Privacy & Terms

This Privacy Policy explains how Critique ("Critique", "we", "us") collects, uses, stores, and shares information when you use our websites, dashboards, APIs, GitHub App, and related services (collectively, the "Services").

If you do not agree with this policy, please do not use the Services. We may update this policy from time to time; the "Last updated" date at the top reflects the latest revision.

The data controller for personal data processed through the Services is the Critique operating entity responsible for your contract or account.

For privacy requests, contact privacy@critique.sh. For general legal notices, contact legal@critique.sh.

We may collect:

Account and identity data — name, email address, authentication identifiers, and profile details you provide when you sign in (including via OAuth providers such as GitHub or Vercel).

GitHub and repository context — when you connect GitHub, we process installation metadata, repository names, pull request identifiers, commit metadata, file paths, and code content necessary to deliver automated reviews and related features you enable.

Usage and technical data — log data, IP address, device and browser type, timestamps, diagnostic events, and performance metrics needed to operate and secure the Services.

Support communications — messages you send to support or sales, including attachments you choose to provide.

Billing data — when applicable, billing contact details and payment status as processed by our payment processor; we do not store full payment card numbers on Critique servers.

In-product AI chat (dashboard) — when you use authenticated Critique Chat, messages may be stored according to your workspace chat settings to provide continuity across sessions.

This page only: the short legal assistant at the bottom of Privacy or Terms is a separate, anonymous flow. Those messages are not written to Critique chat history or your account records by Critique (see "Legal page assistant" below).

We use information to:

• Provide, maintain, and improve the Services
• Authenticate users and enforce access controls
• Run automated code review, remediation, and related workflows you request
• Communicate about the Services, security, and policy changes
• Detect abuse, fraud, and security incidents
• Comply with law and enforce our Terms
• Analyze aggregate or de-identified usage to improve reliability and product quality

Where GDPR or similar laws apply, we rely on one or more of:

• Contract — processing necessary to provide the Services you request
• Legitimate interests — securing the Services, improving reliability, and communicating operational updates, balanced against your rights
• Consent — where we ask for it (for example certain cookies or marketing)
• Legal obligation — where required to comply with law

We share information with service providers who process data on our instructions ("subprocessors"), including for example:

• Hosting and edge — application and static hosting (for example Vercel)
• Database and storage — managed databases and object storage for accounts and product data
• AI inference — model providers reached via gateways such as OpenRouter, and directly configured model endpoints where applicable
• Sandboxes — isolated execution providers such as E2B when you use features that run code or agents in a sandbox
• Source control — GitHub (and similar) for repository access you authorize
• Analytics — privacy-conscious analytics where enabled (for example Vercel Analytics)

We may also disclose information if required by law, to protect rights and safety, or in connection with a merger or acquisition.

A current subprocessor list may be provided on request or in your order form.

We may process data in the United States, the European Economic Area, the United Kingdom, and other regions where we or our providers operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses.

We retain personal data only as long as needed for the purposes above, including legal, accounting, and security requirements. Technical logs may be retained for shorter rolling periods. Repository and review artifacts may be retained according to your plan, workspace settings, and operational backups until deleted or anonymized.

Depending on your jurisdiction, you may have rights to access, rectify, delete, restrict, or object to certain processing, and to data portability. You may withdraw consent where processing is consent-based. To exercise rights, contact privacy@critique.sh. You may lodge a complaint with a supervisory authority.

We implement administrative, technical, and organizational measures designed to protect information. No method of transmission or storage is completely secure; we encourage strong authentication and least-privilege access to GitHub organizations.

The Services are not directed to children under 16 (or the age required in your jurisdiction). We do not knowingly collect personal information from children.

The optional assistant below answers questions about this Privacy Policy or our Terms using a hosted large language model reached through OpenRouter (NVIDIA Nemotron 3 Super via the Nitro route, unless configured otherwise).

Critique does not store these assistant conversations in your Critique account or dashboard chat history. Each request is processed as a stateless API call for that interaction. For any logging or processing by OpenRouter, the model host, or network providers, see their respective privacy notices.

Do not paste secrets, credentials, or sensitive personal data into the assistant.

We use cookies and similar technologies for session authentication, preferences, security, and (where enabled) analytics. You can control cookies through browser settings; disabling some cookies may limit functionality.

We may update this policy to reflect product, legal, or operational changes. Material changes will be communicated as appropriate (for example by email or in-product notice).