Privacy Policy for Diffgraph

Effective Date: November 3, 2025
Last Updated: November 3, 2025

This Privacy Policy describes how Tijs Martens ("we," "us," "our," or "Diffgraph") collects, uses, shares, and protects personal data when you use the Diffgraph GitHub application (the "Service"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other worldwide privacy regulations.

1. Controller Information

Data Controller:
Tijs Martens (Personal Account)
Email: tijs@rodi-digital.com

For privacy-related inquiries, please contact us at the email address above.

2. Data We Collect

2.1 GitHub Data

When you install and authorize Diffgraph, we collect and process the following data from your GitHub repositories:

  • Repository Information: Organization names, repository names, repository metadata
  • Pull Request Data: Pull request diffs, code changes, file structures, commit metadata
  • Developer Information: GitHub usernames, commit author names and emails, contributor information (as contained in commit history and code comments)
  • Code Content: Source code diffs necessary to generate architectural visualizations

2.2 Account and Authentication Data

  • GitHub account identifiers and authentication tokens
  • GitHub organization membership information
  • Email address associated with your GitHub account
  • User preferences and application settings

2.3 Billing Information

For paid subscriptions, we collect payment information through Stripe, including:

  • Name and billing address
  • Payment method information (processed and stored by Stripe, not by us)
  • Transaction history and invoice records

2.4 Analytics and Usage Data

Through PostHog, we automatically collect:

  • Application usage patterns and feature interactions
  • Session data and user journey information
  • Device and browser information
  • IP addresses and general location data (country/region level)
  • Error logs and diagnostic information

2.5 Technical and Log Data

  • Server logs and access records
  • API usage data and rate limiting information
  • Security and fraud prevention data

3. How We Use Your Data

3.1 Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract Performance: To provide the Service you've subscribed to, including analyzing code diffs and generating architectural diagrams
  • Legitimate Interests: To improve our Service, ensure security, prevent fraud, and communicate with you about the Service
  • Consent: For analytics cookies and optional features (where required by law)
  • Legal Obligations: To comply with applicable laws, regulations, and legal processes

3.2 Purposes of Processing

We use your data to:

  • Provide Core Service: Analyze pull request code changes and generate Mermaid diagrams showing architectural impact
  • Service Operations: Authenticate users, manage subscriptions, and maintain Service functionality
  • Billing and Payments: Process payments, issue invoices, and manage subscriptions through Stripe
  • Service Improvement: Analyze usage patterns to improve features and user experience
  • Communication: Send Service-related notifications, billing communications, and respond to support requests
  • Security: Detect and prevent fraud, abuse, and security threats
  • Legal Compliance: Comply with legal obligations, enforce our Terms, and protect our rights

Important: We do not use your code or repository data to train machine learning models, provide services to third parties, or for any purpose beyond providing the Diffgraph Service to you.

4. Data Sharing and Recipients

4.1 Third-Party Service Providers

We share data with the following subprocessors who provide essential services:

PostHog (Analytics) - United States

Purpose: Product analytics and usage tracking

Data Shared: Usage patterns, session data, user identifiers

Privacy Policy: https://posthog.com/privacy

Safeguards: SOC 2 Type II, ISO 27001, GDPR compliant, EU-U.S. Data Privacy Framework certified

Stripe (Payment Processing) - United States

Purpose: Payment processing and billing management

Data Shared: Name, email, billing address, payment information

Privacy Policy: https://stripe.com/privacy

Safeguards: SOC 2 Type II, ISO 27001, PCI-DSS compliant, EU-U.S. Data Privacy Framework certified

MongoDB Atlas (Data Storage) - Customer-Selected Region

Purpose: Application database and data storage

Data Shared: All application data including repository information and user data

Privacy Policy: https://www.mongodb.com/legal/privacy-policy

Safeguards: SOC 2 Type II, ISO 27001, GDPR compliant, encryption at rest and in transit

Vercel (Hosting and Infrastructure) - United States

Purpose: Application hosting and deployment infrastructure

Data Shared: All transmitted data, application content

Privacy Policy: https://vercel.com/legal/privacy-policy

Safeguards: SOC 2, ISO 27001, EU-U.S. Data Privacy Framework certified

GitHub (Repository Access) - United States

Purpose: Access to repositories, pull requests, and code for analysis

Data Shared: Application authentication and API interactions

Privacy Policy: https://docs.github.com/privacy

Safeguards: SOC 2 Type II, ISO 27001, GDPR compliant, EU-U.S. Data Privacy Framework certified

4.2 Data Processing Agreements

We maintain written Data Processing Agreements with all subprocessors that comply with Article 28 GDPR requirements, including security obligations, sub-processor rules, and data deletion procedures.

4.3 Other Disclosures

We may disclose your data:

  • To comply with legal obligations, court orders, or regulatory requirements
  • To enforce our Terms of Service or protect our legal rights
  • In connection with a merger, acquisition, or sale of assets (with notice to you)
  • With your explicit consent for specific purposes

We do NOT:

  • Sell your personal data to third parties
  • Use your code or repository data for advertising
  • Share your data with third parties for their marketing purposes

5. International Data Transfers

Our Service processes data globally. Data may be transferred to and processed in the United States and other countries where our service providers operate.

5.1 Transfer Mechanisms

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs): EU-approved 2021 SCCs with all US-based processors
  • UK International Data Transfer Addendum: For UK data transfers
  • EU-U.S. Data Privacy Framework: Where service providers are certified
  • Supplementary Safeguards: Including encryption, access controls, and Transfer Impact Assessments

5.2 Data Residency Options

MongoDB Atlas allows selection of data storage regions. We store data in regions appropriate for our customer base and can accommodate specific regional requirements for enterprise customers.

6. Data Retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy:

  • Active Account Data: Retained while your account is active and the Service is in use
  • Code Analysis Data: Code diffs and architectural analysis retained for 90 days after processing, then automatically deleted
  • Account Information: Retained for 6 months after account closure to facilitate reactivation requests
  • Billing Records: Retained for 7 years to comply with tax and accounting regulations
  • Marketing Data: Retained for 2-3 years or until you unsubscribe
  • Security Logs: Retained for 12 months for security and fraud prevention

You may request earlier deletion of your data as described in Section 7.

7. Your Rights and Choices

7.1 Rights Under GDPR (EU/UK Residents)

You have the following rights regarding your personal data:

  • Right of Access: Obtain confirmation of whether we process your data and receive a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data when no longer necessary for our purposes (subject to legal retention requirements)
  • Right to Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
  • Right to Object: Object to processing based on legitimate interests
  • Right to Restriction: Request limitation of processing under certain circumstances
  • Right to Withdraw Consent: Withdraw consent for consent-based processing at any time
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority

Response Time: We will respond to requests within 30 days.

7.2 Rights Under CCPA (California Residents)

California residents have the right to:

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information (subject to exceptions)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (Note: We do not sell personal information)
  • Right to Non-Discrimination: Exercise privacy rights without discriminatory treatment

Response Time: We will respond to verifiable requests within 45 days.

7.3 How to Exercise Your Rights

To exercise any of these rights:

  • Email us at: tijs@rodi-digital.com
  • Use the data export and deletion tools in your account settings
  • For California residents, call toll-free: [To be added if CCPA applies]

We may require identity verification before processing requests.

7.4 Cookie and Analytics Preferences

You can manage your analytics preferences:

  • Adjust cookie settings in your browser
  • Opt out of PostHog analytics through your account preferences
  • Use Do Not Track browser settings (we honor DNT signals for analytics)

8. Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: TLS 1.2+ for data in transit, encryption at rest for stored data
  • Access Controls: Role-based access, multi-factor authentication for administrative access
  • Security Monitoring: Continuous monitoring for security threats and unauthorized access
  • Regular Audits: Annual security assessments and compliance reviews
  • Incident Response: Documented breach detection and response procedures
  • Secure Development: Security testing and code review practices

8.1 Data Breach Notification

In the event of a data breach affecting your personal data, we will:

  • Notify you within 72 hours of becoming aware of the breach (as required by GDPR)
  • Provide information about the nature of the breach and measures taken
  • Recommend steps you can take to protect yourself
  • Notify relevant supervisory authorities as required by law

9. Source Code as Personal Data

Important Notice: Source code and code diffs may constitute personal data when they contain or reveal:

  • Developer names and email addresses in commit history
  • Personal comments or identifiable information in code
  • Coding styles or patterns attributable to specific individuals
  • Work patterns revealed through commit timestamps

We treat all code data as potentially containing personal data and apply appropriate protections. However, you are responsible for ensuring you have the necessary rights and consents from all contributors whose code is analyzed by our Service.

10. Children's Privacy

The Service is not intended for individuals under 16 years of age (or 13 in certain jurisdictions). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.

11. Cookies and Tracking Technologies

We use the following categories of cookies:

  • Strictly Necessary Cookies: Required for Service operation (authentication, security)
  • Analytics Cookies: PostHog cookies for usage tracking and product analytics (requires consent in EU/UK)
  • Preference Cookies: Remember your settings and preferences

You can manage cookie preferences through:

  • Our cookie consent banner (displayed on first visit)
  • Your browser settings
  • Account preferences page

12. Business Transfers

If we are involved in a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will:

  • Post the updated Privacy Policy with a new "Last Updated" date
  • Notify you via email or in-app notification for material changes
  • Obtain your consent where required by law for material changes

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

14. Contact Information and Supervisory Authorities

Privacy Inquiries:
Email: tijs@rodi-digital.com

EU/UK Supervisory Authorities:
If you are located in the EU or UK and believe we have not adequately addressed your privacy concerns, you may lodge a complaint with your local data protection authority:

California Privacy Rights:
California residents may contact us using the information above or designate an authorized agent to make requests on their behalf.

15. Additional Information for Specific Jurisdictions

European Economic Area, United Kingdom, and Switzerland

This Privacy Policy complies with GDPR, UK GDPR, and the Swiss Federal Act on Data Protection. Data transfers are protected by Standard Contractual Clauses and supplementary measures.

California

This Privacy Policy serves as our notice at collection under the CCPA. We have disclosed our data collection, use, and sharing practices in the preceding 12 months as described in this Policy.

Other Jurisdictions

We comply with applicable privacy laws including PIPEDA (Canada), LGPD (Brazil), and the Privacy Act 1988 (Australia). If you have jurisdiction-specific questions, please contact us.