Privacy Policy
Last Updated: December 5, 2025
1. Introduction
AnnexFour ("we") respects your privacy and is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR).
2. Data We Collect
- Account Data: Email address, name, and billing details (processed by Stripe).
- Usage Data: IP address, browser type, and interaction logs (processed by Vercel/Hetzner logs).
- Project Data: GitHub repository URLs and branch names you submit for scanning.
3. How We Process Source Code
We employ a strict "Ephemeral Processing" policy for source code analysis:
- We clone your repository to a temporary, isolated container.
- We perform static analysis (AST scanning) to extract metadata (library names, risk indicators).
- We permanently delete the cloned source code from our servers immediately after the scan is complete.
- We only store the metadata (e.g., "pandas detected") and the generated report in our database. We never store your raw code.
4. Data Storage and Transfer
- Location: Our primary infrastructure is hosted in Germany (Hetzner) and compliant with EU data sovereignty standards.
- Subprocessors: We use the following third-party service providers:
  - Stripe: Payment processing (USA, Data Privacy Framework certified).
  - OpenRouter/OpenAI: LLM inference (USA, Enterprise Zero-Retention Agreement).
5. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Request erasure of your data ("Right to be Forgotten").
- Object to processing.
To exercise these rights, email privacy@annexfour.com.
6. Cookies
We use essential cookies for authentication (session management). We do not use third-party tracking cookies for advertising purposes.