Skip to content

Privacy and GDPR

What data CodeCharter processes, where it is stored, and how we meet our GDPR obligations.

Updated on 2026-05-29

CodeCharter is operated in Germany by Bochmann Software GmbH. All data is stored on servers in Germany. We do not share any data with third parties outside the EU.

What data we process

For each account we store:

  • Email address (for login and notifications)
  • Display name (freely chosen, used only in the UI)
  • Password hash (never in plaintext)
  • Creation date and last login time
  • Active and past subscriptions
  • Created API keys (stored as hashes only; the plaintext value is visible only once immediately after creation)
  • Download log (which version, which platform, when)

For the analysis itself we process no data in our infrastructure. The CLI runs on your machine or your CI runner, reads your source code locally, and writes findings locally. We do not pull your repository or any code snippets into our cloud.

Where data is stored

What Where
Portal database Server in Germany (EU)
Release binaries Server in Germany (EU)
Logs Server in Germany (EU)
Email delivery EU region of an established provider

Backups are created daily and retained for seven days, then overwritten.

Right of access

You have the right at any time to find out what data we have stored about you. Send an email from the address registered with us to [email protected] with the subject "Data access request". We will respond within 30 days with an overview of all fields.

Right to erasure

You can delete your account yourself on the profile page. When you do:

  • Your user record is removed.
  • All subscriptions are hard-deleted (no soft-delete).
  • All API keys are removed; existing CI pulls will be rejected starting with the next request.
  • A salted, slow-derived hash of your email address is added to a blocklist so that re-registration with the same address is rejected. We use the same hardening method as for passwords (PBKDF2 with a random salt per entry); the email itself is not stored.

If you want the blocklist entry removed, contact us. We will remove it manually.

Data processing on behalf

For business customers we offer a Data Processing Agreement (DPA) under Article 28 GDPR. Contact us and we will send you the standard DPA to sign remotely.

Cookies

The portal sets only technically necessary cookies for the session and CSRF protection on forms.

We set no tracking cookies, no Google Analytics, no Meta Pixel, and no advertising cookies. Therefore no cookie banner.

Controller under GDPR

Bochmann Software GmbH
Mitja Bochmann
[email protected]

Full contact and representation details in the Legal Notice.