Privacy Policy

Last updated: March 2026

What happens to your code, step by step

1You paste code or enter a URL in your browser. Nothing leaves your device until you click Run audit.
2Your code is wrapped in structured prompts on our server and sent to Anthropic's Claude API over HTTPS (TLS 1.3). No other third party sees your code.
3Claude analyzes the code and streams findings back. Anthropic does not retain API inputs for model training — confirmed in their privacy policy and model card.
4Results stream to your browser. If you're signed in, the report is saved to your dashboard. Your submitted code is not stored on our servers — only the audit report output.
5You can delete any audit from your history at any time. Account deletion removes all associated data within 30 days.

1. Who we are

Claudit ("we", "us", "our") operates the website at claudit.consulting. We are the data controller for personal data processed through this service.

For privacy inquiries, contact us at privacy@claudit.consulting.

2. Data we collect

We collect the following categories of personal data:

Account data — name, email address, and hashed password when you create an account. If you sign in with GitHub or Google, we receive your name, email, and profile picture from the provider.
Audit data — code snippets or website URLs you submit for analysis, and the resulting audit reports. Audit results are stored in your account history.
Usage data — pages visited, audit counts, and scores displayed on your dashboard. We do not use third-party analytics trackers.
Technical data — IP address (anonymized in logs), browser type, and device information transmitted automatically with every HTTP request.

3. How we use your data

Provide the service — your submitted code or URL is sent to Anthropic's Claude API for analysis. Results are streamed back to you and stored in your account. Lawful basis: performance of a contract (GDPR Art. 6(1)(b)).
Account management — authentication, password resets, and email verification. Lawful basis: performance of a contract.
Security — rate limiting, abuse prevention, and CSP violation monitoring. Lawful basis: legitimate interests (GDPR Art. 6(1)(f)).

4. Third-party processors

We share data with the following processors, each under a Data Processing Agreement:

Processor	Purpose	Data shared	Location
Anthropic	Code analysis	Submitted code/URLs	United States
Supabase	Database hosting	Account data, audit history	EU (Frankfurt)
Railway	Application hosting	Request metadata (IP, headers)	United States

For US-based processors, transfers are governed by EU Standard Contractual Clauses (SCCs). Anthropic's API is configured to not use submitted data for model training.

5. Data retention

Account data — retained for the duration of your account, plus 30 days after deletion.
Audit results — retained for the duration of your account. You can delete individual audits from your history.
Session data — expires after 30 days of inactivity.
Server logs — anonymized IP addresses retained for 30 days, then deleted.
Submitted code — sent to Anthropic for analysis and not stored on our servers beyond the truncated input saved with your audit record. Anthropic does not retain API inputs beyond their standard processing window.

6. Your rights

Under GDPR, CCPA/CPRA, and applicable privacy laws, you have the right to:

Access your personal data — view your data on the Dashboard, or request a full export.
Rectify inaccurate data — update your name in Settings.
Delete your account and all associated data — use the "Delete Account" option in Settings. Deletion is completed within 30 days.
Export your data — audit reports can be downloaded as Markdown or JSON.
Object to processing based on legitimate interests.
Restrict processing while a dispute is being resolved.
Withdraw consent at any time where consent is the lawful basis.

To exercise any right, email privacy@claudit.consulting. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

7. Cookies and local storage

We use only essential cookies and browser storage:

Session cookie — authenticates your login session. Essential, no consent required.
Theme preference — stored in localStorage (never sent to the server). Not a cookie.
Audit history — recent audit results cached in localStorage for offline access. Not transmitted to the server.

We do not use analytics cookies, advertising trackers, or any third-party tracking scripts.

8. Security measures

All data transmitted over HTTPS with TLS 1.3.
Content Security Policy with per-request nonces to prevent XSS.
Passwords hashed with bcrypt; never stored in plaintext.
Two-factor authentication (TOTP) available for all accounts.
Database encrypted at rest with daily backups.
Rate limiting on all API endpoints.
IP addresses anonymized before logging.

9. Submitted code and PII

Source code you submit for auditing may contain personal data (names, emails, API keys, internal identifiers). We recommend removing credentials and sensitive data before submitting code for analysis.

Submitted code is forwarded to Anthropic's Claude API for analysis. Anthropic processes this data under their API terms and does not use it for model training. We store only a truncated snippet (first 10,000 characters) alongside your audit record for reference.

10. Children

Claudit is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the most recent revision.

Questions?

Contact our privacy team at privacy@claudit.consulting.