This Privacy Policy explains how Issue to Code (the “Service”) processes the personal data and code-related information of its users (“you”). The Service is operated as a graduation thesis project at Universidad Peruana de Ciencias Aplicadas (UPC) and is not, at the date of this document, a production commercial service. By using the Service you accept the practices described below.
The data controller for the purposes of Peruvian Law N° 29733 (Ley de Protección de Datos Personales) and its regulations is the project author. For any privacy-related request, contact us at u202121440@upc.edu.pe.
1. Data we collect
We only collect what is strictly required to make the Service work. Specifically:
- Account data: email address, display name, and a password hash. If you sign in with GitHub, we additionally receive your GitHub user id and public profile information returned by the OAuth handshake.
- GitHub access token: when you connect your GitHub account, the Service stores your OAuth access token encrypted at rest with AES-GCM. The token is only decrypted in memory at the moment of an API call (cloning a repo, opening a pull request) and is never logged.
- Repository metadata: name, default branch, detected languages, file count, and the structural code map (list of symbols and their relationships) that powers the retrieval agents.
- Issue data: the title, description, type and base branch of each issue you create, plus the artefacts the pipeline produces (plan, generated code files, pull request URL).
- Operational logs: timestamps and request metadata (status codes, latencies). We do not log request bodies that contain your source code.
2. What we do NOT store
The promise on the landing page is explicit and worth repeating here:
- We do not permanently store the source code of your repositories. During indexation the Service clones a shallow copy to a temporary directory, extracts symbols and embeddings, and deletes the clone immediately afterwards. When an agent needs the source of a symbol mid-pipeline, the repo is re-cloned shallow for the duration of that run and then removed.
- We do not share your code, embeddings or issues with third parties beyond the strictly necessary processors listed in section 4.
- We do not use your code or issues to train any machine learning model owned by the Service.
3. How we use your data
We use the data described above only for the following purposes:
- To create and authenticate your account.
- To run the agent pipeline that converts an issue into a pull request (parsing, retrieving relevant code, generating a plan, generating code, self-reviewing the output, opening the PR on GitHub).
- To display the state of your repositories, issues and pipeline runs in the application interface.
- To monitor the Service's health, detect abuse and enforce the rate limits described in the Terms.
- To comply with legal obligations and respond to lawful requests from competent Peruvian authorities.
4. Third-party processors
To deliver the Service we rely on the following third parties, each acting as a data processor. By using the Service you accept that your data may be processed by them under their own privacy policies:
- Anthropic (Claude API): receives prompts derived from your issue, the retrieved code symbols and the generated plan, in order to produce the agents' output. Anthropic does not train its public models on API inputs by default.
- OpenAI: receives text snippets to compute embeddings (no LLM completion). The Service uses the embeddings endpoint only; OpenAI does not retain inputs to train models for API customers by default.
- GitHub: receives the API calls required to clone your repositories, read issues and open pull requests, under the scopes you grant via OAuth.
- Self-hosted infrastructure (Postgres, Redis, Qdrant): stores account data, pipeline state, embeddings and the code map. These services run on a private VPS managed by the project author and are not exposed publicly.
5. Retention
- Account data: kept while your account is active. You can delete your account at any time by contacting us.
- Repositories: kept as long as you keep them indexed. Deleting a repository removes its code map, embeddings and associated issues immediately.
- Issues and pipeline history: kept until you delete them. Deleting an issue removes its pipeline steps and generated artefacts; any pull request already opened on GitHub stays on GitHub and is governed by its policies.
- Temporary clones: removed at the end of each indexation or pipeline run, typically within minutes.
- SSE event buffer: pipeline events kept in Redis for up to one hour to support reconnection.
6. Your rights
Under Peruvian Law N° 29733, and in alignment with international good practice (GDPR), you have the right to:
- Request access to the personal data we hold about you.
- Request rectification of inaccurate data.
- Request deletion of your account and the data associated with it.
- Withdraw the GitHub connection at any time from Settings. Once disconnected, we no longer hold a usable access token.
- File a complaint with the Autoridad Nacional de Protección de Datos Personales (ANPD) of Peru if you believe your rights are not being respected.
To exercise any of these rights, write to u202121440@upc.edu.pe.
7. Security
- All traffic to the Service is served over HTTPS in any deployment intended for users.
- GitHub access tokens are stored encrypted at rest (AES-GCM).
- Queries to the vector store and the relational database always filter by your user id; we do not expose collection names or internal identifiers to other users.
- We do not execute the code generated by the agents on our infrastructure. Validation is performed statically (syntax tree parsing + self-reflection by the model).
As this is a thesis project, security controls are MVP-grade. Do not connect repositories that contain regulated or highly sensitive information.
8. International transfers
Anthropic, OpenAI and GitHub process data outside of Peru, primarily in the United States. By using the Service you accept that your data may be transferred to these jurisdictions under the contractual and technical safeguards provided by each processor.
9. Cookies
The Service uses a single first-party cookie of type “strictly necessary”: access_token, an HTTP-only cookie that keeps you signed in. No analytics, marketing or third-party tracking cookies are used.
10. Changes to this policy
We may update this Privacy Policy as the Service evolves. Changes take effect on the date shown at the top of this page. Material changes will be communicated through the application interface before they take effect.
11. Contact
For any privacy-related question, write to u202121440@upc.edu.pe.