This Privacy Policy describes how erabot.ai (“we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you use our AI code cost analysis and optimization platform (the “Service”). This policy applies to all users worldwide, including users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with data protection laws.
We are committed to protecting your privacy and handling your data transparently. Please read this policy carefully before using the Service.
Operated by: Rohan Shah (trading as erabot.ai)
Contact: privacy@erabot.ai
1. Information We Collect
1.1 Account Data
When you create an erabot.ai account, we collect:
- Email address -- used for authentication, account recovery, and service communications
- Name -- used for account identification and report personalization
- Password -- stored as an Argon2 hash; we never store plaintext passwords
- Authentication tokens -- JWT tokens stored in HTTP-only secure cookies
1.2 Code Analysis Data
When you submit code for analysis, we process:
- Source code -- submitted via paste, file upload, or GitHub repository connection
- File metadata -- file names, line counts, programming languages detected
- Scan results -- LLM API call patterns detected, token usage estimates, cost calculations, optimization recommendations
Important: Your raw source code is deleted immediately after the scan completes. See Section 3 for full details.
1.3 Usage Data
We automatically collect:
- Scan history -- timestamps, scan types, number of files scanned
- Feature usage -- which report formats you generate, features accessed
- Session data -- login timestamps, session duration, pages visited
- Device information -- browser type, operating system, screen resolution
1.4 Payment Data
If you subscribe to a paid plan:
- Payment processing -- handled entirely by Stripe. We do not store, process, or have access to your credit card numbers, CVV, or full card details.
- Billing metadata -- we store your Stripe customer ID, subscription plan, billing cycle, and payment status
1.5 GitHub Data (Optional)
If you connect your GitHub account:
- Repository metadata -- repository names, file structures, language statistics
- Source code -- fetched via GitHub API for analysis only, subject to the same immediate deletion policy
- GitHub authorization token -- encrypted at rest using Fernet symmetric encryption
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service -- analyzing your code for AI API cost optimization, generating scan reports, producing code diffs and recommendations
- Generating reports -- creating PDF reports, Markdown files, and auto-fix diffs based on your scan results
- Account management -- authenticating your identity, managing your subscription, processing payments via Stripe
- Service improvement -- analyzing aggregate usage patterns to improve scan accuracy, report quality, and user experience
- Communications -- sending account-related emails (password resets, subscription changes, security alerts). We do not send marketing emails without explicit opt-in consent.
- Security -- detecting and preventing unauthorized access, abuse, and fraudulent activity
We do not sell, rent, or trade your personal data to third parties. We do not use your submitted code for training AI models.
3. Code Analysis Data
This section describes exactly how your source code is handled. This is the most important section of this policy for developers considering whether to trust erabot.ai with their code.
3.1 Code Processing Pipeline
When you submit code for analysis:
- Your code is received by our backend service hosted on Fly.io
- The code scanner detects LLM API call patterns, token usage, and cost-relevant code paths
- Detected code segments are sent to Google Gemini API for AI-powered analysis (with secrets redacted)
- The audit engine generates findings, cost estimates, and optimization recommendations
- Reports are generated (PDF, Markdown, auto-fix diffs) based on the findings
- Your raw source code is deleted immediately after the scan completes
3.2 What Is Retained After a Scan
After your scan completes and raw code is deleted, we retain only:
- Scan metadata -- timestamp, file count, languages detected, scan duration
- Findings -- specific issues found, cost estimates, savings projections
- Generated reports -- PDF reports, Markdown reports, and code diff patches
- Aggregate statistics -- total estimated cost, potential savings percentage, number of issues found
3.3 What Is NOT Retained
- Raw source code -- deleted immediately after scan. Zero retention period.
- ChromaDB vectors -- any vector embeddings derived from your code during the scan are deleted when the scan completes
- Temporary files -- any intermediate processing files are deleted immediately
3.4 Secrets Redaction
Before any code is sent to the Google Gemini API for analysis, we perform a pre-scan secrets detection pass. Detected secrets (API keys, passwords, tokens, credentials) are redacted from the payload before it is transmitted to Google.
4. API Key Handling
4.1 Your erabot.ai API Keys
- API keys are stored using Fernet symmetric encryption at rest in our database
- Keys are never stored in plaintext
- Keys are decrypted only at the point of use and immediately discarded from memory
- Keys are never logged at any verbosity level
- Keys are never sent to third-party services
4.2 Your Third-Party API Keys
- These keys are encrypted with the same Fernet symmetric encryption at rest
- Keys are decrypted only when needed for API calls on your behalf
- Keys are never logged, cached in plaintext, or shared with any third party
- You can delete your stored API keys at any time from your account settings
5. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Raw source code | Immediately deleted after scan completes | Automatic |
| ChromaDB vectors from code | Immediately deleted after scan completes | Automatic |
| Scan reports and findings | Retained until you delete your account | User-initiated or account deletion |
| Account data (email, name) | Retained while account is active + 30 days after deletion | Account deletion request |
| Authentication tokens (JWT) | 15-minute access token, 7-day refresh token | Automatic expiry |
| Encrypted API keys | Retained while account is active | Account deletion or key revocation |
6. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
6.1 Right to Access (Article 15)
You have the right to request a copy of all personal data we hold about you.
6.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data.
6.3 Right to Erasure (“Right to Be Forgotten”) (Article 17)
You have the right to request deletion of your personal data. You can delete individual scan results from your dashboard or delete your entire account.
6.4 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
6.5 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances.
6.6 Right to Object (Article 21)
You have the right to object to processing of your personal data for certain purposes.
6.7 Subject Access Request (SAR)
To exercise any of these rights, submit a Subject Access Request to:
Email: privacy@erabot.ai
Subject line: “Subject Access Request -- [Your Right]”
We will respond to your request within 30 days, as required by GDPR.
6.8 Data Protection Officer (DPO)
Our Data Protection Officer can be contacted at: privacy@erabot.ai
6.9 Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO).
7. Legal Basis for Processing (GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of a contract (Article 6(1)(b)) |
| Account management | Performance of a contract (Article 6(1)(b)) |
| Service improvement | Legitimate interests (Article 6(1)(f)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence:
8.1 Google Gemini API (United States)
Code segments (with secrets redacted) are sent to Google's Gemini API for AI-powered analysis. Google acts as a data processor. Standard Contractual Clauses (SCCs) apply.
8.2 Fly.io (Global)
Our application is hosted on Fly.io infrastructure under a Data Processing Agreement.
8.3 Stripe (United States)
Payment data is processed by Stripe, Inc. Stripe maintains Standard Contractual Clauses for international transfers.
9. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Google Gemini API | AI-powered code analysis | Redacted code segments |
| Stripe | Payment processing | Email, billing info |
| Fly.io | Application hosting | All app data (encrypted) |
| GitHub | Repository access (optional) | Repo metadata, code (temporary) |
We do not use advertising networks, tracking pixels, or third-party analytics that would share your data with advertisers.
10. Data Security
- Encryption at rest -- API keys encrypted with Fernet; database via PostgreSQL TLS
- Encryption in transit -- All connections require TLS 1.2+; HSTS enforced
- Authentication -- JWT in HTTP-only secure cookies; Argon2 password hashing
- Secret detection -- Pre-scan secrets redaction before external API calls
- Logging -- Structured logging excluding sensitive data
11. Children's Privacy
erabot.ai is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' notice via email or prominent website notice.
13. Contact Us
Email: privacy@erabot.ai
Data Protection Officer: privacy@erabot.ai
14. Jurisdiction-Specific Provisions
14.1 California Residents (CCPA)
California residents have additional rights under the CCPA, including the Right to Know, Right to Delete, and Right to Opt-Out of Sale. We do not sell your personal information.
14.2 UK Residents
For UK residents, references to “GDPR” include the UK GDPR under the Data Protection Act 2018. Your supervisory authority is the Information Commissioner's Office (ICO).
This Privacy Policy is effective as of April 1, 2026. erabot.ai is operated by Rohan Shah.