Patchhog

Privacy Policy

Protecting your personal data is important to us. Below, we inform you in accordance with the General Data Protection Regulation (GDPR) about the processing of personal data when using Patchhog.

1. Controller

Controller within the meaning of Art. 4 No. 7 GDPR:
Jaden Dahm, Sefferweg 13, 54657 Neidenbach, Germany
Email: support@patchhog.dev

2. General Information on Data Processing

We process personal data only to the extent necessary to provide a functioning service. The legal bases are, in particular, Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest) and Art. 6(1)(a) GDPR (consent), where given.

3. Hosting (Vercel)

Our application is hosted by Vercel Inc. (USA). When the application is accessed, technically necessary server log data is processed (including IP address, time, requested URL, browser type). The legal basis is Art. 6(1)(f) GDPR; the transfer to the USA takes place on the basis of the EU Standard Contractual Clauses.

4. Authentication and Database (Supabase)

For account management, authentication and data storage we use Supabase, Inc. (USA). Account data (e.g. email, authentication tokens) and the data generated within the Service (connected repositories, scan results, findings) are stored there. Legal basis: Art. 6(1)(b) GDPR.

5. Payment Processing (Stripe)

Paid subscriptions are processed via Stripe Payments Europe, Ltd. (Ireland). The data required for payment is processed directly by Stripe; we do not store complete payment data. Legal basis: Art. 6(1)(b) GDPR. Further information: stripe.com/privacy.

6. Sign-in and Repository Access (GitHub)

Sign-in takes place via GitHub, Inc. (USA) using OAuth. We receive the permissions required for the functionality in order to read repositories on your behalf, set commit statuses and — where triggered by you — create pull requests or commits. Legal basis: Art. 6(1)(b) GDPR.

7. Security Scans (Processing of Source Code)

For the security analysis, the source code of your connected repositories is temporarily transmitted to our scan service and processed only for the duration of the respective scan. The code is not stored permanently and is not used for training purposes. Only the results (findings) are stored, including file/line references and a short code excerpt. Legal basis: Art. 6(1)(b) GDPR.

8. Cookies and Local Storage

We use only technically necessary cookies and comparable technologies (e.g. to maintain the sign-in session as well as a service worker for the progressive-web-app functionality). Legal basis: Art. 6(1)(f) GDPR. No tracking for advertising purposes takes place.

9. Storage Period

Personal data is deleted as soon as the purpose no longer applies and no statutory retention obligations stand in the way. Scan results are retained while your account is active; we keep up to the 100 most recent scans per repository, and older scans (together with their findings) are deleted automatically. After deletion of your account, the associated data is removed unless a statutory retention obligation exists.

10. Your Rights

You have the following rights:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent given, with effect for the future

11. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular at your place of residence, place of work or the place of the alleged infringement.

12. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy so that it complies with current legal requirements.

Last updated: May 2026

© 2026 Patchhog