Privacy Policy

Last updated: June 17, 2026

The privacy of your data — and it is your data, not ours — is a big deal to us. In this policy we lay out what data we collect and why, how your data is handled, and your rights with respect to your data. We never sell your data.

This policy applies to Klarix, operated by Kodaxa, LLC ("Klarix", "we", "us"). It covers our handling of information about site visitors, prospective customers, and customers and authorized users in relation to their use of the service.

It does not cover information about a customer's developers and end users that Klarix receives from a customer, or processes on a customer's behalf, in connection with the service (for example, the developer personal data contained in connected Git repositories). For that data the customer is the "data controller" or "business" and Klarix acts as a "data processor" or "service provider", as described in the section "Data From Connected Developer Tools" below and in our Data Processing Agreement. If you are a developer whose data was provided to us by your organization and you have questions about how it is processed, please contact that organization.

California residents: see the section "Your California privacy rights" below for the CCPA Notice at Collection describing the personal information we collect and the rights you have.

What we collect and why

Our guiding principle is to collect only what we need.

Identity and access

When you sign up for Klarix we ask for identifying information such as your name, email address, and company name. That is so you can personalize your account and we can send you product updates and other essential information. If you sign in with a third-party provider such as Google or GitHub, we receive your basic profile information (name, email address, and avatar) from that provider to create and secure your account. With your consent we will send you our newsletter and other updates. Every marketing email includes an unsubscribe link, and you can opt out at any time; we will still send essential account and service messages.

We will never sell your personal information to third parties, and we will not use your name or company in marketing statements without your permission.

How we handle Google user data

If you choose to sign in with Google, Klarix uses Google OAuth to authenticate you. We request only your basic Google profile information — your name, email address, and profile picture — and we use it solely to create and secure your Klarix account and to sign you in. We do not use Google user data for advertising, we do not sell it, and we do not share or transfer it to others except as necessary to provide and secure this sign-in feature, to comply with applicable law, or in connection with a merger or acquisition. No humans read your Google user data except where necessary for security purposes, to comply with the law, or with your explicit consent.

Klarix's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Billing information

If you sign up for a paid plan, you will be asked to provide your payment information and billing address. Credit card information is submitted directly to our payment processor and does not hit Klarix servers. We store a record of the payment transaction, including the last four digits of the card number, for account history, invoicing, and billing support.

Product interactions

We store the content and configuration you create within Klarix — such as workspaces, teams, and settings — so you can use the product as intended. We keep this content as long as your account is active.

General geolocation data

We log the IP address used to access your account for security and fraud-prevention purposes, and we keep this login data for as long as your account is active.

Website interactions

We collect information about your browsing activity for analytics and statistical purposes, such as your browser and operating system versions, your IP address, which pages you visited, and which website referred you to us.

Cookies

We use first-party cookies and a limited set of third-party cookies to keep you signed in, store preferences, and support analytics. A cookie is a small piece of text stored by your browser. You can adjust cookie settings in your browser, although parts of the service may not function properly if you turn cookies off. We do not currently respond to "Do Not Track" browser signals, as no common standard has been adopted. We do not sell or share your personal information as those terms are defined under the CCPA, and we treat a Global Privacy Control (GPC) signal as a valid request to opt out of any sale or sharing.

Analytics and your consent

When you first visit our website we show a cookie consent banner. Until you make a choice, all analytics and advertising storage is set to "denied" by default (using Google Consent Mode), and no analytics or session-recording tools run. For these non-essential cookies we rely on your consent as the legal basis, and you can change or withdraw your choice at any time using the "Manage cookies" link in the website footer.

We group cookies into the following categories:

  • Strictly necessary — required to run the site and keep you signed in. Always active; these cannot be switched off.
  • Analytics — help us understand how the site and product are used so we can improve them. Off until you consent.
  • Marketing — used to measure campaigns and relevance. Off until you consent.

Where you consent to analytics, we use the following providers, each acting as our processor and listed on our Subprocessors page:

  • Google Analytics 4 and Google Tag Manager (Google LLC) — aggregate website and product usage statistics. We use Google Consent Mode v2, so Google receives no analytics or advertising identifiers until you consent.
  • PostHog (PostHog, Inc., EU Cloud) — product usage analytics, hosted in the European Union.
  • Microsoft Clarity (Microsoft Corporation) — website usage analytics and session replay (for example, aggregated heatmaps and recordings of page interactions) used to diagnose usability issues. Session replay runs only with your consent, and sensitive fields are masked.

Some of these providers are located in the United States; where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards as described in "When transferring personal data from the EU" below.

Voluntary correspondence

When you email Klarix with a question or for help, we keep that correspondence, including your email address, so we have a history to reference if you reach out again.

Data From Connected Developer Tools

When you connect Klarix to a source-code provider such as GitHub or GitLab, Klarix accesses and processes data from the repositories and organizations you explicitly authorize. This is the core of how Klarix works, so we describe it in detail.

Your role and ours (controller and processor). The data Klarix ingests includes personal data about the developers in your organization — for example, the names and email addresses recorded in Git commits. Most of these individuals are your employees or contributors, not people who signed up for Klarix directly. For this developer data, you (our customer) are the data controller and Klarix is the data processor, acting only on your documented instructions. You are responsible for having a lawful basis to connect these tools and for informing your developers as required by applicable law. Where required, we make a Data Processing Agreement (DPA) available to govern this relationship.

What we collect. From the providers you connect, and limited to the repositories and organizations you authorize, we process:

  • Git history metadata — commit identifiers (hashes), commit messages, authorship and timestamps, and merge status.
  • Change metadata — file paths, the type of change (added, modified, deleted, renamed), lines added and removed, and detected programming language. We do not store the contents of your source files (see below).
  • Pull/merge request metadata — titles, descriptions, branch names, state, review decisions, comment counts, and associated commits.
  • Deployment and delivery metadata — deployment events, releases, tags, environments, and outcomes, used to compute delivery metrics.
  • Developer personal data — the names, email addresses, provider usernames, and avatar images associated with the above activity, used to attribute work to contributors and resolve individual identities across systems.
  • Organization and access metadata — organization, team, and repository names and membership, and the scopes of the access you granted.

What we deliberately do not do.

  • We do not retain your source code. To analyze a repository, Klarix may temporarily clone it in an isolated, ephemeral environment to extract the metadata described above. Once analysis completes, the working copy is discarded. We persist only derived metadata — never the contents of your files.
  • We do not send your data to any third-party AI or large-language-model provider. Our AI-assistance detection works by inspecting commit-message signatures within our own systems; it does not transmit your data to an external model.
  • We do not use your data, or your developers' data, to train machine-learning or AI models.
  • We do not sell your data or your developers' personal data, and we do not share it with data brokers or for advertising.

Our legal bases for processing

If you are in the European Union or the United Kingdom, we process your personal data under the following legal bases (GDPR Article 6):

  • Performance of a contract — to create your account, provide and maintain the service, and process billing.
  • Legitimate interests — to secure the service, prevent fraud, and analyze and improve the product, balanced against your rights and freedoms.
  • Consent — to send our newsletter and other marketing, which you can withdraw at any time.
  • Legal obligation — to comply with applicable law, including tax and accounting requirements.

For developer data from connected tools, our customer is the data controller and determines the legal basis for the processing; Klarix acts as the data processor on the customer's instructions.

Automated decisions and profiling

Klarix computes software-delivery and engineering metrics, which may include aggregating activity associated with individual developers. We do not use these metrics to make decisions that produce legal or similarly significant effects about an individual without human involvement. Klarix is an analytics tool for engineering teams; how a customer uses the metrics within their organization is determined by that customer as the data controller.

When we access or disclose your information

To provide the service. We use a limited set of third-party subprocessors to run our application (for example, cloud hosting and database infrastructure). The current list is available on our Subprocessors page.

To help you troubleshoot, with your permission. If we need to access your content to help with a support case, we will ask for your consent first.

Aggregated and de-identified data. We may aggregate or de-identify information collected through the service and use it for any purpose, including analytics.

When required under applicable law. Klarix is a U.S. company. Our policy is not to respond to government requests for user data unless compelled by valid legal process, and to notify affected users beforehand unless legally prohibited.

Finally, if Klarix is acquired by or merges with another company, we will notify you before any of your personal information is transferred or becomes subject to a different privacy policy.

Your rights with respect to your information

We strive to apply the same data rights to all customers, regardless of location:

  • Right to Know what personal information is collected, used, or shared.
  • Right of Access to the personal information we hold about you.
  • Right to Correction of your personal information.
  • Right to Erasure ("to be forgotten"), subject to limitations under applicable law. Fulfilling some deletion requests may prevent you from using the service and may result in closing your account.
  • Right to Restrict Processing, including opting out of any sale of personal information (we never sell it).
  • Right to Object to how or why your personal information is processed.
  • Right to Portability — to receive and transmit the personal information we have about you.
  • Right to Complain to the appropriate supervisory authority.
  • Right to Non-Discrimination for exercising any of these rights.

Many of these can be exercised by signing in and updating your account information. To make a request or ask a question, contact us at privacy@klarix.io. We may need to verify your identity before responding. If you are in the EU or UK, you may also lodge a complaint with your local data protection authority.

How we secure your data

All data is encrypted in transit using TLS. Access credentials and integration tokens that let Klarix connect to your providers are encrypted at rest using AES-256-GCM authenticated encryption. Customer data is logically separated per organization, and access is restricted to authorized personnel and the automated processing required to provide the service.

If we become aware of a personal data breach affecting your information, we will notify affected customers and, where required, the relevant supervisory authority without undue delay and consistent with applicable law.

Data retention

We keep your information for as long as needed for the purposes for which it is processed. You can disconnect a provider or repository at any time, and you may request deletion of your data by contacting us. On account termination, your content becomes inaccessible immediately; we permanently delete or anonymize it from active systems within 30 days and from our backups within 60 days. We retain a limited set of security and audit logs — which may include actor identifiers and IP addresses — for longer where necessary for security, fraud prevention, and to meet legal and accounting obligations.

Even after we purge your content and the integration tokens we held, you should remove or revoke Klarix's access tokens, OAuth authorizations, and any installed apps directly in your connected developer tools (such as GitHub, GitLab, and Bitbucket) to fully sever the connection. We cannot revoke credentials on your behalf within your provider accounts.

Location of site and data

Klarix is a service of Kodaxa, LLC, a Delaware (United States) company, and is operated from Romania, in the European Union. Our application and the data you provide are hosted in the United States (US East, Virginia). If you are located in the United Kingdom, the European Union, or elsewhere, please be aware that information you provide to us is processed in both the European Union and the United States.

When transferring personal data from the EU

Personal data transferred out of the EU must be treated with the same level of protection granted under EU privacy law. Accordingly, Klarix has adopted a Data Processing Agreement based on the Common Paper Standard DPA with Standard Contractual Clauses to help ensure this protection. To put a signed DPA in place, contact us at legal@klarix.io.

Your California privacy rights

This section is the "Notice at Collection" required by the California Consumer Privacy Act, as amended ("CCPA"), and applies to California residents. It describes the categories of personal information we collect, why, and the rights you have. The fuller detail is in the sections above; this is the California-specific summary.

Categories we collect, and why. In the past twelve months we have collected the following categories of personal information, in each case for the business purposes described above (providing and securing the service, billing, support, analytics, and fraud prevention):

  • Identifiers — such as your name, email address, company name, account identifiers, and IP address, including basic profile information received from a third-party login provider (Google or GitHub) if you choose to use one.
  • Commercial information — billing address and a record of payment transactions, including the last four digits of your card. Full card numbers are handled by our payment processor and do not reach Klarix servers.
  • Internet or other network activity — pages you visit, your referring website, and your browser and operating system versions.
  • Geolocation data — general location inferred from your IP address.

Sources. We collect this information directly from you, automatically from your device when you use the service, and from third-party login providers when you choose to sign in with one.

Sensitive personal information. We do not collect sensitive personal information beyond account login credentials, and we do not use any information to infer characteristics about you.

We do not sell or share your personal information. We have not sold or "shared" (as the CCPA defines that term, meaning disclosure for cross-context behavioral advertising) personal information in the past twelve months, and we will not. We disclose personal information only to service providers — such as our hosting provider, payment processor, and analytics provider — who process it on our behalf for the purposes above.

Your rights. Subject to the limits in the law, California residents may request to:

  • Know what personal information we have collected, used, and disclosed about you;
  • Delete personal information we have collected from you;
  • Correct inaccurate personal information;
  • Opt out of the sale or sharing of personal information (we do not sell or share, so there is nothing to opt out of); and
  • exercise these rights without being discriminated against for doing so.

How to exercise your rights. Email us at privacy@klarix.io. We will verify your request using the account information we hold before acting on it. You may use an authorized agent to submit a request on your behalf.

Children's privacy

Klarix is a business tool and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us at privacy@klarix.io and we will delete it.

Changes and questions

We may update this policy as needed to comply with relevant regulations and reflect new practices. Whenever we make a significant change, we will refresh the date at the top of this page. Questions about this policy, your data, or your rights? Email us at privacy@klarix.io.