Velox.ai (“we”, “our”, “the Service”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.
2. Information We Collect
We collect the following categories of personal data:
Authentication data: GitHub/Bitbucket usernames, OAuth tokens (encrypted at rest), and avatar URLs obtained during the OAuth flow.
Session data: Session identifiers, login timestamps, and session expiry information stored with hashed tokens (SHA-256).
Audit logs: Pseudonymized records of API requests and security events for compliance monitoring. User identifiers and IP addresses are one-way hashed before storage.
Code & repository data: Repository metadata, pull request information, and code diffs processed temporarily for analysis. No code is permanently stored after analysis completes.
MFA configuration: Encrypted TOTP secrets for users who enable multi-factor authentication.
3. How We Use Your Information
To authenticate you and maintain your session
To provide code review and analysis services
To maintain security audit trails for SOC 2 compliance
To enforce rate limiting and prevent abuse
To improve the Service (only with your consent)
4. Data Protection Measures
We implement industry-standard security controls including:
AES-256 / Fernet encryption for tokens and secrets at rest
SHA-256 hashing for session tokens
Pseudonymization of personal identifiers in audit logs (salted SHA-256)
TLS encryption for all data in transit
Role-based access controls and session timeout enforcement
Rate limiting to prevent brute-force attacks
5. Data Retention
We retain your data only as long as necessary:
Audit logs: 90 days
Session data: 30 days
OAuth tokens: 30 days
Pipeline and analysis results: 90 days
Production watch sessions: 60 days
Expired data is automatically purged by our data retention system.
6. Your Rights (Right to Erasure)
You have the right to request deletion of all your personal data. You can do this by:
Using the self-service deletion API endpoint (POST /api/privacy/delete-my-data)
Upon request, we delete your sessions, OAuth tokens, MFA configuration, and pseudonymized audit log entries. Deletion requests via the API are processed immediately.
7. Cookies & Consent
We use essential cookies for authentication and session management. Optional analytics cookies are only used with your explicit consent. You can manage your cookie preferences at any time using the consent banner or in your account settings.
8. Third-Party Services
The Service integrates with GitHub and Bitbucket via their respective OAuth APIs. When you authenticate, you grant the Service access to your repositories according to the OAuth scopes requested. We do not share your data with other third parties.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service interface. Your continued use of the Service constitutes acceptance of any updated policy.
10. Contact Us
For questions or concerns about this Privacy Policy or your personal data, please contact us at privacy@velox.ai.