Privacy Policy

Last Updated: March 29, 2026
Version 2.0

Early Stage Notice

Mesrai is an early-stage, bootstrapped startup. While we implement industry-standard security practices, we currently do not hold enterprise certifications such as SOC 2 Type II, ISO 27001, HIPAA, or PCI-DSS. We are committed to pursuing appropriate certifications as we grow and scale.

1. Introduction

1.1 Our Commitment to Privacy

  • Mesrai ("we," "our," or "us") is committed to protecting your privacy and being transparent about our data practices. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our AI-powered code review service ("Service").

1.2 Early-Stage Disclosure

  • IMPORTANT: Mesrai is an early-stage, bootstrapped startup. While we implement industry-standard security practices and privacy controls, we currently do not hold enterprise security certifications such as SOC 2 Type II, ISO 27001, HIPAA, or PCI-DSS (note: we do not process payment cards directly; Stripe handles all payment processing).
  • We are committed to pursuing appropriate certifications as we grow and scale. Our current security posture is appropriate for our stage, and we continuously improve our practices.

1.3 Scope

  • Our website (mesrai.com)
  • Our web application and dashboard
  • Our GitHub integration and code review service
  • Our API (if available)
  • Communications from us (emails, support, etc.)

1.4 Agreement

  • By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account and Profile Information

  • Email address (required for account creation and communication)
  • GitHub username (via OAuth authentication)
  • GitHub user ID (unique identifier)
  • GitHub profile information (name, avatar, public email if available)
  • Organization name (if using organization account)
  • Team membership (if using team features)

2.2 GitHub Integration Data

  • Repository metadata: Repository names, URLs, descriptions, visibility (public/private)
  • Pull request data: PR titles, descriptions, numbers, authors, status, branch names
  • Code diffs: The actual code changes in pull requests (processed temporarily, not stored)
  • File paths and names: Paths of files changed in PRs
  • Commit information: Commit messages, SHAs, authors, timestamps
  • Comments: Existing PR comments and discussions
  • Webhooks: Events from your repositories (PR opened, synchronized, closed)

CRITICAL: Your source code is processed temporarily in-memory for AI analysis and is NOT permanently stored in our databases. Code is deleted immediately after review processing.

2.3 Usage and Analytics Data

  • Review history: Which PRs were reviewed, when, results summary
  • Feature usage: Which features you use (auto-fix, custom rules, etc.)
  • API usage: Number of API calls, endpoints accessed (if using API)
  • Settings and preferences: Your configuration choices
  • Session data: Login times, session duration
  • Device information: Browser type, operating system, device type (e.g., desktop, mobile)
  • IP address: For security, fraud detection, and geographic analytics
  • Referral source: How you arrived at our site (e.g., search engine, direct link)

2.4 Payment Information

  • We do NOT store payment card information. All payment processing is handled by Stripe, Inc.
  • Payment status: Whether payment succeeded or failed
  • Subscription details: Plan type, billing cycle, renewal date
  • Invoice information: Amount charged, date, invoice ID
  • Last 4 digits of card (for your reference in account settings)
  • Billing address (if provided to Stripe)
  • Your full payment card details are stored securely by Stripe and subject to Stripe's PCI-DSS compliant infrastructure.

2.5 Communications

  • Email correspondence: Your messages, our responses
  • Support tickets: Issue descriptions, troubleshooting steps, resolution
  • Feedback and surveys: Your responses to surveys or feedback requests

2.6 Cookies and Tracking Technologies

  • Essential Cookies (Required): Authentication (keep you logged in), Security (CSRF protection, session management), Preferences (remember your settings)
  • Analytics Cookies (Optional, can be disabled): Usage analytics, Performance monitoring, A/B testing
  • Third-Party Cookies: Stripe (payment processing), GitHub (OAuth authentication), Analytics providers (PostHog, Sentry if used)
  • You can disable non-essential cookies via our cookie banner or browser settings. Disabling cookies may affect Service functionality.
  • Browser "Do Not Track" signals are respected where technically feasible.

2.7 Information from Third Parties

  • GitHub: Your public profile, repository access permissions
  • AI Providers: Metadata about API usage (not your code content)
  • Stripe: Payment and subscription status

3. How We Use Your Information

3.1 Service Delivery (Contract Performance)

  • Code review: Process your code with AI to generate reviews
  • GitHub integration: Post review comments to your PRs
  • Dashboard: Display review history, analytics, and trends
  • Notifications: Alert you to review completion, issues found
  • Collaboration: Enable team features (if using Team plan)

3.2 Account Management

  • Authentication: Verify your identity and maintain sessions
  • Billing: Process payments, manage subscriptions, send invoices
  • Support: Respond to inquiries, troubleshoot issues
  • Updates: Notify you of Service changes, new features, maintenance

3.3 Service Improvement (Legitimate Interest)

  • Analytics: Understand how users interact with the Service
  • Performance optimization: Identify slow features, errors, crashes
  • Feature development: Decide which features to build or improve
  • A/B testing: Test variations to improve user experience
  • Quality assurance: Monitor AI review quality and accuracy

3.4 Security and Fraud Prevention (Legitimate Interest)

  • Threat detection: Identify and block malicious activity
  • Abuse prevention: Detect and prevent misuse (e.g., scraping, DDoS)
  • Account security: Monitor for unauthorized access
  • Compliance: Investigate violations of our Terms and Conditions

3.5 Legal Compliance (Legal Obligation)

  • Regulatory compliance: Comply with GDPR, CCPA, and other laws
  • Legal requests: Respond to subpoenas, court orders, law enforcement
  • Tax obligations: Calculate and remit applicable taxes
  • Audit and reporting: Maintain records for legal or regulatory audits

3.6 Marketing and Communications (Consent or Legitimate Interest)

  • Product updates: Inform you of new features (can opt out)
  • Security alerts: Notify you of critical security issues (cannot opt out)
  • Surveys: Request feedback to improve the Service (can opt out)
  • Educational content: Send tips, best practices, blog posts (can opt out)

We do NOT:

  • Sell or rent your data to third parties
  • Use your code to train AI models without explicit consent
  • Send spam or share your email with marketers
  • Track you across other websites (no cross-site tracking)

4. Data Sharing and Disclosure

4.1 AI Service Providers (Necessary for Service)

  • Anthropic (Claude): Enterprise API with data protection terms
  • OpenAI (GPT): Business API with data retention limits (typically 30 days)
  • DeepSeek: Subject to DeepSeek's privacy policy
  • Google (Gemini): Enterprise API where available
  • Others: May change as we optimize quality and cost

What they receive: Your code diffs, file paths, contextual information, and our AI prompts.

What they do NOT receive: Your account information, entire codebase, payment information, or unrelated repositories.

Enterprise API tiers typically do NOT train models on customer data.

4.2 Infrastructure and Service Providers

  • Cloud providers (AWS, Google Cloud, or similar): Host our application and databases
  • CDN providers (Cloudflare or similar): Deliver website assets, protect against DDoS
  • Monitoring (Sentry, Datadog): Error tracking, performance monitoring
  • Analytics (PostHog, Mixpanel): Usage analytics (anonymized where possible)
  • Email (SendGrid, Postmark): Transactional emails (review notifications, password resets)
  • All vendors are carefully vetted, process data only as instructed by us, and sign Data Processing Agreements (DPAs) where required.

4.3 Payment Processing (Stripe)

  • Stripe is PCI-DSS Level 1 certified (highest security standard for payments)
  • We do NOT see or store your full credit card number
  • Stripe may share limited data with payment networks (Visa, Mastercard, banks)

4.4 GitHub Integration

  • We access your repositories via GitHub's API per your granted permissions
  • You control our access via GitHub settings (can revoke at any time)

4.5 Business Transfers

  • If Mesrai is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity.
  • We will notify you via email and/or prominent website notice.
  • The acquiring entity must honor this Privacy Policy or provide you notice of changes.
  • You may delete your account before the transfer is finalized.

4.6 Legal Obligations and Safety

  • In response to subpoenas, court orders, or legal process
  • To comply with government or regulatory requests
  • To protect our rights, property, or safety, or that of users or the public
  • To detect, prevent, or address fraud, security, or technical issues
  • We will resist overly broad or unlawful requests where possible
  • We do NOT provide real-time access to user data (no backdoors)

4.7 Aggregated and Anonymized Data

  • We may share aggregated, anonymized, or de-identified data that cannot reasonably identify you (e.g., "Mesrai analyzed 10M pull requests this year").
  • This data is not "personal data" under GDPR/CCPA.

5. Data Retention

5.1 Code Data (Temporary)

  • Your source code is NOT permanently stored.
  • Code is processed in-memory during AI review (typically <60 seconds)
  • Code is deleted immediately after review comments are posted
  • No code is retained in our production databases
  • AI providers may retain code temporarily for abuse monitoring (typically 30 days)

5.2 Account Data

  • While account is active: Retained indefinitely
  • After account deletion: Deleted within 90 days
  • Legal holds: May be retained longer if required by law or litigation

5.3 Review Metadata and History

  • Review results (findings, scores, comments): Retained for 12 months
  • Aggregated statistics (anonymized): Retained indefinitely
  • You may request deletion of review history at any time

5.4 Usage Logs

  • Application logs: Retained for 90 days (for debugging and security)
  • Audit logs: Retained for 1 year (for compliance and investigations)
  • Analytics data: Aggregated data retained indefinitely; raw data deleted after 12 months

5.5 Communication Records

  • Support tickets: Retained for 2 years (for customer service quality)
  • Email correspondence: Retained as long as relevant to the conversation
  • You may request deletion of communication records

5.6 Backup Data

  • Deleted data may persist in backups for up to 90 days
  • Backups are encrypted and securely stored
  • Backups are not used for operational purposes

5.7 Legal Retention

  • Data may be retained longer if required by law or regulation, necessary for legal claims or litigation (legal hold), or needed for audit, tax, or compliance purposes.

6. Data Security

6.1 Technical Measures

  • Encryption in transit: All data transmitted over the internet is encrypted using TLS 1.2+ (HTTPS)
  • Encryption at rest: Databases and backups are encrypted using AES-256 or equivalent
  • Code processing: Code is processed in encrypted memory (not written to disk)
  • Authentication: Strong password requirements, support for 2FA (GitHub SSO)
  • Authorization: Role-based access control (RBAC) for internal team
  • Least privilege: Employees have access only to data necessary for their role
  • API security: API keys, OAuth tokens, rate limiting
  • Cloud hosting: Reputable providers (AWS, GCP) with SOC 2/ISO 27001 certifications
  • Firewalls: Network segmentation, intrusion detection systems
  • Monitoring: Real-time alerts for suspicious activity, automated threat detection
  • Patching: Regular security updates to operating systems, libraries, dependencies

6.2 Organizational Measures

  • Security awareness training for all employees
  • Data handling policies and procedures
  • Incident response plan
  • Confidentiality agreements (NDAs)
  • Secure software development lifecycle (SSDLC)
  • Code reviews for all changes
  • Automated security scanning (SAST, dependency checks)
  • Penetration testing (as budget allows)

6.3 Physical Security

  • No physical servers: We use cloud infrastructure (no on-premises data centers)
  • Cloud providers maintain physical security (biometric access, surveillance)
  • Employee devices: Full-disk encryption, strong passwords, device management

6.4 Third-Party Security

  • All vendors undergo security assessment before onboarding
  • Data Processing Agreements (DPAs) with GDPR-compliant terms
  • Periodic vendor audits and reviews
  • Vendors must report security incidents within 24 hours

6.5 Limitations (Early-Stage Disclosure)

  • No SOC 2 audit: We have not undergone a formal SOC 2 Type II audit (planned for future)
  • No dedicated security team: Security is managed by our engineering team (not a separate security org)
  • No 24/7 SOC: We do not have a 24/7 Security Operations Center (monitoring is automated)
  • Limited penetration testing: We conduct internal security reviews; formal pen tests are planned as we scale

Despite these limitations, we take security seriously and implement industry best practices appropriate for our stage.

6.6 Your Responsibilities

  • Keeping your account credentials secure (strong passwords, 2FA)
  • Not sharing your account with others
  • Reporting suspected security issues to contact@mesrai.com
  • Using up-to-date browsers and operating systems

7. Data Breach Notification

7.1 Our Commitment

  • We will investigate and contain the breach immediately
  • We will notify affected users within 72 hours of discovering the breach (GDPR requirement)
  • We will notify relevant regulatory authorities as required by law

7.2 What We Will Tell You

  • Nature of the breach: What happened and how
  • Data affected: What types of information were exposed
  • Potential impact: What risks you may face
  • Our response: Steps we've taken to contain and remediate
  • Your steps: Actions you should take to protect yourself (e.g., change passwords)

7.3 How We Notify You

  • Email: To your registered email address
  • In-app notification: Alert in the application
  • Website banner: Prominent notice on our website
  • Public disclosure: If the breach is widespread, we may issue a public statement

7.4 Types of Breaches Covered

  • Unauthorized access to databases
  • Accidental exposure of data (e.g., misconfigured cloud storage)
  • Ransomware or malware attacks
  • Insider threats (employee misconduct)
  • Third-party breaches affecting our vendors

8. Your Rights and Choices

8.1 Access Your Data (Right to Access)

  • You may request a copy of the personal information we hold about you.
  • Email contact@mesrai.com with your account email, GitHub username, and requested data.
  • Response time: Within 30 days (may extend to 60 days for complex requests)
  • You'll receive a structured export (JSON, CSV, or PDF) with all personal data we store.
  • No charge for reasonable requests (excessive requests may incur a fee).

8.2 Correct Your Data (Right to Rectification)

  • Account settings: Update email, name, preferences directly
  • Email support: For data you cannot change yourself

8.3 Delete Your Data (Right to Erasure / "Right to be Forgotten")

  • Self-service: Delete account via account settings
  • Email request: contact@mesrai.com
  • What gets deleted: Account information, review history and metadata, usage logs (after retention period), backups (within 90 days)
  • What is NOT deleted: Aggregated anonymized analytics, financial records (retained for tax/legal compliance, typically 7 years), data subject to legal hold
  • Timeline: Deletion within 90 days (30 days from primary systems + 60 days from backups)

8.4 Export Your Data (Right to Data Portability)

  • Formats available: JSON (structured data), CSV (tabular data), PDF (human-readable summary)
  • Includes: Account details, review history and results, configuration and preferences
  • Not included: Code content (we don't store it long-term), third-party data (request from GitHub)

8.5 Restrict Processing (Right to Restriction)

  • While we verify accuracy (if you dispute data correctness)
  • If processing is unlawful but you prefer restriction over deletion
  • If we no longer need the data but you need it for legal claims
  • While we verify overriding legitimate grounds (if you object to processing)
  • How to request: Email contact@mesrai.com with details

8.6 Object to Processing (Right to Object)

  • Direct marketing (we will stop immediately)
  • Profiling for marketing purposes
  • Processing for research/analytics (we will stop unless we have compelling legitimate grounds)
  • You cannot object to: Processing necessary to provide the Service (e.g., code review), legal compliance (e.g., tax records), contract performance (e.g., billing)

8.7 Withdraw Consent

  • Marketing emails: Click "unsubscribe" in any email
  • Analytics cookies: Disable via cookie settings
  • Account: Delete your account to withdraw all consent
  • Effect: We will stop processing for that purpose. Does not affect lawfulness of prior processing.

8.8 Opt-Out of Communications

  • Marketing emails: Unsubscribe link in every email (we send very few marketing emails)
  • Product updates: Opt-out via account settings
  • Security alerts: Cannot opt out (critical for account security)
  • Billing notifications: Cannot opt out (required for subscription management)

8.9 Complaint to Supervisory Authority

  • EU/EEA: Your national data protection authority
  • UK: Information Commissioner's Office (ICO)
  • California: California Privacy Protection Agency
  • We prefer to resolve issues directly: Please contact us first at contact@mesrai.com.

9. Region-Specific Rights

9.1 GDPR (European Economic Area, UK, Switzerland)

  • Contract performance: To provide the Service (Art. 6(1)(b) GDPR)
  • Legitimate interests: Analytics, security, fraud prevention (Art. 6(1)(f) GDPR)
  • Legal compliance: Tax, regulatory obligations (Art. 6(1)(c) GDPR)
  • Consent: Marketing, optional features (Art. 6(1)(a) GDPR)
  • International transfers use Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Data Protection Contact: contact@mesrai.com
  • We do NOT make solely automated decisions with legal or significant effects on you. AI reviews are suggestive tools; humans make final decisions.

9.2 CCPA (California)

  • We do NOT sell personal information.
  • Sharing with AI providers is for service provision, not "sale" under CCPA.
  • Right to Know: What data we collect, how we use/share it
  • Right to Delete: Request deletion
  • Right to Non-Discrimination: We will not discriminate for exercising CCPA rights
  • Email contact@mesrai.com to exercise rights. Response time: 45 days.
  • You may designate an authorized agent to make requests on your behalf.

9.3 Other U.S. State Privacy Laws

  • For residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with privacy laws: You have similar rights to CCPA (access, deletion, opt-out).
  • Contact contact@mesrai.com to exercise rights.

9.4 Brazil (LGPD)

  • Legal basis: Contract, legitimate interest, consent
  • Rights: Access, correction, deletion, portability, objection
  • Data Protection Contact: contact@mesrai.com

9.5 Canada (PIPEDA)

  • We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA)
  • You have rights to access, correct, and challenge our data practices
  • Complaints may be filed with the Office of the Privacy Commissioner of Canada

10. International Data Transfers

10.1 Where Data is Stored

  • United States: Our primary servers and AI providers (Anthropic, OpenAI) are U.S.-based
  • European Union: We may use EU-based infrastructure for EU users (if available)
  • Other regions: Cloud providers may replicate data globally for redundancy

10.2 Safeguards for International Transfers

  • Standard Contractual Clauses (SCCs): EU-approved contracts with data processors
  • Data Processing Agreements (DPAs): With all vendors handling EU data
  • Adequacy decisions: Where available (e.g., EU-U.S. Data Privacy Framework, if applicable)

10.3 Your Consent

  • By using the Service from outside the country where our servers are located, you consent to international data transfers subject to the safeguards described above.

11. Children's Privacy

11.1 Age Requirement

  • The Service is NOT intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.
  • If you are under 18: Do not create an account, do not submit any personal information to us.

11.2 Parental Notice

  • If we become aware that we have collected personal information from a child under 18 without parental consent, we will delete that information immediately and terminate the account.
  • Parents/guardians may contact us at contact@mesrai.com to request deletion.

11.3 COPPA (U.S.)

  • We do not knowingly collect data from children under 13
  • We do not market to children

12. Changes to This Privacy Policy

  • We may update this Privacy Policy to reflect changes to our data practices, new features or services, legal or regulatory requirements, and user feedback.
  • When we make material changes: We will update the "Last Updated" date at the top, notify you via email (at least 30 days before changes take effect), and may display a prominent notice on our website or in-app.
  • Continued use after changes take effect constitutes acceptance. If you disagree, you may delete your account before changes take effect.
  • We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Us

  • General Privacy Inquiries: contact@mesrai.com — Response time: Within 7 business days
  • Data Protection / GDPR Inquiries: contact@mesrai.com — For GDPR compliance, data subject requests, privacy concerns
  • Security Issues: contact@mesrai.com — For reporting vulnerabilities, suspected breaches, security concerns
  • Support, Legal & Billing: contact@mesrai.com — For general questions, account issues, technical support, legal notices, billing inquiries

14. Final Notes

14.1 Third-Party Links

  • Our Service may contain links to third-party websites or services (e.g., GitHub, AI providers, documentation sites).
  • We are NOT responsible for the privacy practices of third parties.
  • We recommend reviewing their privacy policies before providing information. Links do not imply endorsement.

14.2 California "Shine the Light" Law

  • We do NOT share data for third-party direct marketing.

14.3 Nevada Privacy Rights

  • We do NOT sell data (no opt-out necessary).

14.4 No Liability for Third Parties

  • We are not liable for GitHub's data practices or security, AI providers' data handling, Stripe's payment processing, or third-party breaches (unless caused by our negligence).

14.5 Consent to Electronic Communications

  • By using the Service, you consent to receiving electronic communications (emails, in-app notifications) from us. These communications are part of our service delivery.

15. Acknowledgment

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT:

  • You have read, understood, and agree to this Privacy Policy
  • You consent to the collection, use, and sharing of data as described
  • You understand your data may be processed in the United States and other countries
  • You understand we use AI providers that temporarily process your code
  • You understand we are an early-stage startup without enterprise certifications
  • You have the right to withdraw consent and delete your account at any time

If you do not agree to this Privacy Policy, you must immediately cease using the Service.

Have questions about your privacy?

We're here to help. If you have any concerns or need clarification on our data practices, don't hesitate to reach out.

contact@mesrai.com