Legal

Privacy Policy

Effective 2026-04-25 · We rewrite this page in plain English so you can actually read it.

01

Summary, in plain language

Codowave runs autonomous AI agents that read and write code in your connected projects and repositories. To do that, we need access to your code, issues, and the runtime infrastructure your agents use. This page tells you exactly what we collect, where we store it, who we share it with, and how to get it deleted.

We don't sell your data. We don't train shared AI models on it. We don't read your code outside of agent runs you trigger or schedule.

02

What we collect

  • Account data: your name, email, connected-provider handles, and authentication tokens (managed by Better Auth).
  • Repository data: for each repo you connect, we ingest the file tree, issues, pull requests, CI status, and commit history necessary to plan and ship changes.
  • Agent runtime data: logs, test output, tool calls, and intermediate plans produced by the agents while they work in your isolated container.
  • Billing data: your plan tier, monthly issue allowance and usage counts, and Stripe-managed payment metadata (we never see your card number). For each agent run we record the input/output token counts so we can size the allowance honestly; raw model prompts and completions are not stored beyond the run's lifetime.
  • Telemetry: page views, feature usage, errors, and anonymized agent operational metrics. Aggregated, never sold.

03

Operational telemetry

By default, Codowave agents send anonymized operational telemetry (memory usage, error counts, and error type names) back to us so we can detect and fix problems across the fleet. We never receive source code, environment variables, or personal data through this channel. The data is aggregated and used solely to improve agent reliability.

You can disable telemetry at any time from your repo settings page. When disabled, the agent sends no operational data for that repo.

04

How we use it

We use your data to:

  • Run the agents you authorized: plan, code, test, review, merge.
  • Show you live progress in the dashboard and the monitor stream.
  • Operate plan billing and the monthly issue allowance.
  • Detect abuse, prevent fraud, and protect the service.
  • Improve Codowave: bug fixes, new features, performance.

We do not use your code or private repository content to train shared models. Each agent run stays scoped to your organization's containers and memory store.

05

Agent containers

When you connect a repo, Codowave provisions a dedicated Docker container for it on our managed infrastructure. The container holds a checkout of your code while the agent works, runs your tests, and is torn down or hibernated when idle. Each container is scoped to one organization; we never co-tenant your code with another customer's workload in the same container.

The container size (CPU and RAM) is tied to your plan tier. Higher tiers run on priority pools so dependency installs and test runs finish faster.

06

Sub-processors

Codowave shares limited data with vetted infrastructure providers so the product can run. The current list:

  • Better Auth: authentication and session management.
  • Stripe: payment processing and subscription billing.
  • Hetzner: primary compute and container hosting.
  • GitHub: repository access, issues, and pull requests via the GitHub App you authorize.
  • Anthropic: the large-language-model provider powering agent inference via bring-your-own-key. Your Anthropic API key is stored encrypted and used only to make inference requests on your behalf.
  • PostHog: product analytics. Receives page views, feature-usage events, and anonymized agent operational metrics. No repository content, tokens, or model prompts are sent. Data lives in PostHog's US cloud region.
  • Sentry: error and performance monitoring. Receives stack traces, request paths, and the user ID for in-app errors so we can detect and fix problems before you report them. Authorization headers, cookies, and API keys are scrubbed client- and server-side before transmission.

07

Data retention

  • Agent run logs: kept for 30 days for debugging and replay, then auto-deleted.
  • Repo snapshots in containers: purged when the container is torn down or after 14 days of inactivity.
  • Memory entries: retained for the life of the connected repo so future PRs benefit from past decisions. Deletable on request.
  • Billing records: kept as long as required by tax and accounting regulations.

08

Your rights

You can, at any time:

  • Disconnect a repo and have its memory + container purged.
  • Export your account data as JSON.
  • Delete your account; we erase everything except records we are legally required to keep.
  • Request a copy of all data we hold about you.

GDPR, CCPA, and equivalent privacy laws apply where relevant. Contact us and we'll respond within 30 days.

09

Security

Repos are checked out into per-organization containers, isolated by network policy. Provider keys and tokens are encrypted at rest with AES-256 and never logged. We use TLS 1.2+ for everything in transit. Production access is gated behind SSO + hardware keys, with a paper trail in our audit log.

10

Questions?

Email privacy@codowave.com or use the contact form. We respond within two business days.