Data Privacy & Security

Privacy Policy

At VizRepo, data privacy is foundational to how we build and operate our platform. Your source code and intellectual property deserve strong, transparent protection.

Effective date: March 15, 2026 · Last updated: March 17, 2026

Zero Code Retention

Your source code is never stored in any database. Code is processed in ephemeral environments and automatically deleted after each scan.

AES-256 Encryption

All credentials and access tokens are encrypted with AES-256-GCM before storage. All connections are secured with TLS encryption.

GDPR-Aligned Practices

Built with GDPR principles in mind. Account and project deletion is immediate. Custom DPAs available for enterprise customers.

Immediate Data Deletion

When you delete a project or your account, all associated data — diagrams, scans, endpoints, and credentials — is permanently removed immediately.

1. Information We Collect

We collect the minimum data necessary to provide our service:

  • Account information: name, email address, and authentication provider ID when you create an account. Authentication (including passwords) is managed by Firebase Authentication and is never stored on our servers.
  • Repository metadata: repository URL, branch names, file paths, and commit SHAs — used solely to generate diagrams.
  • Access tokens: Git provider tokens are encrypted with AES-256-GCM before storage and are never logged or exposed in plaintext.
  • Usage analytics: we use Google Analytics with IP anonymization enabled to collect aggregated usage patterns. No personally identifiable information is shared with analytics providers.

2. How We Handle Your Source Code

This is the section most enterprise teams care about. Here is our commitment:

  • Source code is fetched from your repository into a temporary, isolated directory that exists only for the duration of a single scan. It is automatically deleted when the scan completes — whether it succeeds or fails.
  • We never persist your raw source code in any database, cache, or long-term storage.
  • Only the resulting structural metadata (endpoint signatures, control flow graphs, and diagram markup) is retained to render your diagrams.
  • Each scan operates in its own isolated temporary directory. No data is shared between scans or between users.
  • We do not use your code, metadata, or generated diagrams to train machine learning models.

3. Data Security

  • Encryption in transit: all connections between your browser, our API, and third-party services are encrypted with TLS.
  • Encryption at rest: all sensitive data, including Git provider tokens and OAuth credentials, is encrypted with AES-256-GCM before storage.
  • Credential management: access tokens are encrypted server-side and are never accessible in plaintext through our API or admin interfaces.
  • Authentication: user authentication is handled by Firebase Authentication (Google Cloud), supporting email/password, Google, and GitHub OAuth sign-in with industry-standard security.
  • Rate limiting: API endpoints are rate-limited to prevent abuse and ensure service availability for all users.
  • Infrastructure: hosted on cloud infrastructure with managed TLS, automatic deployments, and environment-level isolation.

4. Data Retention & Deletion

We retain your account data and generated diagrams for as long as your account is active. When you delete a project or your account:

  • All associated data — including diagrams, scan history, endpoints, metadata, and git connections — is permanently and immediately deleted. There is no grace period; deletion is irreversible.
  • Encrypted access tokens are deleted immediately upon repository disconnection or account deletion.
  • You can delete your account directly from the application at any time. You may also contact us at privacy@vizrepo.com to request complete data removal on your behalf.

5. Third-Party Services

We integrate with the following categories of third-party services:

  • Cloud infrastructure (Render): for hosting, compute, and application deployment.
  • Database (MongoDB Atlas): for storing account data, project metadata, and generated diagrams. All data is encrypted at rest by the provider.
  • Authentication (Firebase Authentication): for secure user sign-in via email/password, Google, and GitHub OAuth. We only receive the minimum profile data necessary.
  • Analytics (Google Analytics): with IP anonymization enabled. We collect aggregated usage data to improve the product. No PII is shared.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. Your Rights

Under GDPR and applicable privacy laws, you have the right to:

  • Access all personal data we hold about you.
  • Request correction of inaccurate data.
  • Delete your account and all associated data — directly from the application or by contacting us.
  • Request a copy of your data in a portable format.
  • Object to or restrict certain processing activities.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@vizrepo.com.

7. Cookies & Tracking

We use strictly necessary cookies for authentication and session management. We use Google Analytics with IP anonymization enabled for aggregated usage insights. We do not use cross-site advertising or remarketing cookies.

8. Changes to This Policy

We will notify registered users via email at least 30 days before any material changes to this policy take effect. The latest version is always available on this page.

Enterprise inquiry? We offer custom Data Processing Agreements (DPAs), dedicated infrastructure options, and tailored security reviews for organizations with advanced compliance requirements. Contact us at enterprise@vizrepo.com.