1. Introduction

Welcome to ThinkReview ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Chrome extension and related services (collectively, the "Service"). Please read this privacy policy carefully.

Data Controller: ThinkReview trading as Thinkode LTD (Company Registration Number: 12850972) is the data controller responsible for your personal information. For questions about data protection, please contact us at support@thinkreview.dev.

2. User Data Collection

2.1 Authentication Information

When you sign in using Google OAuth through the Extension, we collect:

• Email address
• Name (given name and family name)
• Profile picture URL
• Locale preferences
• Google OAuth access tokens (stored locally in your browser)

2.2 Code Review Data

When you use the Extension to review code on GitLab, GitHub, or Azure DevOps:

• Code patch content (git diff format) from merge requests and pull requests
• Merge request/Pull request URLs
• Merge request/Pull request IDs
• Platform information (GitLab, GitHub, or Azure DevOps)

Important: Code patch content (git diff format) from merge requests and pull requests is discarded immediately after the review is completed. We do not retain or store your code patch content on our servers.

Local AI Option: When using the local Ollama AI option, code patch content is processed entirely on your local machine and is not transmitted to our servers. Only usage metadata (that a review was performed) may be tracked for analytics.

2.3 Conversation History and Prompts

When you use the conversational review feature to interact with the AI about code reviews:

• User prompts: We collect the text of questions and messages you send to the AI during conversational code reviews.
• Conversation history: We collect and process the full conversation history, including your messages and AI responses, to maintain context and provide coherent responses.
• Processing: Conversation history and prompts are sent to our backend services (hosted on Google Cloud Services) for processing by AI model APIs (Google Gemini Developer API, Anthropic Claude API, OpenRouter APIs, or OpenAI).
• Storage: Conversation history is maintained in your browser's memory during active sessions. When using cloud-based AI, conversation data is transmitted to our servers for processing and may be retained for up to 90 days for operational purposes. You can request deletion of your conversation history at any time by contacting us at support@thinkreview.dev.
• Local AI Option: When using the local Ollama AI option, conversation history and prompts are processed entirely on your local machine and are not transmitted to our servers.

2.4 Usage and Analytics Data

We collect the following usage information:

• Review count and daily review usage statistics
• Subscription information (plan type, status, billing period, cancellation status)
• Custom domain configurations (for self-hosted GitLab instances that you configure)
• Ollama configuration settings (if using local AI - stored locally and optionally synced)
• User feedback on reviews (ratings and optional comments)
• Review prompt interaction data (whether you submitted, deferred, or dismissed feedback prompts)
• Extension settings (AI provider preference, language preferences, UI state)

2.5 Local Browser Storage

The Extension stores the following data locally in your browser:

• User authentication data (email, name, profile information) - stored using Chrome's chrome.storage.local API
• OAuth tokens - stored securely in Chrome storage
• Extension settings (AI provider preference, language preferences, UI state) - stored in Chrome storage and browser localStorage
• Review history metadata - stored locally for quick access
• Subscription status - cached locally for offline access
• Custom domain configurations - stored locally for your configured GitLab instances

This local data remains on your device and is not automatically synced unless you are logged into Chrome with sync enabled. You can clear this data at any time through Chrome's extension settings or by uninstalling the Extension.

2.6 Payment Information

When you subscribe to a paid plan:

• We use LemonSqueezy for payment processing
• Payment information (credit card details, billing address) is handled directly by LemonSqueezy and is not stored by us
• We receive subscription status and billing information from LemonSqueezy to manage your account

2.7 Automatically Collected Information

• Usage Data: Information about how you use the Service, including features accessed, review requests made, and interaction patterns.
• Device Information: Browser type, version, operating system, and device identifiers.
• Log Data: IP addresses, timestamps, and error logs for debugging and service improvement.

3. Data Handling

We use the information we collect for the following purposes:

• Provide and Maintain Service: To deliver AI-powered code reviews and maintain functionality.
• Improve Our Service: To analyze usage patterns and enhance features and user experience.
• Authentication: To verify your identity and manage your account.
• Communication: To send service updates, security alerts, and respond to inquiries.
• Analytics: To understand how users interact with our Service and make data-driven improvements.
• Compliance: To comply with legal obligations and protect our rights.

4. Data Processing and AI Analysis

Code Review Processing:

• Cloud-Based AI: When using cloud-based AI (default), GitLab/GitHub/Azure DevOps merge request diffs are sent to our backend services (hosted on Google Cloud Services) for AI analysis using one or more of the following APIs: Google Gemini Developer API, Anthropic Claude API, OpenRouter APIs, or OpenAI.
• Local AI (Ollama): When using the Ollama local AI option, code patch content is processed entirely on your local machine. No code content is transmitted to our servers. Only usage metadata (that a review was performed) may be tracked for analytics.
• Processing: Code diffs are processed in real-time. Code patch content (git diff format) is discarded immediately after the review is completed and is not permanently stored on our servers.
• Conversation Processing: User prompts and conversation history are processed in real-time through our backend services using AI model APIs. Conversation data may be retained for up to 90 days for operational purposes. You can request deletion of your conversation history at any time by contacting us at support@thinkreview.dev.
• Caching: AI-generated reviews and summaries may be temporarily cached to improve performance and reduce API costs. However, the original code patch content itself is not cached or stored.
• Third-Party AI Services: When using cloud-based AI, code patches are processed using one or more of the following AI APIs: Google's Gemini Developer API, Anthropic's Claude API, OpenRouter APIs, or OpenAI. Each service provider's data processing practices are governed by their own privacy policies.

5. Data Sharing

We may share your information in the following circumstances:

• Service Providers: With third-party service providers who perform services on our behalf (e.g., Google Cloud Services, Open Router, Anthropic, OpenAI).
• Legal Requirements: When required by law or to respond to legal processes.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• With Your Consent: When you explicitly authorize us to share information.

We do not sell your personal information to third parties.

6. Data Security

We implement appropriate technical and organizational security measures to protect your information:

• All data transmissions are encrypted using HTTPS/TLS protocols.
• Google OAuth is used for secure authentication.
• Access to personal data is restricted to authorized personnel only.
• Regular security audits and updates to our systems.
• Firebase Authentication and Firestore security rules to protect user data.

7. Data Storage

7.1 Local Browser Storage

The Extension stores data locally in your browser using:

• Chrome Storage API (chrome.storage.local): Used for user authentication data, OAuth tokens, extension settings, subscription status, and custom domain configurations. This data persists until you clear it or uninstall the Extension.
• Browser localStorage: Used for UI preferences (panel state, width, language preferences). This data is stored per-domain and persists until you clear browser data.

You can manage or delete this local storage data at any time through Chrome's extension settings, browser settings, or by uninstalling the Extension.

7.2 Server Storage

We store the following data on our servers (hosted on Google Cloud Services):

• User Account Information: Email, name, profile data - retained until you delete your account.
• Code Review Metadata: Merge request/PR URLs, review counts, timestamps - retained for service functionality and analytics.
• Subscription and Billing Information: Plan type, status, billing period - retained as required for billing and legal compliance.
• Review Feedback and Analytics: User feedback, usage statistics - retained for service improvement.

7.3 Data Retention

We retain your information for as long as necessary to provide our Service and comply with legal obligations:

• Account Information: Retained until you delete your account. You can request account deletion by contacting us at support@thinkreview.dev.
• Code Review Content: Code patch content (git diff format) from merge requests and pull requests is discarded immediately after the review is completed and is not stored on our servers. Only metadata (URLs, IDs, timestamps) is retained for service functionality and analytics.
• Conversation History and Prompts: Conversation history and user prompts are retained for up to 90 days for operational purposes. You can request deletion of your conversation history at any time by contacting us at support@thinkreview.dev. Conversation history is also maintained in your browser's memory during active sessions.
• Usage Logs: Retained for up to 90 days for operational purposes.
• Billing Records: Retained as required by law for tax and accounting purposes.

8. Your Privacy Rights

Depending on your location, you may have the following rights:

• Access: Request access to your personal information.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information.
• Data Portability: Request a copy of your data in a structured format.
• Opt-Out: Opt out of certain data processing activities.
• Withdraw Consent: Withdraw consent for data processing where consent was required.

To exercise these rights, please contact us at support@thinkreview.dev.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Necessary Cookies: Maintain your session and authentication state. These are essential for the Service to function and cannot be disabled.
• Analytics Cookies: Analyze usage patterns through Google Analytics and Google Tag Manager to understand how visitors interact with our website.
• Preference Cookies: Remember your preferences and settings to improve user experience.

9.1 Cookie Consent

In compliance with GDPR and other privacy regulations, we request your consent before loading non-essential cookies (such as analytics cookies). When you first visit our website, you will see a cookie consent banner where you can:

• Accept All: Consent to all cookies including analytics cookies for tracking and analysis.
• Necessary Only: Only allow essential cookies required for the Service to function.

Your consent preference is stored in your browser's local storage and will be remembered for 365 days. You can change your cookie preferences at any time by clearing your browser's local storage or contacting us at support@thinkreview.dev.

9.2 Managing Cookies

You can control cookies through your browser settings, but disabling necessary cookies may affect Service functionality. To withdraw your consent for analytics cookies, you can clear your browser's local storage for our website or contact us for assistance.

10. Third-Party Services

Our Service integrates with third-party services that have their own privacy policies:

• Google OAuth: For user authentication. We receive your email, name, and profile picture from Google. Google's privacy policy applies: Google Privacy Policy
• Google Cloud Services: For backend services, hosting, and data storage. Google Cloud's privacy policy applies: Google Cloud Privacy Notice
• AI Model APIs: For cloud-based code analysis, we use multiple AI model APIs including:
  • Google Gemini Developer API - Google Privacy Policy
  • Anthropic Claude API - Anthropic Privacy Policy
  • OpenRouter APIs - OpenRouter Privacy Policy
  • OpenAI - OpenAI Privacy Policy
  When using cloud-based AI, code patches may be processed using any of these APIs. Each service provider's data processing practices are governed by their own privacy policy.
• LemonSqueezy: For payment processing. Payment information is handled directly by LemonSqueezy and is not stored by us. LemonSqueezy's privacy policy applies: LemonSqueezy Privacy Policy
• Ollama (Optional): For local AI processing. When you choose to use Ollama, code is processed entirely on your local machine. Ollama is an open-source tool you install and manage yourself. No data is shared with Ollama or us when using this option.

Data Sharing: We do not sell your personal information. We share data only with the third-party service providers listed above who assist in operating our service, and only to the extent necessary for them to provide their services.

11. Children's Privacy

Our Service is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure that such transfers comply with applicable data protection laws and implement appropriate safeguards.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last Updated" date.
• Sending an email notification for significant changes.
• Displaying a notification in the extension.

Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, shared, or sold.
• Right to delete personal information.
• Right to opt-out of the sale of personal information (we do not sell personal information).
• Right to non-discrimination for exercising CCPA rights.

15. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

• Right to access, rectify, and erase your personal data.
• Right to restrict or object to processing.
• Right to data portability.
• Right to lodge a complaint with a supervisory authority.
• Right to withdraw consent at any time.

16. Extension Permissions and Data Access

The Extension requires the following permissions to function:

• Storage Permission: To save your preferences, authentication data, and settings locally in your browser using Chrome's storage API.
• Identity Permission: To authenticate you using Google OAuth for secure sign-in.
• Web Navigation Permission: To detect navigation events (e.g., LemonSqueezy checkout completion) for subscription management.
• Scripting Permission: To inject content scripts on GitLab, GitHub, and Azure DevOps pages to provide code review functionality.
• Active Tab Permission: To access content on the current tab for extracting code patch content for review.

Host Permissions: The Extension requests access to:

• GitLab, GitHub, and Azure DevOps domains (to provide code review functionality on merge request/pull request pages)
• Our backend services (us-central1-thinkgpt.cloudfunctions.net) for processing reviews and managing your account
• ThinkReview webapp domains (thinkreview.dev, portal.thinkreview.dev, app.thinkreview.dev) for authentication synchronization
• Optional: Custom GitLab instance domains that you configure for self-hosted instances
• Optional: Local Ollama instances (http://localhost:11434 or your configured URL) for local AI processing

The Extension only accesses data on pages you visit and only when you actively use the Extension's features. We do not collect browsing history or access websites you don't explicitly use with our Extension.