Privacy Policy for CodeArena
Last Updated: October 6, 2025
Introduction
CodeArena ("we," "our," or "the app") is a GitHub Marketplace application that automatically fixes code issues using AI-powered coding agents. This Privacy Policy explains how we collect, use, store, share, and sell information when you use our GitHub App.
Information We Collect
1. GitHub Repository Data
When you install CodeArena on your repositories, we access and process:
- Repository content: Source code, issue descriptions, comments, and pull request data necessary to analyze and fix reported issues
- Repository metadata: Repository names, branch information, commit history, and file structures
- GitHub events: Webhook payloads for issues, comments, and labels that trigger CodeArena operations
- Installation information: GitHub App installation IDs, organization/user information, and repository access permissions
2. Execution Data
During operation, we collect:
- Job execution logs: Timestamps, status updates, error messages, and completion information for each arena run
- Agent activity: Actions taken by AI coding agents, files modified, and pull requests created
- Performance metrics: Execution duration, container resource usage, and job success/failure rates
3. Authentication Information
- GitHub credentials: App ID and JWT tokens for authenticating API requests (we do not store your personal GitHub password)
- Webhook signatures: HMAC signatures to verify webhook authenticity
How We Use Your Information
We use the collected information to:
- Execute automated code fixes: Analyze issues, generate fixes, and create pull requests in your repositories
- Maintain service reliability: Monitor job execution, debug failures, and improve system performance
- Provide status updates: Track and display the progress of arena runs through our dashboard and GitHub comments
- Ensure security: Validate webhook authenticity and authenticate API requests
- Improve the service: Analyze usage patterns to enhance CodeArena's functionality
- Commercial purposes: Generate insights, create datasets, and develop products based on aggregated and individual data
Data Sharing and Sale
Data We Sell
We sell, license, or otherwise commercially share the following data:
- Code patterns and repositories: Source code, repository structures, and coding patterns collected from your repositories may be sold or licensed to third parties for AI training, research, or commercial purposes
- Issue and fix data: Issue descriptions, bug reports, and corresponding fixes may be included in datasets sold to AI companies, research institutions, or other commercial entities
- Usage analytics: Information about how your team uses CodeArena, including frequency, success rates, and types of issues resolved
- Aggregated and anonymized data: De-identified datasets derived from repository data and usage patterns
Categories of Buyers
We may sell or license data to:
- AI model training companies
- Software development tool providers
- Research institutions and academic organizations
- Data analytics and business intelligence firms
- Other technology companies
Third-Party Service Providers
We also share data with service providers necessary to operate CodeArena:
- GitHub: For repository access and API operations (subject to GitHub's Privacy Policy)
- AWS (SQS, S3, EC2): For job queuing, log storage, and compute infrastructure
- Supabase: For database storage of run metadata
- Anthropic, OpenAI, Google, Cursor: For AI model API access to generate code fixes (code snippets are sent to these providers for processing)
- Fly.io: For hosting webhook services
Important Note: When CodeArena processes your code to generate fixes, relevant code snippets and issue descriptions are sent to AI model providers (Anthropic Claude, OpenAI, Google Gemini, or Cursor) for analysis. These providers have their own privacy policies:
Legal Compliance
We may also disclose information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect our rights, property, or safety
- Prevent fraud or security threats
Opt-Out Rights
California Residents (CCPA/CPRA)
If you are a California resident, you have the right to opt out of the sale or sharing of your personal information. To exercise this right, email founders@entityml.com with the subject line "Do Not Sell My Personal Information".
We will process your request within 15 business days.
Other Users
If you wish to opt out of data sales and are not a California resident, you can:
Note: Opting out of data sales may limit or prevent the functionality of CodeArena.
Data Storage and Retention
Storage Infrastructure
- Database: Job metadata, run timelines, and status information are stored in Supabase (a PostgreSQL-based platform)
- Queue system: Job requests are temporarily stored in AWS SQS queues during processing
- Logs: Execution logs may be stored in AWS S3 buckets for troubleshooting purposes
- Temporary storage: Repository clones and Docker containers are created temporarily during job execution and deleted immediately upon completion
- Commercial datasets: Data sold or licensed to third parties may be retained indefinitely by those third parties
Data Retention
- Active job data: Retained for 90 days after job completion
- Historical logs: Retained for up to 30 days for debugging purposes
- Commercial data: Data used for sale or licensing may be retained indefinitely for business purposes
- Aggregated analytics: Anonymous performance metrics may be retained indefinitely
Data Location
Your data is processed and stored in AWS US-East regions and Supabase cloud infrastructure. We use industry-standard encryption for data in transit (TLS/SSL) and at rest.
Data Security
We implement security measures including:
- Encryption: TLS/SSL for data in transit, encrypted storage for sensitive credentials
- Container isolation: Each job runs in an isolated Docker container with limited resources and no persistent state
- Access controls: Limited employee access to production systems, role-based permissions
- Webhook verification: HMAC signature validation for all incoming GitHub webhooks
- Credential management: API keys and secrets stored securely using environment variables and secrets management systems
Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it to us immediately.
Your Rights and Choices
Uninstallation
You can uninstall CodeArena at any time from your GitHub repository settings. Upon uninstallation:
- We will stop accessing your repository data for new jobs
- Webhook subscriptions will be automatically removed
- Existing data may still be used or sold per our retention and commercial data policies
Data Access, Deletion, and Portability
You have the right to:
- Access: Request a copy of data we have collected about your usage
- Deletion: Request deletion of your data from our active systems (note: data already sold to third parties cannot be recalled)
- Correction: Request correction of inaccurate data
- Portability: Request your data in a machine-readable format
Important: While we can delete data from our systems, we cannot retrieve or delete data that has already been sold or transferred to third parties.
To exercise these rights, contact us at founders@entityml.com.
Repository Permissions
You control which repositories CodeArena can access through GitHub's installation settings. You can modify permissions at any time.
State-Specific Privacy Rights
California (CCPA/CPRA)
California residents have additional rights:
- Right to know what personal information is collected, sold, or disclosed
- Right to opt out of sale of personal information
- Right to request deletion of personal information
- Right to non-discrimination for exercising privacy rights
Other States
Residents of Virginia, Colorado, Connecticut, and other states with privacy laws may have similar rights. Contact us to exercise applicable rights.
Children's Privacy
CodeArena is not intended for use by individuals under 13 years of age. We do not knowingly collect information from children under 13.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted with an updated "Last Updated" date. Continued use of CodeArena after changes constitutes acceptance of the updated policy.
For significant changes, we will provide notice through:
- GitHub repository commits
- Email notification (if available)
- In-app notifications
Open Source and Transparency
CodeArena is committed to transparency. You can verify our data handling practices by examining the codebase.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: founders@entityml.com
Additional GitHub-Specific Information
This app complies with GitHub's policies for GitHub Apps and Marketplace applications:
Consent
By installing and using CodeArena, you consent to this Privacy Policy and our collection, use, sharing, and sale of information as described herein. By using this service, you acknowledge that your repository data, including source code, may be sold or licensed to third parties for commercial purposes.