Privacy Policy
Last updated: July 16, 2026
NRD Insight is operated by NRD Tech LLC ("NRD Tech," "we," "us"). This policy explains what we collect, why, and the controls you have. We have tried to write it the way we write our code reviews: plainly, and with the reasoning attached.
The short version. We analyze source code you explicitly connect, inside AWS, to produce engineering insight for your organization. Your code is never used to train AI models, never sold, and never visible to any other customer. You choose exactly which repositories we may read, and you can revoke access or request deletion at any time.
1. What we collect
Source code and development data (Customer Data)
- Repository content you enable: when you install our read-only GitHub App and enable a repository for analysis, we fetch commits, pull requests, diffs, reviews, and related metadata for those repositories only. Nothing is fetched from repositories you have not enabled.
- Project management data you connect: if you connect Linear, we sync issues, projects, and related metadata to link code changes to the work they served.
- Analysis artifacts: the AI-generated scores, findings, evidence quotes, and model responses produced from your code, retained so every score remains auditable by you.
Account and usage data
- Account information: name, work email, workspace name, and role, via our authentication provider (Amazon Cognito).
- Billing information: handled by Stripe. Card numbers never touch our servers; we store only Stripe's references (customer and subscription identifiers) and your plan state.
- Operational logs and metering: service logs, API activity, and per-tenant AI-usage metering needed to run the service, enforce spend caps, and bill accurately. We log the minimum necessary and keep secrets and code out of logs.
2. How we use it
- To provide the service: analyzing enabled repositories against our published rubric and presenting the results to your workspace.
- To link code to business context when you connect Linear.
- To generate training content for your developers from their own work.
- To operate, secure, meter, and bill the service.
- To communicate with you about the service (verification codes, invites, alerts, billing).
We do not: sell or rent your data; use your code or any Customer Data to train AI models; use one customer's data to benefit another; or advertise to you or anyone based on your data.
3. AI processing — exactly how it works
- Analysis runs on Amazon Bedrock within our AWS environment in the United States (us-west-2). Your code is transmitted to the model solely to produce your analysis.
- Under AWS Bedrock's terms, prompts and outputs are not used to train or improve the underlying models and are not shared with model providers for that purpose.
- Raw model responses are stored encrypted in your tenant's audit trail so you can always trace a score to its evidence.
4. Where your data lives and how it's protected
- Encryption: TLS 1.2+ in transit, everywhere. Encryption at rest for databases, object storage (AWS KMS), and secrets (AWS Secrets Manager).
- Tenant isolation: every row of Customer Data is bound to your workspace and enforced with PostgreSQL row-level security at the database layer — isolation by construction, not just by application code.
- Least-privilege access: credentials you provide (e.g., Linear keys) are stored per-tenant in AWS Secrets Manager, never in the database or application config. Our GitHub access is read-only and limited to repositories you enable.
- Infrastructure: AWS data centers holding SOC 2, ISO 27001, and PCI DSS attestations.
- Personnel: production access is restricted, logged, and used only for operating the service or supporting you at your request.
5. Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (incl. Bedrock) | Hosting, storage, AI analysis, email delivery | United States |
| Stripe | Payments and subscription billing | United States |
| GitHub | Source repository access you authorize | United States |
| Linear (optional) | Project data you choose to connect | United States |
We will update this list before adding a subprocessor that processes Customer Data.
6. Retention and deletion
- Customer Data is retained while your subscription is active so trends and audit trails keep working.
- Disabling a repository stops new analysis immediately; uninstalling the GitHub App severs our access entirely.
- On termination, we will delete your Customer Data within 30 days of a written request (or after a 60-day export window following account closure, whichever you prefer), except minimal records we must keep for legal, billing, or security purposes.
- You may request an export of your data at any time.
7. Your rights
Depending on where you are, you may have rights to access, correct, export, restrict, or delete personal information, and to object to certain processing (including under GDPR and CCPA/CPRA). We honor these requests regardless of jurisdiction where practical. To exercise any right, email us at the address below; we will respond within 30 days. We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.
If you are in the EEA/UK: we act as a processor for the Customer Data your organization submits and as a controller for your account and billing information. A Data Processing Addendum incorporating Standard Contractual Clauses is available on request.
8. Important boundaries
- Your developers: the service produces evaluations of work product for your organization's internal use. You are responsible for using it consistently with your employment obligations and local law.
- Not for children: the service is for business use by people 16 or older.
- Cookies: we use only what sign-in requires (session tokens). No advertising trackers, no third-party analytics cookies on the application.
9. Incidents and changes
If we become aware of a breach affecting your Customer Data, we will notify you without undue delay with what we know, what we're doing, and what we recommend. If we make material changes to this policy, we will notify workspace admins by email before they take effect.
10. Contact
Privacy questions, rights requests, or DPA requests: nic.delorme@nrdtech.io
NRD Tech LLC, United States.