Privacy Policy

Last updated: April 23, 2026

This Privacy Policy explains how We6 Oy ("CodeChamp", "we", "us") collects, uses, shares, and protects personal data in connection with the CodeChamp website at codechamp.app, the hosted application at app.codechamp.app, and related services (the "Service"). It applies to visitors, account holders, developers on connected GitHub organizations, and people who contact us. Capitalized terms not defined here have the meaning given in our Terms of Service.

1. Our Privacy Principles

  • We store the minimum data needed to run the Service.
  • We never persist your source code, pull-request bodies, commit messages, or repository file contents.
  • Your GitHub access token is held in your authenticated session, not written to our database.
  • We do not sell personal data and we do not use it to train machine-learning models.

2. Data We Collect

a. Account and authentication data

When you sign in with GitHub, we receive identity information from GitHub based on the OAuth scopes you approve: your GitHub user ID, username, display name, avatar URL, and primary email address. We use this to create your CodeChamp account and identify you on leaderboards and badges.

b. GitHub activity data

To compute scores and badges, CodeChamp reads pull-request metadata from the GitHub API on your connected organizations, including: PR numbers, authors, reviewers, review states, review timestamps, inline-comment counts, and line counts. We derive scores and badge state from this data and store only the derived values along with the minimum identifiers required to attribute them (for example, GitHub user IDs and PR numbers).

We do not store pull-request titles or bodies, commit messages, diffs, file contents, branch names, or repository contents.

c. Slack integration data

If an Admin connects Slack, we store the workspace identifier, the channel selected for digest delivery, and the OAuth token needed to post digest messages. We do not read messages from your Slack workspace.

d. Billing data

Payments are processed by Stripe. We do not receive or store full payment-card numbers. We store subscription status, plan, billing-cycle information, and the Stripe customer and subscription identifiers. Stripe processes your payment data under its own privacy policy.

e. Support and communications

When you contact us by email or through support channels, we receive your email address, message content, and any attachments you send.

f. Technical and usage data

We collect standard server logs (IP address, user agent, request path, timestamps, status codes) and limited product-usage events (for example, which pages loaded, what actions were taken). This is used for security, debugging, abuse prevention, and aggregate product analytics.

g. Cookies and local storage

We use strictly necessary cookies and local-storage entries to keep you signed in and to remember basic preferences. We do not use third-party advertising cookies. If we introduce analytics cookies that require consent in your region, we will ask first.

3. How We Use Data

  • To operate the Service — compute scores, award badges, run the leaderboard, post weekly digests.
  • To authenticate you and keep your session secure.
  • To take payment, manage subscriptions, and send billing emails.
  • To respond to support requests, legal requests, and account communications.
  • To monitor for abuse, security incidents, and rate-limit violations.
  • To improve the Service through aggregated, de-identified analytics.
  • To comply with legal obligations and enforce our Terms.

4. Legal Bases (EEA, UK, Swiss Users)

Where GDPR or equivalent laws apply, we process personal data on one or more of the following bases:

  • Contract: to provide the Service you or your organization signed up for.
  • Legitimate interests: to secure the Service, prevent abuse, and improve our product, balanced against your rights.
  • Legal obligation: to comply with tax, accounting, and other legal requirements.
  • Consent: for optional processing such as marketing emails, where we ask first and you can withdraw at any time.

5. How We Share Data

We share personal data only in these circumstances:

  • With sub-processors that help us run the Service, listed in Section 6.
  • Within your organization: leaderboard, badge, and profile data is visible to other authorized users of the same CodeChamp workspace.
  • For legal reasons: where required by law, subpoena, or to protect our rights, users, or the public.
  • In corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

We do not sell personal data and we do not share it for cross-context behavioral advertising.

6. Sub-processors

We currently use the following providers to operate the Service:

Provider      Purpose                                        Location
Vercel        Web and API hosting, scheduled jobs            USA / global
Supabase      Primary database (Postgres), authentication    USA / EU
GitHub        OAuth sign-in and source activity data         USA
Slack         Weekly digest delivery (opt-in)                USA
Stripe        Subscription payments and invoicing            USA / global
Amazon SES    Transactional and account emails               EU

Each sub-processor is bound by a data-processing agreement or equivalent contractual protections and processes personal data only to provide the service we engage them for.

7. International Transfers

Personal data may be processed in countries other than the one in which you reside, including the United States. Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the Standard Contractual Clauses. You may contact us for a copy of the relevant safeguards.

8. Data Retention

  • Derived scores, badges, and configuration: kept while your workspace is active and for up to 90 days after deletion, after which they are permanently removed.
  • Billing records: retained for the period required by applicable tax and accounting law (typically 7 years).
  • Server and security logs: retained for up to 90 days, or longer if needed to investigate a specific incident.
  • Support communications: kept while needed to handle your request and for a reasonable period thereafter.

9. Your Rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. You may also have the right to lodge a complaint with your local data-protection authority. To exercise any of these rights, email support@codechamp.app. We will respond within the timeframes required by applicable law.

If CodeChamp is used by your employer or another organization, some rights are directed to that organization as the controller of the underlying data; we will forward requests to them where appropriate.

10. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS), encryption at rest for our database, least-privilege access controls, and audit logging. No method of transmission or storage is 100% secure. If we become aware of a breach that affects your personal data, we will notify you and the relevant authorities as required by law.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. U.S. State-Specific Rights

Residents of California, Colorado, Connecticut, Virginia, and other U.S. states with comprehensive privacy laws may have additional rights, including the right to know, delete, correct, and opt out of sale or sharing and of certain targeted advertising. We do not sell personal information or engage in cross-context behavioral advertising. To exercise your rights, email support@codechamp.app.

13. Controller vs. Processor

For data about CodeChamp visitors and individual account holders, CodeChamp acts as a data controller. When CodeChamp processes data from a connected GitHub organization on behalf of that organization, the organization is the controller and CodeChamp is a processor; a data-processing addendum is available on request.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice, for example by email or an in-product notice. The "Last updated" date at the top of this page reflects the most recent change.

15. Contact

Privacy questions and requests: support@codechamp.app.

We6 Oy (Business ID 3372389-7)
Helsinki, Finland