Privacy Policy

Effective May 21, 2026

Grupr Inc. (“Grupr”, “we”, “us”) builds a multi-LLM Code Review product. This page explains what data we collect, what we do with it, who we share it with, and the rights you have over it. It’s written to be readable. If anything is unclear, email hello@grupr.ai and we’ll clarify.

What we collect

When you create an account we store your email address, a username, a display name, a hashed password, and your subscription state. If you set up two-factor authentication we store a TOTP secret (encrypted at rest) and a set of one-time recovery codes (hashed). If you sign in with a passkey we store the public-key credential.

When you submit a code review we receive the code (or public Git URL) you submit, the reviewer roles you selected, and metadata about the run (timestamps, tier, outcome). For Deep tier reviews, the code is loaded into an ephemeral E2B sandbox so that Claude Code can run against it; the sandbox is destroyed when the run ends.

When you bring your own API keys (BYOK), we encrypt them at rest with a server-held key and decrypt them just-in-time to call the provider on your behalf. We never log the decrypted key value.

When you visit our marketing site, web app, or docs, our hosts (AWS, Vercel, Cloudflare) record standard request metadata — IP address, user agent, timestamps. Product analytics (PostHog) only loads after you opt in via the cookie banner.

What we do with it

We use your data to run the service: to log you in, to dispatch your code review to the model providers, to surface the verdict and any verified patch, to bill you, to send transactional email (signup verification, receipts, payment-failed notices), and to debug incidents. We do not train any models on your code.

We use aggregated, anonymized counts (number of reviews per day, average verdict distribution) to improve the product. Individual submissions are not used for that purpose.

Sub-processors

We share data with the third parties listed below in order to operate the service. Each one is bound by a Data Processing Agreement (DPA) or equivalent contract. A signed DPA is available on request for Team/Enterprise customers — email hello@grupr.ai.

| Sub-processor | Purpose | Data shared | Location |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Application hosting, database, encrypted storage, backups | All Grupr data (encrypted at rest); region: US-East-2 | United States |
| E2B | Ephemeral sandboxes for Code Review Deep tier (Claude Code runs inside an isolated container; sandbox is destroyed after each run) | The code or repo URL you submit to a Deep review, for the duration of the sandbox session only | United States / Europe |
| Anthropic | LLM provider — Claude models used by Architect, Performance, and Synthesizer Skills (when you use platform-paid keys) | Code you submit for review; the prompt sent to the model; the response returned | United States |
| OpenAI | LLM provider — GPT models used by Security and Maintainability Skills (when you use platform-paid keys) | Code you submit for review; the prompt sent to the model; the response returned | United States |
| Stripe | Subscription billing, payment processing, tax calculation | Email, billing address, card details (handled by Stripe; we never see full card numbers) | United States |
| Resend | Transactional email (welcome, verification, receipts, payment-failed notices) | Email address, the email body we send you | United States |
| Cloudflare | CDN, DDoS protection, Turnstile (anti-bot challenge), Access (admin-console gate) | IP address, request metadata, challenge results | Global |
| Google (Workspace) | Email (inbound + outbound for staff @grupr.ai addresses including hello@ and support@), calendar, docs, drive — internal corporate productivity stack | Email address, mailbox contents for messages sent to or from staff @grupr.ai addresses (including any support correspondence you initiate). Never receives user-submitted code, LLM call content, or trial-cap usage data. | United States |
| Vercel | Hosting for the marketing site, web app, docs, and admin frontends | IP address, request metadata, deployment build artifacts | United States |
| PostHog | Product analytics — only loaded after you opt in via the cookie banner | Pseudonymous user ID, page views, button clicks, signup funnel events | United States / Europe |
| Sentry | Error tracking — captures crashes and exceptions so we can fix bugs | Stack traces, browser metadata, user ID (if logged in) | United States |
| Telegram | Telegram bridge — paid Pro feature that mirrors messages between a Grupr group and a linked Telegram chat | Telegram user ID, chat ID, message content (only for users who explicitly link a Telegram account) | Operated by Telegram FZ-LLC (Dubai) |

BYOK providers

If you supply your own API keys (BYOK), Grupr passes your prompt directly to the provider you supplied a key for. In that mode the provider has a direct relationship with you, not us, and your data flows through their privacy policy:

How long we keep it

Account data is retained for the life of your account. Code-review submissions and verdicts are retained for 90 days by default; you can request earlier deletion via the account settings or by emailing hello@grupr.ai. Encrypted BYOK keys are deleted immediately when you remove them from your account. Backups are retained for 30 days and rotate out on a rolling basis.

Your rights

You can access, correct, export, or delete your data at any time. The account settings page exposes:

If you’re in the EEA, UK, or Switzerland, you have additional rights under GDPR (access, rectification, erasure, restriction of processing, data portability, and objection). To exercise them, email hello@grupr.ai and we’ll respond within 30 days.

If you’re in California, you have rights under the CCPA/CPRA (right to know, right to delete, right to correct, right to opt-out of sale — we don’t sell data). The mechanisms above satisfy these rights.

How we protect it

Data in transit uses TLS 1.2 or higher. Data at rest in our database and backups is encrypted by the underlying storage layer. BYOK keys and 2FA secrets are additionally encrypted with a server-held key before being written. Access to production infrastructure is restricted, two-factor-authenticated, and audit-logged.

We use Cloudflare for DDoS protection and rate-limiting, Sentry to surface errors, and Stripe Tax to handle compliance calculations. Security disclosures can be sent to security@grupr.ai and we’ll acknowledge within one business day.

Children

Grupr is not directed to children under 13 (or under 16 in the EEA), and we don’t knowingly collect personal information from them. If you believe a child has provided personal information to Grupr, email hello@grupr.ai and we’ll delete it.

International transfers

Grupr Inc. is based in the United States, and several of our sub-processors are too. If you access the service from outside the US, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms where required to legitimize these transfers.

Changes

If we make material changes to this policy, we’ll bump the effective date at the top of the page and (where reasonably possible) notify you by email. The current version is always available at grupr.ai/privacy.

Contact

For privacy questions: hello@grupr.ai. For security disclosures: security@grupr.ai. For DPA requests: hello@grupr.ai (subject line: “DPA request”).

Grupr Inc., United States.