PRIVACY & DATA PROTECTION

Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly what we collect, why, and how you can control it.

Last updated: March 8, 2026

  • SOC 2 Type II: independently audited security controls
  • AES-256 Encryption: all data encrypted at rest and in transit
  • On-Premises Available: deploy inside your own infrastructure
  • Zero-Retention Mode: code analyzed in memory, never persisted
  • Customer-Managed Keys: BYOK/CMK — only you hold the keys
  • GDPR / HIPAA / FedRAMP: compliance frameworks supported

Zero-Retention Mode (Enterprise)

When Local CLI Mode is enabled, your source code never leaves your machine. Analysis runs entirely in-process. Only structured metadata (issue type, severity, file path, line number) is synced to your dashboard. This is the gold standard for banks, defense contractors, healthcare providers, and any organization with strict IP protection requirements.

Overview

BugZeroAI ("we", "our", or "the platform") is an AI-powered software reliability platform. This Privacy Policy explains how we collect, use, store, and protect information when you use BugZeroAI's cloud service, on-premises deployment, or CLI agent.

We are committed to data minimization, transparency, and giving you full control over your code and data. This policy is written in plain language — not legal obfuscation.

What We Collect

Account Information

  • Name and email address (from OAuth provider)
  • Authentication tokens (session cookies, hashed — never plaintext)
  • Workspace and team membership data

Code & Scan Data (Cloud Mode)

In cloud mode, uploaded code is stored encrypted in S3 and used solely for analysis. It is never shared with third parties, used for model training, or accessed by BugZeroAI staff without your explicit consent.

  • Source code files you upload or connect via Git integration
  • Scan results: issue type, severity, file path, line number
  • AI-generated patch suggestions (diffs only)
  • Reliability scores and historical trends

Code & Scan Data (Local CLI / Zero-Retention Mode)

Zero-Retention: Source code is never transmitted in Local CLI Mode.

  • Source code: NEVER transmitted — all analysis runs on your machine
  • Only structured metadata is synced: issue type, severity, file path, line number
  • No source text, ASTs, variable names, or business logic ever leaves your network

Usage & Telemetry

  • Feature usage events (pages visited, scans initiated)
  • Performance metrics (scan duration, error rates)
  • Browser type and OS (for compatibility)

Telemetry is aggregated and anonymized. You can opt out in Settings.

Zero-Retention Mode

Zero-Retention Mode is BugZeroAI's enterprise-grade privacy guarantee for organizations that cannot expose source code to any external service.

When Local CLI Mode is enabled:

1. The BugZeroAI CLI agent runs entirely within your infrastructure (your machine, CI server, or private cloud).
2. Static analysis and AI inference happen in-process — no code is sent to BugZeroAI servers.
3. Only structured scan metadata is transmitted: issue identifiers, severity levels, file paths, and line numbers. No source text.
4. If you configure a private LLM (Azure OpenAI, AWS Bedrock, Ollama), AI analysis also stays within your network.
5. Scan results are stored in your BugZeroAI dashboard with the same encryption and access controls as cloud mode.

Zero-Retention Mode satisfies the data handling requirements of GDPR Article 25 (data protection by design), HIPAA §164.312, FedRAMP Moderate, and most enterprise IP protection policies.

How We Use Your Data

  • Provide the BugZeroAI service: run scans, generate patches, display results
  • Improve detection accuracy using aggregated, anonymized issue patterns (never your code)
  • Send notifications about scan completions, critical vulnerabilities, and patches (configurable)
  • Authenticate your identity and manage team access
  • Generate reliability reports and trend analytics
  • Respond to support requests

We explicitly do NOT:

  • Sell your data to third parties
  • Use your source code to train AI models
  • Allow BugZeroAI staff to read your code without explicit consent
  • Share scan results with other customers

Data Storage & Security

All data is stored in encrypted form using AES-256 at rest and TLS 1.3 in transit. We use AWS S3 with server-side encryption for file storage and TiDB Cloud for structured data.

Access controls follow the principle of least privilege. BugZeroAI employees do not have standing access to customer data. Access requires a formal approval process with audit logging.

Data residency options are available for Enterprise customers: EU (Frankfurt), US (Virginia), APAC (Singapore), or your own infrastructure.

Data type: storage location; retention period; encryption

  • Source code (cloud mode): AWS S3; until the project is deleted; AES-256 SSE
  • Scan results & issues: TiDB Cloud; 90 days (Pro) / unlimited (Enterprise); AES-256 + TLS
  • Session tokens: HTTP-only cookies; 30 days or until logout; SHA-256 hashed
  • CLI tokens: database (hash only); until revoked; SHA-256 hashed
  • Audit logs: database; 1 year; AES-256
  • Source code (CLI mode): your machine only; never stored by BugZeroAI; N/A

Enterprise & On-Premises

Enterprise customers have additional data control options:

Customer-Managed Keys (CMK/BYOK): Bring your own encryption keys. BugZeroAI encrypts your data with your key — we cannot decrypt it without your explicit authorization.

Private VPC Deployment: BugZeroAI runs in a dedicated cloud environment within your AWS, Azure, or GCP account. No shared infrastructure with other customers. You control network policies, firewall rules, and access logs.

On-Premises / Air-Gapped Deployment: The entire BugZeroAI platform — database, AI engine, dashboard — runs inside your datacenter. No internet connectivity required. Your code never leaves your network under any circumstances.

Private LLM Integration: Connect your own Azure OpenAI Service, AWS Bedrock, or self-hosted model (Ollama, vLLM). AI analysis never touches shared model infrastructure.

Data Processing Agreement (DPA): Available on request for GDPR compliance. Contact our enterprise team.

Third-Party Services

BugZeroAI uses the following third-party services in cloud mode. None of these services receive your source code.

Service: purpose; data shared

  • Manus OAuth: authentication; user ID, email, name
  • AWS S3: file storage; encrypted code files (cloud mode only)
  • TiDB Cloud: database; scan metadata, issues, settings
  • LLM Provider: AI analysis; code snippets for analysis (cloud mode only)

Your Rights

  • Access: Request a copy of all data we hold about you
  • Deletion: Delete your account and all associated data at any time from Settings
  • Portability: Export your scan history and issue data in JSON format
  • Correction: Update your profile information at any time
  • Opt-out: Disable telemetry and non-essential notifications in Settings
  • Erasure: Request complete data erasure including backups (Enterprise SLA: 30 days)

Contact & DPA Requests

For privacy inquiries, data access requests, or to obtain a Data Processing Agreement (DPA):

Email: [email protected]
Enterprise Sales: [email protected]
Security Disclosures: [email protected]

We respond to all privacy requests within 72 hours. Enterprise DPA requests are processed within 5 business days.

BugZeroAI — Privacy Policy v2.1