Privacy Policy
Last Updated: March 2026
1. Information We Collect
ERPeek Inc. ("ERPeek," "we," "us," or "our") collects information necessary to provide and improve the ERPeek service in accordance with applicable privacy laws, including the European General Data Protection Regulation ("GDPR"), Quebec's Act Respecting the Protection of Personal Information in the Private Sector as amended by Law 25 ("Law 25"), and the California Consumer Privacy Act ("CCPA"). This includes:
- Account data: When you sign up via GitHub or Google OAuth, we receive your name, email address, and profile identifiers from the authentication provider. For email/password registration, we store your name, email, and a hashed version of your password.
- Repository metadata: When you connect a GitHub repository, we receive repository names, structure, and commit information to enable indexing.
- Code data: We index the source code from repositories you authorize to power semantic search and AI answers. See Section 3 for details.
- Usage data: We collect information about how you use the Service, including queries, feature usage, session identifiers, and performance metrics, to operate and improve the platform.
- Payment data: Payment processing is handled by Stripe. We do not store full credit card numbers; we receive only transaction identifiers and billing metadata.
- Communications: If you contact us for support, we retain the content of those communications to resolve your request.
2. How We Use Your Information
We use the information we collect to: provide, operate, and maintain the Service; process your queries and return AI-generated answers; index and analyze your code for search; manage your account and authenticate you; process payments and send transactional communications; improve our models and product; detect and prevent abuse; and comply with legal obligations.
Legal bases for processing (GDPR / Law 25): We process your personal information on the following legal bases: (a) performance of a contract — to provide the Service you have subscribed to; (b) legitimate interests — to improve the Service, detect abuse, and maintain security; (c) legal obligation — to comply with applicable laws; and (d) consent — where we explicitly request it for optional features.
We do not sell your personal information. We do not use your code or prompts to train general-purpose AI models. Your code is processed only to serve your requests within the Service.
3. Code & Repository Data
When you connect a GitHub repository, we index the source code (Python, XML, JavaScript, and other supported formats) to enable semantic search and AI-powered Q&A. Indexed data includes file contents, structure, and metadata. We store this data in isolated project-specific indexes; your code is not shared with other users or combined with other projects.
Code and prompts are sent to AI providers (e.g., Anthropic for language models, OpenAI for embeddings) solely to generate answers. These providers process data under data processing agreements that prohibit using your data to train their general models. You can disconnect repositories at any time; we will delete indexed data within 30 days of disconnection.
4. Third-Party Services & International Transfers
We use the following third-party service providers. Each has its own privacy policy governing its handling of data. Some of these providers are located outside of Canada or the EEA; where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses or equivalent safeguards):
- Stripe (USA): Payment processing. Card details are handled by Stripe; we receive only transaction and customer identifiers.
- GitHub (USA): OAuth authentication and repository access. We request only the scopes needed to read repository contents you authorize.
- Google (USA): OAuth authentication. We receive your email and name for account creation.
- Anthropic (USA): AI language model processing for generating answers. Data is processed per their API terms and data processing agreements.
- OpenAI (USA): Embedding models for semantic search. Data is processed per their API terms and data processing agreements.
- Amazon Web Services (USA): Cloud infrastructure and hosting. Our servers are hosted on AWS.
- Qdrant: Vector database for storing code embeddings that power semantic search. Embeddings are stored in project-isolated collections on our self-hosted infrastructure.
We select providers that commit to appropriate data handling practices. We do not control their policies; we encourage you to review them.
5. Data Retention
We retain your personal information only as long as necessary for the purposes described in this Policy or as required by law:
- Account data: Retained while your account is active; deleted within 30 days of account deletion request.
- Indexed code and embeddings: Retained while the repository is connected; deleted within 30 days of disconnection or account deletion.
- Query and conversation history: Retained for 12 months, then deleted or anonymized.
- Payment records: Retained for 7 years as required by tax and accounting laws.
- Security and audit logs: Retained for 12 months.
- Support communications: Retained for 2 years.
We may retain certain data longer where required by law, for dispute resolution, or to enforce our agreements.
6. Your Rights (GDPR / Quebec Law 25 / CCPA)
Depending on your location, you have the following rights regarding your personal information. All requests should be submitted to privacy@erpeek.ai. We will respond within 30 days as required by GDPR and Quebec Law 25.
- Right of access (Art. 15 GDPR / Law 25 s.37): Request a copy of the personal information we hold about you, including the categories of data, the purposes of processing, and who it has been shared with.
- Right to rectification (Art. 16 GDPR / Law 25 s.40): Request correction of inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17 GDPR / Law 25 s.40): Request deletion of your personal information, subject to legal retention requirements.
- Right to data portability (Art. 20 GDPR / Law 25 s.37): Request a machine-readable export of personal information you provided to us, so you can transfer it to another service.
- Right to object / restriction (Art. 18-21 GDPR): Object to or request restriction of processing in certain circumstances, including for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint: You may lodge a complaint with your supervisory authority. In Quebec: Commission d'accès à l'information (CAI). In the EU: your national data protection authority.
- California residents (CCPA): You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. You may designate an authorized agent to make requests on your behalf.
8. Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and secure development practices. Access to production data is restricted to authorized personnel on a need-to-know basis. We regularly assess and update our security practices.
In the event of a personal data breach, we will notify affected individuals and relevant supervisory authorities within the timeframes required by law (72 hours under GDPR; promptly under Quebec Law 25 when there is a risk of serious injury).
9. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at privacy@erpeek.ai and we will take steps to delete it.
10. Changes & Contact
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. For material changes affecting how we process personal information, we will provide at least 30 days' notice where required by law. Your continued use of the Service after such changes constitutes acceptance of the revised policy.
For questions about this Privacy Policy or our data practices, or to exercise your rights, contact our Privacy Officer at: privacy@erpeek.ai
ERPeek Inc.
Montréal, Québec, Canada

