GetCodeReviews
Security & Privacy

How we handle your code

This page describes exactly what happens to code you submit, what we store, how authentication works, and how to report a security issue.

1. What happens to code you submit

When you paste code or connect a repository, the code is sent to our API layer, which forwards it to the Claude API (provided by Anthropic) for analysis. The response, a structured list of issues and fixes, is returned to your browser.

GetCodeReviews does not store the code content on our servers. It passes through our API layer transiently and is not written to any database or log file. Once the Claude API responds, the code is no longer held anywhere on our infrastructure.

Anthropic's API usage policies govern how the Claude API handles data on their side. By default, Anthropic does not use API inputs to train their models. You can review Anthropic's data handling at anthropic.com/privacy.

Data flow summary
  1. Your browser sends the code to the GetCodeReviews API endpoint over HTTPS.
  2. The API forwards it to the Claude API (Anthropic) with a review prompt.
  3. Anthropic returns a structured analysis result.
  4. The result is returned to your browser.
  5. No code content is written to our database at any point in this flow.
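The flow above, written out as an added example (this is not GetCodeReviews' own API code). It shows the one property the page promises, that only review metadata (section 3) reaches storage while the code itself is held in local scope for the duration of the model call. The model call and the database write are injected functions so the example runs offline; the sample code and result are constructed, and the field names are assumptions.

```javascript
// Added example, not GetCodeReviews' own code: a pass-through review handler
// that forwards submitted code to a model API and persists only the metadata
// listed in section 3. The model call and the database write are injected
// so this runs offline; in production they would be the Claude API and Neon.

// Tally issues by category; the result is a count map, never code.
function countIssues(issues) {
  const counts = {};
  for (const issue of issues) {
    counts[issue.category] = (counts[issue.category] || 0) + 1;
  }
  return counts;
}

// Build the row that may be written to the database. It is assembled from
// named fields rather than by spreading the model result, so a new field in
// the response (e.g. a snippet echoing the code) cannot leak into storage.
function buildReviewMetadata(userId, result, now = new Date()) {
  return {
    userId,
    timestamp: now.toISOString(),
    language: result.language,
    score: result.score,
    issueCounts: countIssues(result.issues),
  };
}

// True if the submitted code appears anywhere in a value about to be
// stored or logged; used as a last-line guard in the handler.
function containsCode(value, code) {
  return JSON.stringify(value).includes(code);
}

// Handle one review request. `callModel(code)` returns the structured
// result; `persist(row)` writes metadata; `log(entry)` records an event.
// The code lives only in this function's scope and in the model call.
async function handleReview({ userId, code }, { callModel, persist, log }) {
  const result = await callModel(code);
  const row = buildReviewMetadata(userId, result);
  if (containsCode(row, code)) throw new Error("refusing to persist code content");
  await persist(row);
  log({ event: "review_completed", userId, language: row.language, score: row.score });
  return result; // sent back to the browser; the server keeps no copy
}

// Constructed sample input and a fake model that, like a real one, may echo
// the offending line in its findings.
const SAMPLE_CODE = "const out = eval(req.query.expr); // constructed sample";
const SAMPLE_RESULT = {
  language: "javascript",
  score: 41,
  issues: [
    { category: "security", line: 1, message: "eval of request input", snippet: SAMPLE_CODE },
    { category: "security", line: 1, message: "no input validation" },
    { category: "style", line: 1, message: "unused variable out" },
  ],
};
const fakeModel = async () => SAMPLE_RESULT;

// Run the flow with in-memory sinks and return what reached them.
async function demo() {
  const rows = [];
  const logs = [];
  const result = await handleReview(
    { userId: "user_123", code: SAMPLE_CODE },
    { callModel: fakeModel, persist: async (r) => rows.push(r), log: (e) => logs.push(e) },
  );
  return { result, rows, logs };
}

demo().then(({ rows, logs }) => {
  console.log("persisted:", rows[0]);
  console.log("code reached storage or logs:", containsCode([rows, logs], SAMPLE_CODE));
});
```

The `containsCode` guard is deliberately crude: it is a cheap runtime assertion of the invariant stated in step 5, not a replacement for keeping request bodies out of application and platform logging in the first place.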

2. Authentication

Authentication is handled by Clerk. GetCodeReviews does not implement its own auth stack or store passwords. Clerk manages sign-up, sign-in, session tokens, and OAuth connections (e.g. GitHub).

Session tokens are short-lived JWTs issued by Clerk and validated server-side on each authenticated request. Clerk's security practices are documented at clerk.com/security.

3. What we store in the database

Our database is Neon PostgreSQL, a serverless Postgres provider. The following data is stored:

User account
User ID (from Clerk), email address, plan tier, account creation date.
Review metadata
Timestamp, language detected, quality score, and issue category counts for each review. The code itself is not stored.
Subscription data
LemonSqueezy subscription and order IDs, plan name, renewal date. Payment card details are never stored — they go directly to LemonSqueezy's payment processor.
Blog posts
Published blog content authored by the GetCodeReviews team. No user-submitted content.

4. Transport security & encryption

  • All traffic is served over HTTPS (TLS 1.2+). HTTP requests are redirected to HTTPS automatically.
  • The application is deployed on Vercel's edge network. Vercel provides DDoS protection, automated TLS certificate renewal, and infrastructure-level security.
  • Neon PostgreSQL encrypts data at rest using AES-256. Connections to the database are encrypted in transit via TLS.
  • API keys and secrets (Claude API key, LemonSqueezy API key, database connection string) are stored as environment variables and never included in client-side bundles.
  • Security headers are set on all responses: Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy.
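The header set from the last bullet, as an added example in the shape a Next.js `headers()` config takes, together with a small audit function that checks a captured response for it. This is not GetCodeReviews' configuration: the page names Vercel but not the framework, and it does not publish its Content-Security-Policy, Referrer-Policy or Permissions-Policy values, so those values are assumptions. The audit also flags a missing Strict-Transport-Security header, which the page's list does not mention but which closes the gap left by a redirect-only HTTPS policy (the first plain-HTTP request is still unprotected).

```javascript
// Added example, not GetCodeReviews' config: the five headers from the page
// as a Next.js-style headers() entry, plus an audit of a response header map.
// CSP, Referrer-Policy and Permissions-Policy values are assumed here.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "frame-ancestors 'none'",
  "base-uri 'self'",
].join("; ");

const SECURITY_HEADERS = {
  "Content-Security-Policy": CSP,
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// next.config.js shape: an array of { source, headers: [{ key, value }] }.
async function headers() {
  return [{
    source: "/:path*",
    headers: Object.entries(SECURITY_HEADERS).map(([key, value]) => ({ key, value })),
  }];
}

// Audit a response's headers (names are case-insensitive on the wire).
// Returns a list of findings; an empty list means the policy is in place.
function auditSecurityHeaders(responseHeaders) {
  const got = {};
  for (const [k, v] of Object.entries(responseHeaders)) got[k.toLowerCase()] = String(v);
  const findings = [];
  for (const name of Object.keys(SECURITY_HEADERS)) {
    if (!(name.toLowerCase() in got)) findings.push(`missing ${name}`);
  }
  const csp = got["content-security-policy"];
  if (csp && /'unsafe-(inline|eval)'/.test(csp)) findings.push("CSP permits unsafe-inline or unsafe-eval");
  const xfo = got["x-frame-options"];
  if (xfo && xfo.trim().toUpperCase() !== "DENY") findings.push(`X-Frame-Options is ${xfo.trim()}, expected DENY`);
  const xcto = got["x-content-type-options"];
  if (xcto && xcto.trim().toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options is not nosniff");
  if (!("strict-transport-security" in got)) findings.push("no Strict-Transport-Security (not in the page's list; recommended)");
  return findings;
}

// Constructed sample: a response that sets some headers but gets them wrong.
const WEAK_RESPONSE = {
  "content-type": "text/html; charset=utf-8",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "x-frame-options": "SAMEORIGIN",
};

console.log("weak response:", auditSecurityHeaders(WEAK_RESPONSE));
console.log("configured set:", auditSecurityHeaders({
  ...SECURITY_HEADERS,
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}));
```

To audit the live site rather than a constructed map, capture the response headers with `curl -sI` and feed them to `auditSecurityHeaders`; the check is worth repeating after every deployment, since a framework upgrade or a new route can silently drop a header.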

5. Reporting a security vulnerability

If you discover a security vulnerability in GetCodeReviews, please report it by email. Do not open a public GitHub issue for security-related findings.

Security contact
hello@getcodereviews.com

Please include a description of the issue, steps to reproduce it, and the potential impact. We aim to acknowledge reports within 2 business days and will keep you updated as we investigate.
