1. Who we are
Claudit ("we", "us", "our") operates the website at claudit.consulting. We are the data controller for personal data processed through this service.
For privacy inquiries, contact us at privacy@claudit.consulting.
2. Data we collect
We collect the following categories of personal data:
- Account data — name, email address, and hashed password when you create an account. If you sign in with GitHub or Google, we receive your name, email, and profile picture from the provider.
- Audit data — code snippets or website URLs you submit for analysis, and the AI-generated audit reports. Audit results are stored in your account history.
- Usage data — pages visited, audit counts, and scores displayed on your dashboard. We do not use third-party analytics trackers.
- Technical data — IP address (anonymized in logs), browser type, and device information transmitted automatically with every HTTP request.
3. How we use your data
- Provide the service — your submitted code or URL is sent to Anthropic's Claude API for AI analysis. Results are streamed back to you and stored in your account. Lawful basis: performance of a contract (GDPR Art. 6(1)(b)).
- Account management — authentication, password resets, and email verification. Lawful basis: performance of a contract.
- Security — rate limiting, abuse prevention, and CSP violation monitoring. Lawful basis: legitimate interests (GDPR Art. 6(1)(f)).
4. Third-party processors
We share data with the following processors, each under a Data Processing Agreement:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Anthropic | Code analysis | Submitted code/URLs | United States |
| Supabase | Database hosting | Account data, audit history | EU (Frankfurt) |
| Railway | Application hosting | Request metadata (IP, headers) | United States |
For US-based processors, transfers are governed by EU Standard Contractual Clauses (SCCs). Anthropic's API is configured to not use submitted data for model training.
5. Data retention
- Account data — retained for the duration of your account, plus 30 days after deletion.
- Audit results — retained for the duration of your account. You can delete individual audits from your history.
- Session data — expires after 30 days of inactivity.
- Server logs — anonymized IP addresses retained for 30 days, then deleted.
- Submitted code — forwarded to Anthropic for analysis; we store only a truncated copy (the first 10,000 characters) alongside your audit record. Anthropic does not retain API inputs beyond its standard processing window.
6. Your rights
Under GDPR, CCPA/CPRA, and applicable privacy laws, you have the right to:
- Access your personal data — view your data on the Dashboard, or request a full export.
- Rectify inaccurate data — update your name in Settings.
- Delete your account and all associated data — use the "Delete Account" option in Settings. Deletion is completed within 30 days.
- Export your data — audit reports can be downloaded as Markdown or JSON.
- Object to processing based on legitimate interests.
- Restrict processing while a dispute is being resolved.
- Withdraw consent at any time where consent is the lawful basis.
To exercise any right, email privacy@claudit.consulting. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
7. Cookies and local storage
We use only essential cookies and browser storage:
- Session cookie — authenticates your login session. Essential, no consent required.
- Theme preference — stored in localStorage (never sent to the server). Not a cookie.
- Audit history — recent audit results cached in localStorage so they remain viewable offline. The cache is a local copy and is never sent to the server; the server-side copy is the audit history in your account.
We do not use analytics cookies, advertising trackers, or any third-party tracking scripts.
8. Security measures
- All data transmitted over HTTPS with TLS 1.3.
- Content Security Policy with per-request nonces to prevent XSS.
- Passwords hashed with bcrypt; never stored in plaintext.
- Two-factor authentication (TOTP) available for all accounts.
- Database encrypted at rest with daily backups.
- Rate limiting on all API endpoints.
- IP addresses anonymized before logging.
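Two of the measures above (per-request CSP nonces and IP anonymization before logging) are illustrated below. This is an added example for readers, not Claudit's own code: the truncation widths (/24 for IPv4, /48 for IPv6), the header field names and the log-line format are assumptions chosen for the illustration.

```python
import ipaddress
import secrets

# Assumed anonymization widths: keep the network portion, drop the host bits.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymize_ip(ip_str: str) -> str:
    """Return a truncated form of the client IP suitable for logging.

    Handles IPv4, IPv6 and IPv4-mapped IPv6 (e.g. ::ffff:203.0.113.77, which
    proxies often pass through); the mapped form is unwrapped first so it is
    truncated like a plain IPv4 address. Raises ValueError on malformed input
    so a bad value is never written to the log verbatim.
    """
    addr = ipaddress.ip_address(ip_str.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def log_line(client_ip: str, method: str, path: str) -> str:
    """Build the access-log record; the raw IP never reaches this string."""
    try:
        shown = anonymize_ip(client_ip)
    except ValueError:
        shown = "invalid-ip"
    return f"{shown} {method} {path}"


def make_nonce() -> str:
    """128-bit random nonce, freshly generated for every request."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value allowing only same-origin and nonced scripts."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


def script_tag(nonce: str, src: str) -> str:
    """Inline the per-request nonce on a script tag so the CSP admits it."""
    return f'<script nonce="{nonce}" src="{src}"></script>'


def handle_request(client_ip: str, method: str, path: str) -> dict:
    """Assumed per-request flow: anonymized log entry plus CSP with a fresh nonce."""
    nonce = make_nonce()
    return {
        "log": log_line(client_ip, method, path),
        "Content-Security-Policy": csp_header(nonce),
        "nonce": nonce,
    }


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    for ip in ("203.0.113.77", "2001:db8:abcd:1234::1", "::ffff:203.0.113.77", "not-an-ip"):
        print(handle_request(ip, "GET", "/dashboard")["log"])
    r = handle_request("203.0.113.77", "GET", "/")
    print(r["Content-Security-Policy"])
    print(script_tag(r["nonce"], "/static/app.js"))
```

The nonce must be regenerated on every response and never reused or cached in a CDN, otherwise an attacker who observes one response can craft a script that satisfies the policy.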
9. Submitted code and PII
Source code you submit for auditing may contain personal data (names, emails, API keys, internal identifiers). Remove credentials and sensitive data before submitting code for analysis. Anything you submit is forwarded to Anthropic and its first 10,000 characters are kept with your audit record, so treat any credential you do submit as exposed and rotate it.
Submitted code is forwarded to Anthropic's Claude API for analysis. Anthropic processes this data under their API terms and does not use it for model training. We store only a truncated snippet (first 10,000 characters) alongside your audit record for reference.
10. Children
Claudit is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the most recent revision.