POVV

Privacy Policy

Effective July 7, 2026 · POVV LLC (Delaware)

1. What we collect

Account data (email, authentication identifiers), workspace configuration (labs, repository URLs, goals), usage metering (audit counts, token costs), and payment status. Card details are collected and stored by Stripe, our payment processor — never by POVV. Anonymous audits are keyed to a browser fingerprint used solely for free-quota abuse control.

2. Repository source code — zero retention

During an audit, a bounded snapshot of the repository is processed in memory and discarded when the audit completes. We do not persist your source code. For private repositories, the sealed verdict stores cryptographic hash anchors of evidence (SHA-256), never verbatim code. For public repositories, short verbatim quotes that survived machine verification may be sealed with file/line attribution. GitHub personal access tokens you connect are stored encrypted and used only to fetch repositories you direct us to audit.

3. AI processing

Repository snapshots are processed by third-party model providers (currently Anthropic and xAI) under their API terms to generate the verdict. Snapshots are sent for inference only; we do not use your code to train models.

4. Public verdicts

Verdicts for public repositories may be published at a hash-addressed URL together with their evidence manifest. Verdicts for private repositories are never published. A sealed verdict is an append-only record: it can be revoked from public view, but its cryptographic receipt remains verifiable.

5. Retention and deletion

Account and workspace data persist while your account is active. You may request account deletion at [email protected]; we delete personal data within 30 days, except sealed audit ledger entries (kept as integrity-critical records with personal identifiers removed) and records we must retain by law.

6. Your rights

Depending on your jurisdiction (including GDPR where applicable), you may request access, correction, export, or deletion of your personal data, and object to or restrict certain processing. Write to [email protected]. We do not sell personal data.

7. Security

Access controls are enforced at the database row level, secrets are stored encrypted, transport is TLS-only, and verdict integrity is protected by Ed25519 signatures over SHA-256 hashes. No system is perfectly secure; report suspected vulnerabilities to [email protected].

8. Changes and contact

Material changes will be announced in-product or by email. Questions: [email protected] · POVV LLC, Delaware, USA.