Last Updated: October 2025
GDPR Compliance for Code Reviews
ThinkReview is fully compliant with the General Data Protection Regulation (GDPR), ensuring that your code review data and personal information are protected according to the highest European standards.
How We Handle Code Review Data Under GDPR
1. Lawful Basis for Processing
We process your code review data based on:
- Contractual Necessity: Processing merge request diffs is necessary to provide the AI code review service you requested.
- Legitimate Interest: We process usage data to improve our service and prevent fraud.
- Consent: We obtain explicit consent for analytics cookies and optional features.
2. Code Review Data Processing
When you request an AI code review for a GitLab merge request or Azure DevOps pull request:
- Minimal Data Collection: We only process the code diff (patch) content you explicitly request to be reviewed.
- Real-Time Processing: Code diffs are analyzed in real-time and are not permanently stored on our servers.
- No Code Storage: Your source code is never stored in our databases. Each review is processed and discarded immediately after completion.
- Transparent Processing: You control when code reviews are initiated - we never automatically scan your repositories.
3. Your GDPR Rights
As a data subject under GDPR, you have the following rights regarding your code review data and personal information:
- Right of Access: Request a copy of all personal data we hold about you, including account information and usage logs.
- Right to Rectification: Correct any inaccurate personal information in your account.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data. Since we don't store code reviews, deletion removes only account metadata.
- Right to Restrict Processing: Request that we limit how we process your data in certain circumstances.
- Right to Data Portability: Receive your personal data in a structured, machine-readable format.
- Right to Object: Object to processing of your data for legitimate interest purposes.
- Right to Withdraw Consent: Withdraw consent for optional data processing at any time.
4. Data Protection Measures
We implement comprehensive technical and organizational measures to protect your code review data:
- Encryption: All data transmissions use HTTPS/TLS encryption.
- Secure Authentication: Google OAuth provides secure, industry-standard authentication.
- Access Controls: Only authorized personnel can access systems, and access is logged and monitored.
- Regular Audits: We conduct regular security assessments and updates.
- Data Minimization: We only collect and process data necessary for providing the service.
5. Code Review Privacy in Practice
When you use ThinkReview for code reviews:
- You Control the Data: You explicitly trigger each code review by clicking "Review Code" on a merge request.
- No Automated Scanning: We never automatically scan or analyze your repositories without your explicit action.
- No Code Training: We do not use your code to train AI models. Code diffs are sent to Google's Gemini API for analysis and are not retained for training purposes.
- No Code Sharing: Your code reviews are private to your account and are never shared with other users or third parties.
6. Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with our service providers:
- Google Cloud: Our infrastructure provider for hosting and AI services.
- Firebase: For authentication and user data storage.
- Google Gemini AI: For code analysis (processing occurs under Google's DPA).
All third-party processors are GDPR-compliant and have appropriate safeguards in place.
7. Data Retention
Our data retention practices ensure minimal data storage:
- Code Review Data: Not stored - processed in real-time and immediately discarded.
- Account Information: Retained until you delete your account.
- Usage Logs: Retained for up to 90 days for operational and security purposes.
8. International Data Transfers
Your data may be processed in countries outside the EEA (European Economic Area). We ensure all transfers comply with GDPR requirements through:
- Standard Contractual Clauses (SCCs) with data processors
- Adequacy decisions where applicable
- Appropriate technical and organizational safeguards
9. Supervisory Authority
If you are located in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO).