Data policy

Last updated April 2026 · Version 2.0

TL;DR

  • Your source code never leaves your machine.
  • Only aggregated numbers (scores, counts) are sent to the hub.
  • Data is hosted in the EU (Hetzner, Germany).
  • We never train AI on your data.
  • You can delete your account and all data at any time.

1. What we promise

DebtLens analyzes your repository locally on your machine. The CLI runs git commands against your code, computes scores, and produces a report. Your source code, file paths, function names, branch names, commit messages, and author emails never leave your machine.

2. What is sent to the hub

When you run debtlens report, the CLI sends a small JSON payload over HTTPS (TLS 1.3) to debtlens.tech. Here is the exact shape:

{
  "license_key": "dl_abc123...",
  "machine_hash": "sha256:8f4e2c...",
  "cli_version": "0.3.1",
  "repository_alias": "my-project",
  "analyzed_at": "2026-04-17T14:32:00Z",
  "metadata": {
    "total_commits": 2847,
    "total_files": 412,
    "contributor_count": 18,
    "age_days": 1243,
    "primary_language": "PHP"
  },
  "scores": {
    "health": 72,
    "hotspot_density": 0.34,
    "complexity_churn": 0.42,
    "temporal_coupling": 0.28,
    "silo_risk": 0.19,
    "dead_code_ratio": 0.07,
    "velocity_trend": 0.18,
    "merge_discipline": 0.88,
    "ai_governance": 0.65
  },
  "counts": {
    "critical_hotspots": 3,
    "warning_hotspots": 12,
    "knowledge_silos": 5,
    "dead_files": 27,
    "ai_commits_detected": 142,
    "ai_commits_unreviewed": 18
  },
  "signals": {
    "merge_discipline_level": "adequate",
    "ai_governance_level": "governed",
    "velocity_direction": "improving"
  }
}

Every field is either a number, a boolean, or a short categorical label. No strings contain code, file names, author identifiers, or commit messages.

3. What is never sent

  • Source code, in any form (not even hashed).
  • File paths, file names, directory structures.
  • Function or class names.
  • Author names, email addresses, commit messages.
  • Branch names, tag names, remote URLs.
  • Diffs, blames, or any per-line information.
  • Environment variables, .env files, or secrets.

The CLI is inspectable: the repo is open and the payload shape above is stable. A debtlens report --dry-run flag that prints the exact JSON without sending it is on the roadmap.
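
Until the dry-run flag exists, a payload you have captured on your own machine can be checked against the shape in section 2 and the exclusions in section 3. The Python below is an added example, not DebtLens code; the function names (audit, sample) and the string heuristics are assumptions of the example, and how the payload is captured is left to you.

```python
import re

def names(text, kind):
    return dict.fromkeys(text.split(), kind)

# Field names and types copied from the payload shape in section 2 ("" = top level).
SCHEMA = {
    "": names("license_key machine_hash cli_version repository_alias analyzed_at", str),
    "metadata": {**names("total_commits total_files contributor_count age_days", int),
                 "primary_language": str},
    "scores": names("health hotspot_density complexity_churn temporal_coupling silo_risk "
                    "dead_code_ratio velocity_trend merge_discipline ai_governance",
                    (int, float)),
    "counts": names("critical_hotspots warning_hotspots knowledge_silos dead_files "
                    "ai_commits_detected ai_commits_unreviewed", int),
    "signals": names("merge_discipline_level ai_governance_level velocity_direction", str),
}
# Assumption of this example, not a DebtLens rule: a string with a path separator,
# "@" or whitespace, or longer than 128 characters, may be a path, e-mail address
# or message and is flagged for manual review.
SUSPICIOUS = re.compile(r"[/\\@\s]")
MAX_LEN = 128

def audit(payload):
    """Return a list of findings; an empty list means the payload matches section 2."""
    findings = []
    for section, fields in SCHEMA.items():
        body = payload.get(section) if section else payload
        if not isinstance(body, dict):
            findings.append(f"missing section: {section}")
            continue
        allowed = set(fields) | (set(SCHEMA) - {""} if not section else set())
        prefix = f"{section}." if section else ""
        findings += [f"unexpected field: {prefix}{k}" for k in sorted(set(body) - allowed)]
        for key, kind in fields.items():
            value = body.get(key)
            if key not in body:
                findings.append(f"missing field: {prefix}{key}")
            elif isinstance(value, bool) or not isinstance(value, kind):
                findings.append(f"wrong type: {prefix}{key}")
            elif isinstance(value, str) and (len(value) > MAX_LEN or SUSPICIOUS.search(value)):
                findings.append(f"suspicious string: {prefix}{key}")
    return findings

def sample():
    """Constructed payload that conforms to SCHEMA; every value is a placeholder."""
    fill = lambda kind: "label" if kind is str else 1
    body = {s: {k: fill(t) for k, t in f.items()} for s, f in SCHEMA.items()}
    return {**body.pop(""), **body}
```

Any finding on a real payload is a prompt to inspect that field by hand; an empty list only means the payload has the documented keys and types.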

4. Hub API endpoints

For transparency, here is the complete list of endpoints the CLI communicates with:

| Endpoint | Purpose |
|---|---|
| POST /api/v1/reports | Submit an aggregated report. |
| POST /api/v1/license/activate | Register a license key on the current machine. |
| POST /api/v1/license/ping | Heartbeat: check license status and remaining quota. |
| POST /api/v1/license/revoke | Deactivate a machine. |
| GET /api/v1/reports/{id} | Fetch a specific report by id (owner or signed-URL only). |

5. Where the data lives

  • Primary hosting: Hetzner Online GmbH, Germany (Falkenstein & Nuremberg data centres).
  • Database: PostgreSQL 16, encrypted at rest (LUKS) and in transit (TLS 1.3).
  • Backups: Daily, encrypted, retained 30 days, stored in the same EU region.
  • Email delivery: Postmark (Wildbit), sub-processor agreement in place with SCCs.
  • AI processing: Anthropic (Claude), US-based, sub-processor agreement with SCCs + Anthropic zero-retention API option enabled.

6. Retention periods

| Data type | Retention | Reason |
|---|---|---|
| Aggregated reports | Lifetime of the subscription + 90 days | Historical trend analysis |
| Account & billing data | 10 years after account closure | Belgian accounting law |
| Backups | 30 days rolling | Operational recovery |
| Server access logs | 30 days | Security & diagnostics |
| Email audit logs (Postmark) | 45 days | Deliverability troubleshooting |
| AI conversation snapshots | Not retained (zero-retention API) | Privacy by design |

7. AI processing

The executive narrative is generated by Anthropic's Claude model. The only thing sent to Anthropic is the aggregated payload described in section 2 (scores, counts, signals). Your code is never sent to Anthropic.

We use Anthropic's zero-retention API: the prompts and completions are not stored on Anthropic's servers and are not used for model training. A Data Processing Agreement with Anthropic is in place under EU Standard Contractual Clauses.

8. Your rights (GDPR)

Under Regulation (EU) 2016/679 (GDPR), you have the following rights:

  • Access — request a copy of all data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — request permanent deletion.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Complaint — lodge a complaint with the Belgian Data Protection Authority (APD/GBA).

To exercise any of these rights, email privacy@debtlens.tech. We respond within 30 days as required by GDPR.

9. How to delete your account

  1. Sign in and visit your account dashboard.
  2. Click “Delete my account” at the bottom of the page (or email privacy@debtlens.tech).
  3. We confirm the request via email within 24 hours.
  4. All your reports, repositories, and personal data are removed within 7 days.
  5. Billing records are retained for 10 years (Belgian accounting law) but are isolated from your account identity.

10. DPIA summary

A simplified Data Protection Impact Assessment has been performed. Key findings:

  • Lawful basis: Contract performance (Art. 6(1)(b) GDPR) for paid accounts; consent for marketing emails.
  • Special categories: No special-category data (Art. 9) is processed.
  • Risk to data subjects: Low. No source code, no identifiable individuals beyond the account holder.
  • Transfers outside the EU: Limited to Anthropic (US) under SCCs, only aggregated numerical data.

A full DPIA document is available to Enterprise customers on request.

11. Air-gapped environments

The free CLI runs 100% offline: debtlens analyze never makes a network call. That covers most air-gapped needs today. A fully-offline paid mode (skipping the hub activation step) is something we'll consider on request — get in touch if that's a blocker for you.

12. Contact

We do not currently have a designated DPO (not required for our scale under Art. 37 GDPR), but the founder acts as the privacy contact and responds within 48 hours.