Privacy Policy

Effective date: April 2, 2026  ·  Last updated: April 2, 2026

1. Overview

Faultmark ("we", "our", "us") is an AI-powered static code analysis tool. This Privacy Policy explains exactly what data we collect from you, how we process it, what we share with third parties, and your rights. We wrote this to be specific — not vague — because you're trusting us with your source code, and you deserve to know precisely what happens to it.

2. Data We Collect

Account information. When you register, we collect your name and email address. If you sign in via GitHub or Google OAuth, we receive your name, email, and public profile information from those providers. If you sign in with credentials, we store a hashed version of your password.

Onboarding preferences. During onboarding, we collect your self-reported role (e.g. Solo Developer, Team Lead, CTO) and primary tech stack (e.g. Next.js, Python). This is used to personalize your experience and is not sold or shared.

Connected repository metadata. When you connect a GitHub repository, we store the repository name, full name (owner/repo), URL, default branch, scan status, bug count, and last-scanned timestamp. We do not persistently store full file contents.

Scan records. For each scan you run, we store a record containing: scan ID, repository reference, branch name, timestamp, duration, number of bugs found, and scan status.

Bug reports and code snippets. For each bug Faultmark identifies, we store: the bug title, severity, affected file path, description, a specific buggy code snippet extracted from your file, the proposed fixed code, an explanation of the fix, a confidence rating, and — for Pro/Team plan scans — the debate transcript from the multi-model analysis. These code snippets are stored in our database and associated with your account. They are not full file copies; they are targeted excerpts relevant to the identified issue.

GitHub OAuth token. When you authenticate with GitHub, we receive an OAuth access token. This token is held in your encrypted session (JWT) and used to fetch file contents during scans and to create branches and Pull Requests when you accept a fix. We do not store your GitHub token in our database — it lives only in your session.

Pull Request URLs. If you accept a fix and we create a Pull Request on your behalf, we store the resulting GitHub PR URL in your bug record so you can track it.

Session and browser data. During an active scan, the scan's terminal output, confirmed bugs, and disputed bugs are cached in your browser's sessionStorage. This data is local to your browser tab and is automatically cleared when you close the tab. We do not transmit this client-side cache to our servers separately — the canonical results are saved to the database directly by the scan pipeline.

Usage and error logs. We collect anonymized server logs including API response times, error rates, and feature usage metrics. These are not linked to your identity and are used solely to monitor and improve service reliability.

Payment information. All billing is handled by Stripe. We do not receive or store your credit card number or full payment details. We store only the subscription status and Stripe customer ID associated with your account.

3. How We Use Your Data

  • To authenticate you and maintain your session
  • To fetch your repository files from GitHub for the purpose of running a scan you initiate
  • To transmit relevant code to AI providers and return analysis results to you
  • To store and display your scan history, bug reports, and fix proposals in your dashboard
  • To create branches and Pull Requests on GitHub when you explicitly accept a fix
  • To enforce usage limits and rate limits per your subscription plan
  • To send transactional emails (scan completion, billing receipts, account security notices)
  • To detect and prevent abuse, fraud, or unauthorized use
  • To improve the reliability and performance of the Service

We do not sell your data. We do not use your source code or bug reports to train AI models. We do not use your data for advertising.

4. How Your Code Is Processed

This section describes exactly what happens to your code during a scan:

Step 1 — Fetch. Using your GitHub OAuth token, Faultmark fetches up to 200 files from your repository via the GitHub API. Files larger than 100 KB are skipped. Common noise files (node_modules, build artifacts, lock files, images, .env files) are excluded automatically.

Step 2 — Transmit to AI. The fetched file contents are sent to one or more AI providers (Anthropic Claude on all plans; additionally OpenAI GPT-4o and Google Gemini on Pro/Team plans). This transmission occurs over HTTPS. The AI providers process your code to generate bug findings and fix proposals.

Step 3 — Store findings. The specific buggy code snippet and proposed fix for each identified bug are saved to your Faultmark account. Full file contents are discarded after analysis — we do not keep a copy of your entire codebase.

Step 4 — PR creation (optional). If you click "Accept" on a fix, Faultmark uses your GitHub token to read the current file, apply the fix, create a branch named faultmark/fix-{id}, commit the change, and open a Pull Request. This is the only write action Faultmark takes on your repository, and only when you initiate it.

5. Third-Party AI Providers

We share code with the following providers during scans:

Anthropic — Claude models. Used on all plans.

OpenAI — GPT-4o. Used on Pro and Team plans as part of the multi-model debate.

Google — Gemini. Used on Pro and Team plans as part of the multi-model debate.

Each of these providers processes your code solely to return analysis results. Faultmark operates under data processing agreements with each provider. Your code is not used for training their models under the terms of these agreements. Their own privacy policies also apply to data they receive.

6. GitHub as a Data Source and Target

Faultmark uses GitHub as both a source (reading your files) and a target (creating branches/PRs). Your GitHub OAuth token is held in your encrypted session and is never stored in plaintext in our database. Revoking Faultmark's access via your GitHub OAuth Apps settings will immediately prevent any further read or write operations on your repositories.

7. Data Retention

  • Account data — retained for the lifetime of your account
  • Scan records and bug reports (including code snippets) — retained for 12 months from the date of the scan, then automatically deleted
  • Onboarding preferences — retained for the lifetime of your account
  • Payment and billing records — retained as required by applicable law (typically 7 years)

You may request deletion of your account and all associated data at any time by contacting hello@faultmark.dev. We will process deletion requests within 30 days.

8. Cookies and Tracking

Faultmark uses only session cookies that are strictly necessary for authentication. We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral analytics services. We collect minimal first-party server-side metrics for service reliability — this data is aggregated and not linked to your identity or browsing behavior.

9. Data Security

We protect your data using industry-standard measures:

  • All data is transmitted over TLS (HTTPS)
  • Your database is hosted on Neon PostgreSQL with encryption at rest
  • Your GitHub token is stored only in an encrypted, server-side JWT session — never in plaintext in our database
  • All API routes verify your session before accessing or modifying any data
  • Bug records are scoped to your user ID — no cross-user access is possible

If you believe your account has been compromised, contact us immediately at hello@faultmark.dev.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and associated data
  • Portability — receive your scan history and bug reports in a machine-readable format
  • Restriction — object to or restrict certain processing of your data
  • Withdraw consent — revoke GitHub OAuth access at any time via GitHub settings; this stops all repository read/write operations immediately

To exercise any of these rights, email hello@faultmark.dev. We will respond within 30 days.

11. Children's Privacy

The Service is not directed at anyone under 18. We do not knowingly collect data from minors. If you believe we have done so, contact us and we will delete it immediately.

12. International Data Transfers

Faultmark is based in the United States. If you use the Service from outside the US, your data is transferred to and processed in the US. By using the Service, you acknowledge this. We take reasonable steps to ensure such transfers comply with applicable data protection law, including the GDPR for users in the European Economic Area.

13. Changes to This Policy

We may update this Privacy Policy at any time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

14. Contact

For all privacy-related questions, data requests, or deletion requests: hello@faultmark.dev