Privacy Policy

By logging into your TechDebtGPT account, you agree to be bound by our Privacy Policy.

Introduction

  • Purpose: This privacy policy explains how we collect, use, store, share, and protect your data when you use our AI code analysis application.
  • Commitment to Privacy: We are committed to safeguarding your data and complying with applicable data protection laws, such as GDPR and CCPA, where relevant.

Information We Collect

We collect the following data to provide our services:

  • Source Code: Code retrieved from git providers, including Azure DevOps, GitLab, Bitbucket, and GitHub.
  • Work Items: Tasks, issues, or other work-related data from board providers, such as Jira and Azure DevOps.
  • Other Data: If applicable, we may collect user account information (e.g., email addresses, usernames) for authentication or communication purposes.

How We Use Your Information

We use your data to deliver code analysis and related services:

  • Source Code:
    • Sent to third-party LLMs for automated analysis to provide insights or recommendations.
    • Processed by SonarQube (hosted by us) for static code analysis to identify issues or vulnerabilities.
    • Converted into a vectorized form and stored in our Qdrant database for future analysis or reference.
  • Work Items:
    • Stored in our database to analyze project workflows and provide integrated insights.
  • Purpose:
    • To enhance code quality, provide actionable insights, and integrate with your development processes.

Information Sharing

We share your data only as necessary to provide our services:

  • Source Code:
    • Shared with third-party LLMs for analysis. These providers are contractually obligated to use the data solely for the requested analysis and not for other purposes, such as training their models, without your explicit consent.
    • Processed by SonarQube, which is hosted and controlled by us.
  • Vectorized Code:
    • Stored in Qdrant, which is hosted and managed by us.
  • Work Items:
    • Stored in our database and not shared with third parties unless required for service delivery (e.g., with hosting providers).
  • Service Providers:
    • We may share data with trusted service providers (e.g., cloud hosting services) under strict confidentiality agreements to ensure data security.

Data Security

We implement industry-standard security measures to protect your data:

  • Transmission: Source code is transmitted to third-party LLMs using secure channels (e.g., HTTPS).
  • Storage: Vectorized code in Qdrant and work items in our database are protected with encryption and access controls, limiting access to authorized personnel only.
  • Third-Party Security: We require third-party LLMs to maintain robust security practices compliant with industry standards.

Data Retention

We retain data only as long as necessary:

  • Source Code: Not stored by our app; it is only transmitted for analysis and deleted after processing.
  • Vectorized Code: Stored in Qdrant for the duration of your service use plus 30 days, after which it is deleted, unless required by law.
  • Work Items: Stored in our database for the duration of your service use plus 90 days, after which they are deleted, unless required by law.
  • Retention Policy: We periodically review stored data to ensure compliance with this policy.

Your Rights

You have rights over your data, subject to applicable laws:

  • Access: Request a copy of the data we hold about you.
  • Correction: Request corrections to inaccurate data.
  • Deletion: Request deletion of your data, subject to legal obligations.
  • Contact: Reach out to us at [insert contact email] to exercise these rights or for any privacy concerns.

Contact Us

For questions or concerns about this privacy policy or our data practices:

  • Email: info@techdebtgpt.com
  • Response Time: We aim to respond to inquiries within one (1) business day.

Effective Date: April 22, 2026

Who We Are

TechDebtGPT is provided by Ritech International AG, Dammstrasse 19, 6300 Zug, Switzerland. For the activities described in this notice, Ritech International AG is the controller of personal data described here.

TechDebtGPT is a trademark of Ritech International AG.

If you have privacy questions or want to exercise your rights, contact us at techdebtgpt@ritech.co.

Scope

This notice applies to the TechDebtGPT website, signup and authentication flows, authenticated product features, and customer-enabled integrations reflected in the current TechDebtGPT service as of April 22, 2026. It covers:

  • website visitors;
  • trial users;
  • customer users and workspace members;
  • organization owners, admins, and other authorized users;
  • support contacts and people who communicate with us about the service; and
  • people whose personal data enters the service through customer-enabled integrations, chats, reports, or collaboration features, such as repository contributors, pull request participants, work-item assignees, or Slack participants.

Personal Data We Collect

Depending on how TechDebtGPT is used, we may collect and process the following categories of personal data:

  • account and profile data, such as name, email address, phone number, company, job role, industry, organization membership, account status, and login credentials or password hashes;
  • authentication and security data, such as sign-in records, refresh or access token records, MFA state, MFA method, recovery code records, passkey records, security verification data, and related audit information;
  • organization and workspace data, such as organization names, descriptions, avatars, subscription-related identifiers, user roles, project settings, workspace configurations, and administrative preferences;
  • repository and engineering data, such as repository URLs, clone URLs, branches, commits, pull requests, issues, work items, boards, reviews, comments, contributor records, team records, and related metadata;
  • prompts, chats, reports, and collaboration content, such as prompt text, chat messages, Slack thread content, report content, settings, files, code, code excerpts, and related metadata;
  • search and embedding data, such as embeddings, retrieval metadata, content snippets, excerpts, file paths, repository metadata, and associated index records;
  • connected-provider data, such as provider account IDs, usernames, avatars, emails, OAuth tokens, bot tokens, scopes, workspace or team identifiers, and profile information returned by connected services;
  • customer-supplied model credentials, such as API credentials customers choose to configure for supported model providers;
  • technical, device, and log data, such as IP address, browser type, operating system, device information, timestamps, request or response metadata, error logs, and security event logs;
  • consent and preference data, such as CookieYes consent choices, analytics consent state, theme choices, and other product preferences; and
  • cookies and browser storage data, including data stored through cookies, localStorage, and sessionStorage.

Sources of Data

We collect personal data from several sources:

  • directly from users, administrators, and support contacts;
  • from organization admins, teammates, and other users acting within a customer workspace;
  • from connected services and customer-enabled integrations, including GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Slack, and SonarQube; and
  • automatically through browsers, cookies, browser storage, security tools, logs, and similar technologies used to operate and protect the service.

How We Use Personal Data

We use personal data to:

  • create and manage accounts, organizations, workspaces, and user access;
  • authenticate users, support MFA and other security features, detect abuse, and protect the service;
  • connect to repositories, boards, chat systems, and other customer-enabled integrations;
  • analyze repositories, pull requests, work items, reports, and related engineering or operational data;
  • generate AI-assisted answers, summaries, forecasts, reports, recommendations, and other requested outputs;
  • create embeddings, search indexes, retrieval context, and related analysis features;
  • synchronize data from connected providers and keep customer workspaces up to date;
  • measure usage, product performance, and service analytics when optional analytics technologies are enabled;
  • respond to support requests, troubleshoot problems, and communicate with users about the service;
  • send service, security, and administrative communications;
  • comply with legal obligations, legal process, and regulator requests; and
  • investigate violations and enforce our terms, policies, and other legal rights.

Legal Bases for EU/UK Users

For users in the EU and UK, we rely on the following legal bases:

  • Contract: to provide the service, create and manage accounts, authenticate users, connect integrations, generate requested outputs, and carry out related service operations;
  • Legitimate interests: to secure the service, prevent fraud and abuse, improve reliability and performance, operate analytics that do not depend on consent, support customers, investigate misuse, protect our rights, and manage ordinary business operations;
  • Consent: for optional analytics technologies and related data collection that depends on your analytics consent choice; and
  • Legal obligation: to keep required records, respond to lawful requests, and meet applicable legal, regulatory, tax, accounting, or compliance duties.

Cookies and Similar Technologies

TechDebtGPT uses cookies and similar technologies, including browser-based storage, for core service operations and, if you allow it, analytics.

  • CookieYes: We use CookieYes as our consent manager to record and manage cookie consent choices.
  • Necessary cookies and browser storage: We use necessary cookies and browser storage, including localStorage and sessionStorage, to support core functionality such as sign-in state, JWT or session handling, CSRF-related flows, MFA progression, consent state, theme selection, and other service preferences.
  • PostHog analytics: We use PostHog for analytics and product measurement. PostHog analytics are gated by analytics consent managed through CookieYes.
  • Google reCAPTCHA: We use Google reCAPTCHA in authentication and similar flows to help detect bots, abuse, and fraudulent activity.
  • No additional claim about GPC or advertising opt-outs: This notice does not claim support for Global Privacy Control signals or separate targeted-advertising opt-out mechanisms unless and until those are separately confirmed and implemented.

You can manage cookie choices through the consent tools made available in the service and through your browser settings, although disabling necessary technologies may affect how the service works.

AI and Code Analysis

TechDebtGPT includes AI-assisted analysis and code-processing features. As part of providing those features:

  • customer content, prompts, repository material, work-item content, chat content, files, code, code excerpts, and related metadata may be sent to model and embedding providers to deliver requested outputs;
  • TechDebtGPT uses model and embedding workflows involving OpenAI, Anthropic, Google, and AWS Bedrock;
  • repositories may be temporarily cloned to infrastructure controlled by or for Ritech during analysis, indexing, and related workflows, and cleanup routines are run after those workflows;
  • TechDebtGPT uses Qdrant for vector and retrieval infrastructure, and Qdrant can retain embeddings, metadata, and associated content snippets or excerpts used for retrieval and search; and
  • AI outputs can reflect the inputs, prompts, configuration, and connected data made available by the customer or user.

This notice does not state that repositories or source code bypass storage during processing, does not characterize Qdrant as holding embeddings without related content, and does not make a broader claim about how third-party model providers may use data beyond what has been separately confirmed in writing.

Sharing and Recipients

We share personal data only as needed for the purposes described above. Recipients may include:

  • Ritech personnel and contractors with a legitimate need to access data for operations, support, security, development, or compliance;
  • Amazon Web Services (AWS) for hosting, infrastructure, compute, storage, networking, and related operational services;
  • Qdrant for vector database and retrieval infrastructure;
  • PostHog for analytics when analytics consent is active;
  • CookieYes for consent management;
  • Google reCAPTCHA for bot and abuse prevention;
  • connected collaboration and development providers such as Slack, GitHub, GitLab, Bitbucket, Azure DevOps, Jira, and SonarQube, when customers choose to connect them;
  • model and AI infrastructure providers, including OpenAI, Anthropic, Google, and AWS Bedrock, when needed to process customer requests;
  • email and messaging service providers, including AWS SES and other SMTP-based delivery providers used to send account, service, or operational emails;
  • other customer-directed integrations and recipients that users or administrators enable or instruct us to use;
  • legal, compliance, audit, insurance, and professional-advisory recipients when reasonably necessary; and
  • parties involved in an actual or proposed financing, merger, acquisition, reorganization, sale of assets, or similar transaction.

Some recipients act on our behalf and some receive data as part of customer-directed workflows or under their own platform terms.

International Transfers

Ritech International AG is based in Switzerland. TechDebtGPT uses primary hosting and several providers in the United States, including AWS resources in us-east-1, and processing may occur in Switzerland, the EU or UK, the United States, and other locations where our providers operate.

When personal data is transferred across borders, Ritech takes steps designed to protect the data consistent with applicable law. This notice does not identify a specific transfer mechanism for every transfer, and any more specific safeguard claim should be confirmed before publication.

Retention and Deletion

We retain personal data for as long as needed for the purposes described in this notice, the customer relationship, our operational needs, and applicable legal obligations.

  • temporary repository clones used in analysis workflows are cleaned up after those workflows run;
  • accounts may be deactivated or soft-deleted, and some identifying fields may be nulled, disabled, or replaced rather than immediately erased everywhere;
  • project, repository, pull request, work-item, report, chat, Slack, integration, search-index, analytics, log, backup, audit, and security records may persist for as long as reasonably needed for service operations, troubleshooting, dispute handling, fraud prevention, legal compliance, and ordinary deletion or backup cycles; and
  • deleting content from the product or disconnecting an integration may not immediately remove every related copy from active systems, logs, or backups.

If you want deletion or export assistance, contact us at techdebtgpt@ritech.co. In some cases we may need to coordinate with the customer organization that administers your workspace.

Security

We use reasonable technical and organizational measures designed to protect personal data. Based on the reviewed code and infrastructure, those measures include access controls, role-based permissions, MFA options, encrypted transport, bot-abuse protections, web security controls, and other security features used in ordinary service operation.

Security measures vary by component and provider, and no method of transmission, storage, or processing is completely secure. We do not guarantee perfect security or claim the same protection model across all service components.

Rights and Choices

Depending on where you live, you may have rights regarding your personal data.

  • EU and UK users: You may have the right to request access, rectification, erasure, restriction, objection, and data portability, and to withdraw consent for processing that depends on consent.
  • U.S. state privacy rights: Where applicable, you may have rights to know or access, delete, correct, and obtain portability of personal data.
  • Consent choices: You can withdraw analytics consent through the consent tools we make available, and future processing that depends on that consent will stop after your choice is applied.
  • Complaints: You may have the right to complain to an applicable data protection or privacy regulator.

To exercise rights, email techdebtgpt@ritech.co. We may need to verify your identity, your authority to make the request, and the scope of data involved before completing a request.

If we deny a request, you can appeal by replying to the denial or by emailing techdebtgpt@ritech.co with Privacy Appeal in the subject line.

Children

TechDebtGPT is intended for business and professional use. The services are not directed to children, and Ritech does not knowingly collect personal data from children under 13 through the services.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version with a new effective date and provide additional notice where required by law.

Contact Us

Ritech International AG
Dammstrasse 19
6300 Zug
Switzerland
techdebtgpt@ritech.co