Privacy Policy

Last Updated: October 17, 2025

Introduction

KLG Tech Innovations Limited (“Kolega,” “we,” “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Service at kolega.dev.

This policy applies to individual users of our Service for the Free and Pro tiers. If you use Kolega through your employer, their privacy policies may also apply. For information about cookies and tracking technologies, please see our separate Cookie Policy.

For questions about this policy, contact: contact@kolega.ai

Personal Data We Collect

Information You Provide

  • Account Information: Name, email address, and profile details from your GitHub account when you authenticate via GitHub OAuth.
  • Payment Information: Billing details and payment method information for paid subscriptions. This information is securely transmitted to and stored by our payment processor, CityPay.
  • Communications: Content of your messages when you contact us for support or feedback.
  • Repository Content: Code from repositories you connect for scanning. This is accessed temporarily for analysis and not stored permanently.
  • Professional Information: Resume and background details if you apply for positions with us.
  • Location Information: City, ZIP/postal code, state, county, country, latitude (of city), longitude (of city), metro area, and geography/region information.

Information Collected Automatically

  • Technical Data: IP address, browser type, device information, operating system, and connection details.
  • Usage Data: Features used, actions taken, timestamps, errors encountered, performance metrics, number of users, and session statistics.
  • Scan Data: Vulnerability findings, severity levels, affected file locations, and remediation status.
  • Location Data: Approximate location based on IP address for service optimization and security.
  • Cookies and Trackers: We use cookies and other tracking technologies to enhance your experience. For detailed information about cookies, please see our Cookie Policy.

How We Use Your Data

We process your personal data to:

  • Provide and maintain our Service
  • Manage your account and subscriptions
  • Process payments and prevent fraud
  • Communicate service updates and respond to inquiries
  • Improve our Service through analytics
  • Ensure security and prevent abuse
  • Comply with legal obligations
  • Enforce our Terms of Service
  • Optimize and distribute traffic
  • Provide hosting and backend infrastructure
  • Perform analytics and monitor web traffic
  • Display content from external platforms

Important: We do not use your code or scan results to train AI models.

Legal Basis for Processing (EEA/UK Users)

We process your data based on:

  • Contract: To provide the Service you've requested
  • Consent: For marketing communications and optional features
  • Legal Obligation: To comply with laws and regulations
  • Legitimate Interests: For security, fraud prevention, and service improvement

Data Sharing

We share your data only with:

Service Providers

  • Amazon Web Services (AWS): Cloud infrastructure, hosting, backend infrastructure, and traffic optimization through Amazon S3 and Amazon CloudFront
  • MongoDB: Database and analytics
  • AI Model Providers: OpenAI, Anthropic, Google (with zero data retention agreements) for code analysis and fix generation
  • GitHub: Repository access, webhook integration, and pull request creation
  • Atlassian Jira, Azure DevOps, Linear: Ticket management and workflow integration (when enabled)
  • CityPay: Payment processing and billing
  • Google LLC: Analytics through Google Analytics 4 and content display through Google Fonts
  • Internal Communications: Slack and Google Workspace may be used for customer support where team members may access support tickets and communications

Other Disclosures

  • Legal Requirements: When required by law or legal process
  • Business Transfers: During mergers or acquisitions
  • With Consent: When you authorise specific sharing

Data Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.3) and at rest
  • Access controls and authentication
  • Regular security reviews and improvements
  • Incident response procedures
  • Appropriate security measures to prevent unauthorised access, disclosure, modification, or unauthorised destruction of data

While we continuously work to enhance our security measures, no system is completely secure. Please protect your account credentials and notify us immediately of any suspicious activity.

Code and AI Processing

Code Access

  • Read-only by default: Kolega only has read access to your code. Write access is limited to creating pull requests
  • On-demand processing: Code is accessed only when scans are triggered, either by events or scheduled jobs
  • Temporary processing: Code is cloned temporarily for analysis and discarded after processing
  • No permanent storage: Source code is not stored long-term in Kolega's systems

What We Store

  • Scan results including vulnerability findings, severity levels, and affected file locations
  • Metadata including repository names, commit SHAs, scan timestamps, and user information
  • Generated fixes and remediation details created by Smart Remediate
  • Configuration including your scan settings, repository assignments, and integration configurations

What We Don't Store

  • Complete repository source code
  • Git history or commit contents (beyond metadata)
  • GitHub credentials or access tokens
  • Secrets or credentials detected in scans (only their locations)

AI Processing

Kolega uses third-party AI providers for deep code analysis and fix generation:

  • Code snippets only: AI models receive relevant code chunks, not entire repositories
  • Context-limited: Chunks are ~20k lines maximum, providing necessary context while limiting exposure
  • No training: Your code is not used to train or improve AI models
  • Temporary processing: Code sent to AI providers is processed and immediately discarded per provider policies

Model providers maintain zero data retention policies for API customers. Code submitted through Kolega is processed in real-time and not stored, logged, or used for model training.

Your Privacy Rights

Depending on your location, you may have rights to:

  • Access: Obtain copies of your personal data and learn if data is being processed
  • Rectification: Correct inaccurate information and verify the accuracy of your data
  • Deletion: Request removal of your data and have your personal data deleted or otherwise removed
  • Restriction: Limit how we process your data
  • Portability: Receive data in a portable format and have it transferred to another controller
  • Objection: Oppose certain processing activities
  • Withdrawal: Revoke consent where processing is consent-based

To exercise these rights, contact: contact@kolega.ai

Additional Rights for EEA/UK Residents

You may lodge complaints with your local data protection authority:

  • EU authorities: ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
  • UK authority: ico.org.uk

You are also entitled to learn about the legal basis for data transfers abroad including to any international organisation governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard your data.

Where personal data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, users may object to such processing by providing a ground related to their particular situation to justify the objection.

Additional Rights for US Residents

Some US states provide additional rights including:

  • Confirming data processing
  • Opting out of sales/targeted advertising (we do not sell data)
  • Non-discrimination for exercising rights
  • Appealing privacy decisions

Data Retention

We retain personal data only as long as necessary for:

  • Providing our Service
  • Complying with legal obligations
  • Resolving disputes
  • Enforcing agreements

Unless specified otherwise, personal data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the users' consent.

Personal data collected for purposes related to the performance of a contract between the Owner and the user shall be retained until such contract has been fully performed. Personal data collected for the purposes of the Owner's legitimate interests shall be retained as long as needed to fulfill such purposes.

Once the retention period expires, personal data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

International Data Transfers

Our servers are located in the European Union. If you access our Service from outside the EU, your data may be transferred to the EU. For transfers outside the EEA/UK, all data is encrypted in transit and at rest and complies with Service Provider Standard Contractual Clauses.

Depending on the user's location, data transfers may involve transferring the user's data to a country other than their own. Data processing is carried out at the Owner's operating offices and in any other places where the parties involved in the processing are located.

Children's Privacy

Our Service is not intended for children under 18. If we discover we've collected data from a child under 18, we'll promptly delete it. To report underage users, contact: contact@kolega.ai

System Logs and Maintenance

For operation and maintenance purposes, this application and any third-party services may collect files that record interaction with this application (System logs) or use other personal data (such as the IP address) for this purpose.

Legal Action

The user's personal data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this application or the related services. The user declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

Updates to This Policy

We may update this policy periodically. We'll notify you of material changes through our Service or email. Continued use after changes indicates acceptance.

The Owner reserves the right to make changes to this privacy policy at any time by notifying its users on this page and possibly within this application and/or - as far as technically and legally feasible - sending a notice to users via any contact information available to the Owner.

International Users

We welcome users worldwide. All users enjoy the privacy rights described in this policy, which meet or exceed international standards including GDPR. If you have questions about privacy rights in your jurisdiction, please contact us.

Contact Information

For privacy questions or to exercise your rights:

Data Controller:

KLG Tech Innovations Limited

Val Verclut, La Route des Cotils

Grouville, JE3 9AP, Jersey

Email: contact@kolega.ai

© 2025 Kolega.Dev. All rights reserved.