Privacy Policy
Last updated: July 5, 2026
Your privacy matters. This policy describes what data CodeCheck collects, how we use it, who we share it with, and the rights you have over your personal data.
01Overview
This Privacy Policy explains how Dealer OS LLC(“we,” “us,” or “our”), the operator of CodeCheck, collects, uses, discloses, and protects personal data when you use the Service. It also describes your privacy rights, including under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended (CCPA/CPRA).
For the purposes of the GDPR, Dealer OS LLCis the “data controller” of personal data processed about account holders.
02Data we collect
We collect the following categories of data:
- Account data — email address and authentication identifiers, managed through our authentication provider (Supabase). If you sign in with GitHub or Google, we receive basic profile information from that provider.
- Scan data — the domains, URLs, and targets you submit for scanning, and the scan results, findings, and reports we generate. Scan data may incidentally include technical details about the systems you test.
- Payment data — billing status, plan, and transaction metadata. Payments are processed by Stripe; we do not receive or store full payment card numbers.
- Usage and device data — log data, IP address, browser type, pages viewed, and interactions, collected automatically and via cookies.
- Communications — messages you send us (for example, support requests).
03How we use your data
We use personal data to:
- provide, operate, secure, and maintain the Service;
- authenticate you and manage your account;
- run scans and generate reports and AI-assisted guidance;
- process payments and manage subscriptions;
- communicate with you about your account, security, and service updates;
- monitor for abuse, enforce our terms, and comply with legal obligations;
- improve and develop the Service.
04Legal bases for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases:
- Contract — to provide the Service you request and manage your account and payments.
- Legitimate interests — to secure and improve the Service, prevent abuse, and communicate with you, balanced against your rights.
- Consent — for non-essential cookies and any optional marketing; you may withdraw consent at any time.
- Legal obligation — to comply with applicable laws.
05Service providers and sharing
We do not sell your personal data. We share data with trusted third-party processors who act on our instructions:
- Supabase — authentication and database hosting.
- Stripe — payment processing and billing.
- Anthropic — AI processing to generate remediation reports (scan-related content may be transmitted to generate output).
- Hosting and infrastructure providers — to run and deliver the Service.
We may also disclose data to comply with law, enforce our agreements, protect rights and safety, or in connection with a merger, acquisition, or sale of assets.
07Data retention
We retain personal data for as long as your account is active and as needed to provide the Service, then for as long as necessary to comply with legal obligations, resolve disputes, and enforce our agreements. You may request deletion as described below; some data may be retained where we have a legal basis or obligation to do so.
08Data security
We implement reasonable technical and organizational measures designed to protect personal data, including encryption in transit and access controls. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
09International data transfers
We are based in the United States and our providers may process data in the United States and other countries. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses where required.
10Your GDPR rights
If you are in the EEA, UK, or Switzerland, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”);
- restrict or object to certain processing;
- data portability;
- withdraw consent at any time;
- lodge a complaint with your local data protection authority.
To exercise these rights, contact us at bekzod@dealer-os.io.
11Your California rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, use, and disclose; to request deletion or correction; and to opt out of the “sale” or “sharing” of personal information. We do not sell your personal information. You will not be discriminated against for exercising these rights.
To submit a request, contact us at bekzod@dealer-os.io. We may need to verify your identity before responding.
12Children's privacy
The Service is not intended for individuals under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
13Breach notification
In the event of a personal data breach that is likely to result in a risk to your rights, we will notify affected users and relevant authorities as required by applicable law.
14Changes to this policy
We may update this Privacy Policy from time to time. We will update the “Last updated” date and, for material changes, provide additional notice where appropriate.
15Contact us
For privacy questions or to exercise your rights, contact Dealer OS LLC at bekzod@dealer-os.io.