Privacy Policy
Last updated: 2026-04-16
CEO: Hong Sang Hyuk · Business Registration: 114-86-83769
4 Nambusunhwan-ro 351-gil, Gangnam-gu, Seoul, Republic of Korea
Privacy Contact: help@bitmax.im · Tel: +82-2-585-9566
Payment processing is handled by Paddle.com Market Limited, acting as our Merchant of Record. Paddle may collect and process your payment information in accordance with Paddle's Privacy Policy.
1. Information We Collect
- GitHub Account: login, email (public or primary/verified), display name, avatar URL. GitHub App OAuth scope: read:user, user:email only.
- Repository Metadata: name, default branch, language, commit SHA, dependency manifests (package.json, requirements.txt, go.mod, etc.).
- Audit Logs: login events, PR creation/merge, scan results, billing events. IP address and User-Agent are retained for 90 days for security investigation, then automatically purged.
2. Purpose of Collection
We collect the minimum information necessary for CVE detection, AI auto-repair, and compliance report generation (EU CRA, NIS2). Collected data is never sold to third parties and is not used for marketing purposes.
3. Security Measures
- Passwords are hashed using bcrypt with a cost factor of 12.
- All data is stored in PostgreSQL 16 on AWS EC2 (us-east-1).
- Sensitive fields (GitHub App Private Key, Stripe Customer ID, SECRET_KEY) are encrypted at application level using AES-256.
- Transport is protected by TLS 1.2+ (Let's Encrypt) with HSTS preload.
- Row Level Security (FORCE) enforces org-level data isolation at the database level.
- AI sandbox runs with Docker flags: --network none, --read-only, --cap-drop ALL, --security-opt no-new-privileges.
- Audit log entries are chained with SHA-256 hashes for tamper detection.
4. Sub-processors
| Provider | Purpose | Data Shared |
|---|---|---|
| AWS (EC2, RDS) | Infrastructure | All data (encrypted at rest) |
| Anthropic | AI code generation (Stage 2) | Vulnerable code snippets (zero-retention) |
| GitHub | OAuth + repository access | User profile, repository metadata |
| Paddle | Payment processing (Merchant of Record) | Billing information, transaction data |
| Resend | Transactional email | Email address, notification content |
5. Your Rights (GDPR / CCPA)
If you are located in the EU/EEA or California, you have the right to access, correct, delete, port, or restrict processing of your personal data. Contact help@bitmax.im and we will respond within 30 days.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the Republic of Korea and the United States (AWS us-east-1). We ensure appropriate safeguards are in place in accordance with GDPR Article 46.
7. Cookies
We use a single session cookie (patchops_session) that is HttpOnly, Secure, and SameSite=Lax. No third-party tracking cookies are used.
8. Data Retention
- Audit logs: 7 years (EU CRA requirement)
- CVE findings: subscription period + 30 days
- AI repair history: subscription period + 30 days
- IP address / User-Agent: 90 days
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
10. Contact
Data Protection Officer: help@bitmax.im