CodeCharter is operated in Germany by Bochmann Software GmbH. All data is stored on servers in Germany. Payments are processed by our payment provider Stripe. If you reach us through a Google Ads ad, we additionally report one conversion to Google Ads server-side (see the section "Google Ads conversion measurement"). Beyond that, we do not share personal data with third parties.
What data we process
For each account we store:
- Email address (for login and notifications)
- Display name (freely chosen, used only in the UI)
- Password hash (never in plaintext)
- Creation date and a sign-in log: the most recent sign-in attempts (up to 30 per account) with timestamp, IP address, browser identifier, and success or failure
- During an email change: the new, not yet confirmed email address until you confirm it
- The version and time of your acceptance of the terms of service
- Active and past subscriptions
- Billing data: once you complete a checkout, a customer ID from our payment provider Stripe that links your account to your subscription there
- If you reach us through a Google Ads ad: the Google click identifier (
gclid) and any campaign parameters (utm_source,utm_medium,utm_campaign), stored on your account server-side and used solely for conversion measurement - If you connect the GitHub CI integration: the installation ID and the name of the GitHub account the app is installed on
- Created API keys (stored as hashes only; the plaintext value is visible only once immediately after creation)
- Download log (which version, which platform, when, plus IP address and browser identifier)
- An audit log of significant account and configuration actions, including the client IP address per entry; audit entries are deleted automatically after 24 months
For the analysis itself we process no data in our infrastructure. The CLI runs on your machine or your CI runner, reads your source code locally, and writes findings locally. We do not pull your repository or any code snippets into our cloud.
Where data is stored
| What | Where |
|---|---|
| Portal database | Server in Germany (EU) |
| Release binaries | Server in Germany (EU) |
| Logs | Server in Germany (EU) |
| Email delivery | EU region of an established provider |
Backups are created daily and retained for seven days, then overwritten.
Right of access
You have the right at any time to find out what data we have stored about you. Send an email from the address registered with us to [email protected] with the subject "Data access request". We will respond within 30 days with an overview of all fields.
Right to erasure
You can delete your account yourself on the profile page. When you do:
- Your user record is removed.
- All subscriptions are hard-deleted (no soft-delete).
- All API keys are removed; existing CI pulls will be rejected starting with the next request.
- A salted, slow-derived hash of your email address is added to a blocklist so that re-registration with the same address is rejected. We use the same hardening method as for passwords (PBKDF2 with a random salt per entry); the email itself is not stored.
If you want the blocklist entry removed, contact us. We will remove it manually.
MCP server telemetry
The CodeCharter MCP server can optionally send pseudonymised usage telemetry to our servers. This section fulfils the disclosure obligation under Article 13 GDPR for that processing.
Purpose of processing
We use telemetry for product usage analysis and customer analytics. Specifically, we evaluate which MCP tools are called how often and how the analysis performs across versions. From that we derive product roadmap and bug-fix prioritisation.
Legal basis
Article 6 (1) (a) GDPR — consent. Telemetry is off by default and is only activated through explicit opt-in, either via a CLI flag, an environment variable, or an entry in the local configuration file. You can withdraw consent at any time by removing the flag, unsetting the environment variable, or resetting the configuration entry. No further data will be sent starting with the next MCP server launch.
Data collected
The following allowlist is exhaustive. No other fields are transmitted, because they are structurally not part of the payload type.
tool_name— name of the MCP tool that was called (for exampleanalyze_solution).latency_bucket— latency bucket of the call, not the exact value.is_success— whether the call succeeded.workspace_id(hashed) — a hash value, never the workspace path itself. The MCP server currently sends a constant placeholder hash that contains no workspace information.finding_summaries— at mostrule_id, severity, and per-rule count. No finding text, no file, no code location. The MCP server currently transmits this list empty, so no per-rule data is sent.license_id— license ID of the active CodeCharter subscription.client_instance_id— pseudonymous local GUID (see below).code_charter_version— installed CodeCharter version.dot_net_version— .NET runtime version.os_family— operating system family (win,linux,mac).occurred_at_utc— UTC timestamp of the call.
Data NOT collected
The following fields are explicitly not part of the payload and are not transmitted. They are structurally absent from the telemetry payload type, so they cannot be sent by accident.
- Source code in any form, whole or as snippets.
- File, class, method, or entity names.
- File paths and diff contents.
- Developer identities (username, email, Git author, hostname).
- Rule DSL text and custom rule definitions.
- Finding message text and code snippets from findings.
Retention
Telemetry events are retained for 60 days and then deleted automatically. We retain aggregated evaluations without personal reference beyond that.
Character of client_instance_id
The client_instance_id is a pseudonymous GUID that is generated once per installation locally and stored in a file. It is not derived from hardware attributes, MAC addresses, hostnames, or user data — it is purely random. You can reset it at any time by deleting the local file; a new ID will be generated on the next launch.
Storage locations:
- Windows:
%LOCALAPPDATA%\CodeCharter\client-instance-id - Linux and macOS:
$XDG_DATA_HOME/codecharter/client-instance-id, with fallback~/.codecharter/client-instance-id
Recipients
Data is processed exclusively on our own servers in the EU. There is no transfer to third parties, including within the EU.
Deletion requests
You can request deletion of all telemetry events previously sent under your license. To do so, write to [email protected] with the subject "Telemetry deletion request" and your license ID in the message body. We will confirm deletion within 30 days.
Technical documentation
A full technical description of the telemetry, including endpoint URL, payload schema, and opt-in mechanics, is available at MCP telemetry.
Google Ads conversion measurement
If you reach our site through a Google Ads ad, Google appends a click identifier (the gclid parameter) to the destination URL. We use this identifier to measure the effectiveness of our advertising, without setting any tracking cookie or showing a cookie banner.
How it works
The click identifier and any campaign parameters (utm_source, utm_medium, utm_campaign) are stored on your account server-side at registration. If you later start a paid subscription, we report that one conversion back to Google Ads server-side (offline conversion import): the click identifier, the time, and the order value and currency. We do not transmit your name, email address, or any other account data.
Legal basis
Article 6 (1) (f) GDPR — legitimate interest. Our legitimate interest is measuring and managing the economics of our advertising. You may object to this processing at any time by writing to [email protected] with the subject "Google Ads objection".
Recipients and international transfer
The recipient of the conversion data is Google (Google Ireland Ltd. and Google LLC). Google processes the data as a processor under the Google Ads Data Processing Terms. This may involve a transfer to the USA, based on the adequacy decision for the EU-US Data Privacy Framework and supplementary standard contractual clauses.
Retention
We store the click identifier and campaign parameters for the duration of the billing relationship on your account. If you delete your account, they are removed with the user record. Conversions transmitted to Google are additionally subject to Google Ads' own retention periods.
Data processing on behalf
For business customers we offer a Data Processing Agreement (DPA) under Article 28 GDPR. Contact us and we will send you the standard DPA to sign remotely.
Cookies
The portal sets only technically necessary cookies: for the session, for CSRF protection on forms, and for your language preference (set for one year when you switch the UI language).
We set no tracking cookies, no Google Analytics, no Meta Pixel, and no advertising cookies. Our Google Ads conversion measurement runs server-side and entirely without cookies (see the section "Google Ads conversion measurement"). Therefore no cookie banner.
Controller under GDPR
Bochmann Software GmbH
Mitja Bochmann
[email protected]
Full contact and representation details in the Legal Notice.