Privacy Policy
Effective Date: December 14, 2025
Critical Context ("we," "us," or "our") operates the critical.cx platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Password (stored in encrypted/hashed form)
- Organization/company name
- Optional profile information (username, avatar)
1.2 Connected Account Data
When you connect third-party services, we collect and store:
- GitHub: OAuth access tokens, GitHub user ID, and repository access permissions
- Slack: OAuth tokens, workspace information, bot credentials, and team metadata
Access tokens are encrypted at rest using industry-standard encryption.
1.3 Repository and Code Data
When you connect repositories to Critical Context:
- We clone and store copies of your repository code on our secure servers
- Code is used exclusively to answer questions about your codebase
- Repository metadata (name, URL, timestamps) is stored in our database
1.4 Chat and Message Data
When you interact with our AI-powered chat features:
- Questions you ask about your code
- AI-generated responses and analysis
- Token usage metrics for billing purposes
- File attachments you upload
1.5 External User Data (Embedded Chat)
When visitors use embedded chat widgets on your website:
- First name, last name, and email (if provided)
- A visitor token stored in cookies to maintain session continuity
- Chat conversation history
1.6 Event and Webhook Data
When you use our API or webhook integrations:
- Webhook payloads and event data you send to our endpoints
- Processing status and timestamps
- Error messages for failed events
1.7 Payment Information
Payment processing is handled by Stripe. We store:
- Stripe customer and subscription identifiers
- Plan details and billing period information
- Subscription status
We do not store credit card numbers or full payment details on our servers.
1.8 Automatically Collected Information
When you access our service, we automatically collect:
- IP address
- Browser type and user agent
- Session information
- Access timestamps
- Pages visited and features used
1.9 API Credentials You Provide
To enable AI features, you may provide:
- Anthropic API keys
- AWS credentials (for Amazon Bedrock)
- Google Cloud credentials (for Vertex AI)
All API credentials are encrypted at rest and transmitted securely.
2. How We Use Your Information
We use the information we collect to:
- Provide our services: Answer questions about your codebase using AI analysis
- Process integrations: Connect with GitHub, Slack, and other services you authorize
- Manage your account: Handle authentication, billing, and subscription management
- Improve our service: Analyze usage patterns to enhance features and performance
- Communicate with you: Send service-related notifications, updates, and support responses
- Ensure security: Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations: Meet regulatory requirements and respond to legal requests
3. Information Sharing and Disclosure
We do not sell your personal information. We may share information in the following circumstances:
3.1 Service Providers
We share data with trusted service providers who assist in operating our service:
- AI Providers: Your questions and code context are sent to AI providers (Anthropic, AWS Bedrock, or Google Vertex AI) to generate responses
- Payment Processing: Stripe processes payments and manages subscriptions
- Error Tracking: Sentry receives error reports to help us identify and fix issues
- Infrastructure: Cloud hosting providers that store and process data
3.2 Connected Services
When you connect services like GitHub or Slack, data flows between Critical Context and those platforms according to their respective privacy policies.
3.3 Legal Requirements
We may disclose information if required by law, legal process, or government request, or to protect the rights, property, or safety of Critical Context, our users, or others.
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction. We will notify you of any such change.
4. Third-Party Services
Our service integrates with the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude) | AI code analysis | Questions, code context |
| AWS Bedrock | Alternative AI provider | Questions, code context |
| Google Vertex AI | Alternative AI provider | Questions, code context |
| GitHub | Repository access | OAuth tokens, repo data |
| Slack | Team integration | OAuth tokens, messages |
| Stripe | Payment processing | Billing information |
| Sentry | Error monitoring | Error reports, diagnostics |
Each third-party service has its own privacy policy. We encourage you to review their policies.
5. Data Security
We implement robust security measures to protect your data:
- Encryption at Rest: Sensitive data including API keys, OAuth tokens, and credentials are encrypted using industry-standard encryption
- Encryption in Transit: All data is transmitted over HTTPS/TLS
- Password Security: Passwords are hashed using bcrypt with secure salting
- Access Controls: Strict access controls limit who can access your data
- Secure Sessions: Session cookies are signed and configured with security best practices
- Isolated Processing: Code analysis runs in isolated environments
While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
5.1 Multi-Tenant Architecture
Critical Context operates as a multi-tenant service, meaning multiple customers share the same underlying infrastructure. While we implement technical measures to logically separate customer data, you should be aware that:
- Shared Infrastructure: Your data is stored on shared servers, databases, and storage systems alongside other customers' data
- Logical Separation: We use database-level access controls, encrypted credentials, and account-scoped queries to separate customer data
- Shared Processing: Background jobs and code analysis run on shared computing resources
- Best Effort Isolation: While we strive to maintain strict data isolation, we cannot guarantee that data will never be inadvertently accessible across customer boundaries due to software bugs, misconfigurations, or security vulnerabilities
For organizations requiring complete data isolation, we recommend exploring our self-hosted deployment option, which provides dedicated infrastructure under your control.
5.2 Security Limitations
No security system is impenetrable. Despite our security measures:
- Sophisticated attackers may find ways to circumvent security controls
- Software vulnerabilities may exist that could expose data
- Third-party services we rely on may experience security incidents
- Human error may result in unintended data exposure
By using our Service, you acknowledge these inherent limitations and accept the associated risks.
6. Data Retention
We retain your information for as long as necessary to provide our services and fulfill the purposes described in this policy:
- Account Data: Retained while your account is active and for a reasonable period afterward
- Chat History: Retained to provide conversation continuity and history features
- Repository Data: Retained while repositories are connected; deleted upon disconnection
- Event Logs: Retained for operational and debugging purposes
- Billing Records: Retained as required by law for accounting and tax purposes
You may request deletion of your data at any time (see "Your Rights and Choices").
6.1 Security Incident Response
In the event of a security incident that affects your personal data or content, we will:
- Investigate: Promptly investigate the scope and impact of the incident
- Contain: Take reasonable steps to contain and mitigate the incident
- Notify: Notify affected customers as required by applicable data protection laws
- Report: Report to relevant supervisory authorities as required by law
6.2 Notification Procedures
If a security incident affects your data, we will notify you using the contact information associated with your account. To ensure you receive timely notifications:
- Keep your account email address current
- Add our domain to your email allow list
- Designate a security contact for your organization if applicable
6.3 Notification Timeline
We will provide notification of security incidents as required by applicable law:
- GDPR: Within 72 hours of becoming aware of a breach affecting EU residents' personal data
- Other jurisdictions: As required by applicable breach notification laws
Notification may be delayed if law enforcement requests a delay or if we need additional time to investigate the scope of the incident.
7. Your Rights and Choices
You have the following rights regarding your personal data:
7.1 Access and Portability
You can access most of your data directly through your account dashboard. You may request a copy of your personal data by contacting us.
7.2 Correction
You can update your account information through your account settings. Contact us for corrections to other data.
7.3 Deletion
You may request deletion of your account and associated data. Some data may be retained as required by law or for legitimate business purposes.
7.4 Disconnect Services
You can disconnect GitHub, Slack, and other connected services at any time through your account settings.
7.5 Revoke API Tokens
You can revoke API tokens and regenerate credentials through your account settings.
7.6 GDPR Rights (EU Users)
If you are in the European Economic Area, you have additional rights including:
- Right to restrict processing
- Right to object to processing
- Right to data portability
- Right to lodge a complaint with a supervisory authority
7.7 CCPA Rights (California Residents)
California residents have the right to:
- Know what personal information is collected
- Know whether personal information is sold or disclosed
- Say no to the sale of personal information (we do not sell personal information)
- Request deletion of personal information
- Not be discriminated against for exercising these rights
To exercise any of these rights, contact us at privacy@critical.cx.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
When we transfer data internationally, we implement appropriate safeguards to protect your information, including:
- Standard contractual clauses approved by relevant authorities
- Data processing agreements with service providers
- Security measures described in this policy
9. Children's Privacy
Our service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Effective Date" at the top
- Sending you an email notification for significant changes
Your continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@critical.cx
- Website: https://critical.cx
For data protection inquiries in the EU, you may also contact your local data protection authority.