creates a new, independent installation and a fresh scan. We currently retain your deleted installation record and past scan reports indefinitely for operational reasons.
We also retain captured notification emails (from sign-in for approval alerts) and feedback submissions indefinitely unless you ask us to delete them.
Newsletter subscriber email addresses are retained until you unsubscribe. Every newsletter we send includes a one-click unsubscribe link. You can also unsubscribe at any time by emailing hello@codatus.com.
You may request permanent deletion of any of your records at any time by emailing hello@codatus.com.
6. GitHub's role
Codatus is a GitHub App. GitHub is the primary data controller for your GitHub account, organization, and repositories. Please also review GitHub's Privacy Statement. You can review and revoke Codatus's permissions at any time in your GitHub organization's Installed GitHub Apps settings.
7. Your rights
If you are in the European Economic Area, United Kingdom, or a jurisdiction with similar laws, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data (in most cases, uninstalling the GitHub App achieves this).
- Object to or restrict processing.
- Request data portability.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email hello@codatus.com.
8. Security
We protect your data with industry-standard practices: TLS for all network traffic, access controls on the database, and principle-of-least-privilege on our GitHub App permissions (read-only on repository metadata, write only on issues you explicitly ask us to create).
9. Changes to this policy
We may update this policy from time to time. When we do, we'll update the "Effective date" above and, for material changes, notify active installations via a GitHub issue or notice on this page.
10. Contact
Questions? Email hello@codatus.com.