Privacy

Privacy policy

last updated · 2026-06-07 · effective · 2026-06-07

This Privacy Policy explains what personal data FlareCode collects when you use flarecode.shand our hosted coding-agent service (the "Service"), why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to visitors, account holders, and anyone who joined our waitlist.

Who we are

The Service is operated by Roushan, Inc. ("FlareCode", "we", "us", "our"), a corporation incorporated in Delaware, United States. For the purposes of the EU/UK General Data Protection Regulation we act as the data controller for personal data about your account and our marketing site, and as a data processorfor the repository contents and prompts you submit to an agent (you remain the controller of that content). Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") we are the Data Fiduciary. You can reach us at any time at privacy@flarecode.sh; our grievance contact is listed under Contact below.

A note on terms

"Personal data" means information that identifies or relates to an identifiable person. "Processing" means anything we do with personal data — collecting, storing, using, sharing, or deleting it. Where this policy refers to "you", it means the data subject / Data Principal whose personal data we process.

What we collect

  • Account & GitHub authentication. When you sign in with GitHub we use GitHub OAuth and request the scopes read:user, user:email, and repo. We store your GitHub login, numeric user ID, primary email, and avatar URL. The repo scope grants read and write access to the repositories your GitHub account can reach; we use it only to list your repositories and to read the contents of repositories you explicitly select for an agent. Acting on your code — pushing branches and opening pull requests — is performed by the separately installed FlareCode GitHub App, which holds only the minimal scopes contents:write, pull_requests:write, metadata:read, and actions:read on the specific repositories you choose. See /security for the full breakdown.
  • Repository metadata. When you install the FlareCode GitHub App we store repository IDs, names, default branch, and installation IDs needed to open pull requests on your behalf.
  • Workspace contents & snapshots.Your agent's working directory — including any project you have not yet pushed to GitHub — is snapshotted, encrypted, to private storage so your work survives an idle pause, restart, or eviction. Snapshots are kept for the life of the agent and destroyed when you destroy the agent or delete your account. We never use them for model training and never share or sell them.
  • Agent conversations. Session metadata (model used, message counts, timestamps, status) is mirrored from the agent runtime into our database to power the app. Prompt and completion text is sanitized for known secret patterns (API keys, tokens) before storage.
  • Usage & billing telemetry. Token counts and computed cost per call are stored to power billing and month-to-date usage views.
  • Billing data. If you subscribe to a paid plan, your Stripe customer ID and subscription status are stored. Card details and full billing history live with Stripe — we never see or store card numbers.
  • Waitlist email. If you joined the waitlist before signing up, that email is kept until you ask us to delete it or until your account is created.
  • Device & connection data. Like any web service we automatically receive your IP address, user-agent, and approximate (city-level) location derived from your IP, plus standard request logs. We use these for security, abuse prevention, and debugging.
  • Cookies. We set a first-party session cookie to keep you signed in. We do not use third-party advertising or cross-site tracking cookies. See Cookies below.
  • Support communications. If you email us or contact support, we keep your messages and contact details to respond and maintain a record.

How we use your data

We process personal data to:

  • authenticate you and keep your session secure;
  • run the product — open pull requests on your repositories, deploy your agents, and execute tasks;
  • meter usage, calculate cost, and bill you;
  • surface activity, cost, and status in the app;
  • provide support and respond to your requests;
  • detect, prevent, and investigate fraud, abuse, and security incidents;
  • comply with legal, tax, and accounting obligations; and
  • send service and account notices (and, only if you opt in, product updates).

We do not sell, rent, or share your personal data with third parties for their own marketing, and we do not use your code, prompts, or workspace snapshots to train AI models.

Legal bases for processing

Where the GDPR or DPDP Act applies, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you signed up for (authentication, agent execution, deployments, billing).
  • Legitimate interests — to secure the Service, prevent abuse, debug, and improve reliability, balanced against your rights.
  • Legal obligation — to retain invoices and respond to lawful requests.
  • Consent — for optional product-update emails and any processing that specifically asks for it. You may withdraw consent at any time without affecting prior processing.

Automated processing & AI

The core of the Service is an AI coding agent. Prompts you submit and the repository contents you select are sent to the model provider you choose so the agent can generate code. We do not make legal or similarly significant decisions about you through solely automated means. Cost-cap enforcement is automated: if a task exceeds the limit you set, it is stopped. Model output may be inaccurate — see the disclaimers in our Terms of Service.

What we don't store

  • Your source code in our operational logs — log lines carry only the diff, never the working tree.
  • Workspace snapshots beyond the life of the agent — they are deleted on agent destroy or account deletion.
  • Plaintext API keys you bring for your own model provider (BYOK). BYOK keys are stored encrypted at rest with only the ciphertext, initialization vector, provider metadata, and last four characters retained for display; they are decrypted only when routing a model request, never logged, and never placed in the sandbox.
  • Card numbers, expiration dates, or CVVs — payment data lives entirely with Stripe.

Cookies & similar technologies

We use a strictly necessary first-party cookie to maintain your authenticated session (it expires after roughly 30 days or when you sign out). Because it is essential to operate the Service, it does not require consent. We do not run third-party advertising networks, ad-tech pixels, or cross-site trackers.

With your consent, we use PostHogfor first-party, privacy-respecting product analytics so we can understand how the Service is used and improve it. Analytics are off until you accept in the consent banner (and we honor your browser's Do-Not-Track signal); your choice is stored in a first-party fc_consent cookie. When enabled, we record aggregate product events (page views, sign-up and task milestones) and may capture session replays in which all form inputs and text are masked by default, so replays never contain your code, secrets, or personal data. Analytics traffic is routed through our own domain; we never sell this data or use it for advertising. You can withdraw consent at any time by declining the banner or clearing the cookie.

Who we share data with (subprocessors)

We share personal data only with the service providers needed to run FlareCode, each bound by contractual data protection obligations:

  • Cloudflare — hosting, database (D1), object storage (R2), agent sandboxes (Containers), inference gateway, and email routing.
  • GitHub — OAuth sign-in and the FlareCode GitHub App for repository access.
  • Stripe — billing, payments, and subscription management.
  • Model providers(OpenRouter, Anthropic, OpenAI, Google, Moonshot, and custom endpoints you configure) — routed inference. Keys you bring (BYOK) are decrypted only when routing to the provider. Each provider's own terms and privacy policy govern its handling of the prompts and code routed to it.
  • Axiom — operational log aggregation.
  • PostHog — first-party product analytics and session replay, only with your consent (see Cookies above).

We may also disclose data when required by law, to enforce our Terms, to protect the rights, safety, and property of FlareCode or others, or in connection with a merger, acquisition, or sale of assets (you will be notified of any such change in control).

International data transfers

We are incorporated in the United States and our subprocessors operate globally, including in the United States and the European Union. When personal data is transferred out of the EEA, the UK, or other regions with transfer rules, we rely on the recipient's adequacy status or on Standard Contractual Clauses (and the UK Addendum where applicable), together with technical safeguards such as encryption in transit and at rest.

Data retention

  • Account and repository metadata: for the lifetime of your account.
  • Authenticated sessions: roughly 30 days, then expired.
  • Agent session / task metadata (model, counts, cost, status): 90 days after the session ends.
  • Task / agent run logs (sanitized): 30 days, then auto-deleted.
  • Platform observability logs (request and system logs): 90 days, rolling.
  • Workspace snapshots: encrypted in private storage; kept for the life of the agent and deleted on agent destroy or account deletion. Deployed apps persist until you remove them.
  • Waitlist email: until you ask us to delete it or you create an account.
  • Charges and invoices: retained for tax and accounting compliance (currently 7 years).

After a retention period ends, data is deleted or irreversibly anonymized. We may retain limited records longer where a law requires it or to resolve a dispute.

How we protect your data

We encrypt workspace snapshots and data at rest and in transit, isolate each agent in its own sandbox, inject secrets at runtime rather than persisting them, and run a sanitizer over log streams to strip known credential patterns before storage. Access to production data is limited to what is necessary to operate the Service. Our full security posture is described at /security. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

Data breach notification

If a personal-data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected users without undue delay and within the timeframes required by applicable law (for example, 72 hours under the GDPR), describing what happened and the steps we are taking.

Your rights

Subject to applicable law, you have the right to access, correct, delete, and export your personal data, to restrict or object to certain processing, to withdraw consent, and to data portability. You can self-serve most of this:

  • Delete your account from your account settings in the app — this removes your account data, destroys any running agents, and clears repository grants.
  • Remove a deployed app individually from the app.
  • Revoke repository access at any time from your GitHub account settings.

For access, correction, export, or anything else, email privacy@flarecode.sh. We respond within the timeframe the applicable law requires (generally within 30 days) and may ask you to verify your identity first. We will not discriminate against you for exercising any of these rights.

European Economic Area & United Kingdom

If you are in the EEA or UK, you may lodge a complaint with your local data protection authority. We would appreciate the chance to address your concern first — please contact us before doing so.

California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, to request access and deletion, and to correct inaccurate information. We do notsell or "share" (as those terms are defined under the CPRA) your personal information, and we do not use or disclose sensitive personal information beyond the purposes permitted by law. We will not discriminate against you for exercising these rights. To make a request, email privacy@flarecode.sh.

India (DPDP Act, 2023)

If you are in India, you are a Data Principal and have the right to access a summary of your personal data, request correction or erasure, nominate another person to exercise your rights in the event of death or incapacity, and grievance redressal. To exercise these rights or raise a grievance, use the grievance contact below. If unresolved, you may approach the Data Protection Board of India.

Children

FlareCode is not intended for, and we do not knowingly collect personal data from, anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes are announced via the email on file and an in-app banner at least 14 days before they take effect. The "last updated" date at the top always reflects the current version.

Contact

Roushan, Inc.
1111B S Governors Ave, STE 55131
Dover, DE 19904, USA

For any privacy question or to exercise your rights, email privacy@flarecode.sh.

Grievances (India, DPDP Act): privacy@flarecode.sh. We acknowledge grievances within 48 hours and aim to resolve them within the period prescribed by law.