Privacy Policy
Last updated: March 3, 2026
Effective date: March 3, 2026
The Short Version
CodeMarine runs on your machine. Your source code never leaves your device. We never see it, store it or transmit it. The only data we receive is: your email when you sign up or subscribe, license tokens, anonymous usage signals (opt-out available), package names for CVE matching (opt-out available) and pattern updates. That's it. All code scanning is local. The only server-side data is account info and anonymised telemetry.
1. Introduction and Scope
Crack Thump Pty Ltd ("we," "our" or "us") operates CodeMarine, a local-first AI code security platform distributed as desktop software (CLI, daemon, MCP server, VS Code extension). This Privacy Policy explains what data we process, what leaves your machine and what doesn't when you use our website (codemarine.ai), software and services.
CodeMarine is designed around a core principle: all security scanning, code analysis and file reading happens locally on your machine. We built it this way on purpose. A security tool that sends your code to a third party defeats the point.
By using CodeMarine you agree to the collection and use of information as described in this policy. If you do not agree, do not use our services.
2. Data We Process Locally (Never Transmitted)
The following data is processed entirely on your machine and is never sent to any CodeMarine server:
| Data Type | How Used | Storage |
|---|---|---|
| Source code files | Scanned against security patterns by Guardian and scan tools | Never stored by CodeMarine. Read-only access |
| Code snippets from AI chat | Checked for vulnerabilities via MCP check_code tool | In-memory only during scan. Not persisted |
| File paths | Identify files to scan via Guardian file watcher | In-memory findings buffer. Cleared on Guardian stop |
| Security findings | Detected vulnerabilities reported to your IDE | In-memory buffer (max 1,000). Cleared on stop |
| AI IDE rules files | Scanned for backdoors in .cursorrules, copilot-instructions.md etc. | Not persisted. Results returned immediately |
| Package names (slopsquatting) | Checked against cached local registry for hallucinated packages | Offline lookup only. No network call |
3. Data We Collect From Your Device
The following data is transmitted to CodeMarine-operated servers. Each category includes what is sent, what is not sent and how to opt out.
3a. Pattern Sync
- Destination: `sarge.codemarine.ai` (HTTPS)
- Data sent: License key/JWT, client version, last-synced manifest version
- Data NOT sent: Source code, file paths, file contents, project information
- Frequency: On demand or periodic background (every few hours)
- Purpose: Download updated vulnerability detection patterns
- Required: Yes, for paid features. Free tier patterns are bundled offline
3b. Intelligence Feed (CVE Matching)
- Destination: `recon.codemarine.ai` (HTTPS)
- Data sent: Package names and versions from your project's dependency files (package.json, requirements.txt etc.), ecosystem identifiers (npm, pypi, go etc.), dependency count and fingerprint hash
- Data NOT sent: Source code, file paths, file contents, lock file contents
- Purpose: Match your project's dependencies against known CVE database for targeted vulnerability alerts
- Privacy controls:
  - `CODEMARINE_FINGERPRINT_ENABLED=false`: Disables fingerprint sync entirely. Falls back to ecosystem-only paginated sync (no package names sent)
  - `CODEMARINE_FINGERPRINT_MODE=hash_only`: Sends SHA-256 hashes of package names instead of plaintext. Ecosystem, version and dependency count are still sent
3c. License Validation
- Destination: `sarge.codemarine.ai` (HTTPS)
- Data sent: License key (JWT), machine fingerprint (SHA-256 hash of machine ID + hostname. Anonymous and not reversible)
- Data NOT sent: Source code, file paths, username, email (email only sent during initial activation)
- Frequency: On startup, then cached locally for 24 hours (7-day stale cache, 30-day grace period)
- Storage: Encrypted local cache at `~/.codemarine/license.cache` (AES-256-GCM + HMAC-SHA256, file permissions 600)
3d. Behavioural Telemetry
- Destination: `recon.codemarine.ai/collector` (HTTPS)
- Data sent: Anonymous user ID (SHA-256 hash, not reversible), session ID, content hash of git diffs (SHA-256 of the diff, NOT the diff itself), programming language, security pattern IDs matched (NOT the matched code), AI assistant name detected, AI risk score, edit interval, hour of day and day of week, filename (NOT full path) and extension
- Data NOT sent: Source code, file contents, git diffs, full file paths, user identity
- Frequency: Batch upload every 15 minutes
- Purpose: Aggregate behavioural intelligence for AI coding risk research and product improvement
- Opt-out: Set `TELEMETRY.enabled=false` in CodeMarine configuration
- Local queue: Pending events stored at `~/.cache/codemarine/telemetry_queue/` until uploaded
3e. Pattern Quality Feedback (Opt-in Only)
- Destination: `sarge.codemarine.ai/feedback/submit` (HTTPS)
- Data sent: Pattern ID, feedback type (e.g. "false_positive"), programming language, timestamp, anonymous installation ID
- Data NOT sent: Source code, file paths, matched text, user identity
- Opt-in requirement: Disabled by default. Must be explicitly enabled
- Purpose: Improve pattern quality across all users (reduce false positives)
4. Prompt Interception Proxy
CodeMarine includes an optional prompt interception proxy that can analyse HTTP traffic between your AI coding tools (Cursor, Copilot, Claude etc.) and their API providers. This is the most privacy-sensitive feature and requires explicit opt-in.
How It Works
- You explicitly start the proxy (`start_prompt_proxy` tool or CLI command)
- You configure your AI tools to route through `http://127.0.0.1:47124`
- The proxy relays requests to the real API endpoint (streaming passthrough)
- Before any storage: mandatory redaction of 50+ credential patterns (API keys, tokens, JWTs, SSH keys, passwords, file paths)
- Redacted metadata stored in RAM-only ring buffer (max 100 entries, 30-second TTL)
Hard Safety Limits (Cannot Be Changed)
- Bind address: 127.0.0.1 only (not network-accessible)
- Redaction: Always on. Cannot be disabled
- Buffer size: Max 100 prompts in memory
- TTL: 30 seconds. Auto-expires
- Max payload: 10 MB (rejects oversized requests)
- Rate limit: 100 requests per minute
What Is Never Captured
- Raw API keys or authentication tokens
- Streaming response bodies (never persisted)
- Full file paths (normalised to `[USER]`)
- Unredacted prompt content
If the proxy is not started, no prompt data is captured at all. If it fails, requests route directly to the API provider (fail-open design, no blocking).
5. AI Conversation History Access
CodeMarine includes tools that can read conversation history from other AI coding assistants installed on your machine (Claude Code, Cursor, GitHub Copilot, Windsurf, Aider, Continue, JetBrains AI, Cody, Amazon Q, Tabnine, Codex and Gemini Code Assist). These tools exist for security auditing purposes: detecting leaked credentials, sensitive data in prompts and prompt injection patterns.
Privacy Guarantees
- Read-only access: CodeMarine never modifies, deletes or writes to these files
- No transmission: Conversation content is never sent to any CodeMarine server
- No persistence: Data is returned via MCP response and not cached or stored
- User-initiated only: These tools only execute when you explicitly invoke them through your AI assistant
6. Data We Do NOT Collect
To be explicit about what we never receive:
- Your source code or file contents
- Git diffs or commit contents
- AI conversation text or chat history
- Full file paths or directory structures
- Raw LLM prompts or responses
- API keys, tokens or credentials from your environment
- Lock file contents (package-lock.json, yarn.lock etc.)
7. Website, Account and Subscription Data
7.1 Waitlist Signup
- Email address: When you sign up for the beta waitlist at codemarine.ai/enlist
- Referral information: Your referral code and who referred you (if applicable)
- Storage: Email addresses stored in Cloudflare KV (encrypted at rest) and Resend (email delivery provider)
- Purpose: Send product updates, beta access notifications and track referral programme rank
7.2 Account Creation
When you create a CodeMarine account (to activate a license or manage a subscription), we collect:
- Email address: Used for account identification, license delivery and service communications
- Name: If provided during registration
- Company name: If provided (optional, for team/enterprise licences)
- Authentication credentials: Securely hashed. We never store plaintext passwords
7.3 Subscription and Payment
- Payment processing: Handled by our payment processor (Stripe). We do not store your full credit card number, CVV or bank details on our servers
- What we store: Subscription tier, billing cycle, payment status, last four digits of your card (for your reference) and Stripe customer ID
- Invoices: Generated and stored by Stripe. Accessible through your account dashboard
- Purpose: Process payments, manage subscription lifecycle, send billing notifications and provide receipts
7.4 Communications
- Transactional emails: License keys, billing receipts, security alerts and account notifications. These are not marketing and cannot be opted out of while you have an active account
- Product updates: New features, security advisories and release notes. You can unsubscribe at any time
- Email provider: We use Resend for email delivery. Your email address is shared with Resend solely for delivery purposes
8. Third-Party Sharing
We do not sell, trade, rent or share your personal information with third parties. All data transmitted from the CodeMarine software goes to CodeMarine-operated servers only:
- `sarge.codemarine.ai`: Pattern sync and license validation (Firebase/GCP hosted)
- `recon.codemarine.ai`: Intelligence feed and behavioural collector (DigitalOcean hosted)
Service Providers
We use the following third-party service providers who process limited data on our behalf under strict confidentiality agreements:
- Stripe: Payment processing. Receives your payment details directly. We never see or store your full card number
- Resend: Email delivery. Receives your email address solely to deliver transactional and product emails
- Cloudflare: Website hosting and KV storage for waitlist data (encrypted at rest)
- Firebase/GCP: License validation and pattern sync infrastructure
- DigitalOcean: Intelligence feed and telemetry collector infrastructure
None of these providers are permitted to use your data for their own purposes.
We may also share information in the following limited circumstances:
- Legal requirements: When required by law, court order or government regulation
- Business transfers: In connection with a merger, acquisition or sale of assets (with notice to users)
9. Data Storage and Security
We implement the following security measures:
- Encryption in transit: All server communication over HTTPS/TLS
- Encryption at rest: License cache encrypted with AES-256-GCM + HMAC-SHA256
- File permissions: Credential files (proxy token, daemon token, encryption keys) set to 600 (owner-only read/write)
- Anonymous identifiers: User IDs derived from SHA-256 hashes (not reversible to identity)
- Localhost binding: Daemon and proxy bind to 127.0.0.1 only (not network-accessible)
- Mandatory redaction: 50+ credential patterns always redacted before any prompt storage
- Data minimisation: We collect only what is necessary for the specific feature
Local Data Storage
CodeMarine stores the following data on your machine:
- `~/.codemarine/`: Configuration, encrypted license cache, auth tokens, pattern blocklist
- `~/.cache/codemarine/`: Pattern database (SQLite), intelligence briefings, logs, telemetry queue, pattern cache
You can delete all local data at any time by removing these directories.
10. Data Retention
Server-Side
- Account data: Retained while your account is active and for 90 days after account closure, then permanently deleted
- Subscription and billing records: Retained for the duration of your subscription + 2 years for tax and accounting compliance
- License records: Duration of subscription + 30 days grace period
- Behavioural telemetry: 90 days, then permanently deleted
- Pattern quality feedback: Retained indefinitely (anonymised, contains no PII)
- Intelligence feed requests: Not stored server-side (processed and discarded)
- Waitlist emails: Retained until you unsubscribe or request deletion
Client-Side
- All local data: Retained until you delete `~/.codemarine/` and `~/.cache/codemarine/`
- Prompt buffer: 30 seconds (auto-expires in RAM)
- Telemetry queue: Deleted after successful upload
- License cache: 24h fresh, 7 days stale, 30 days grace. Automatically refreshed
11. Your Rights and Controls
You have the following controls over your data:
- Disable telemetry: Set `TELEMETRY.enabled=false` in CodeMarine configuration
- Disable fingerprint sync: Set `CODEMARINE_FINGERPRINT_ENABLED=false` to stop sending package names
- Use hash-only mode: Set `CODEMARINE_FINGERPRINT_MODE=hash_only` to send hashes instead of package names
- Never enable prompt proxy: Fully opt-in. No prompt data is captured if you don't start it
- Delete all local data: Remove `~/.codemarine/` and `~/.cache/codemarine/`
- Block specific patterns: Use `block_pattern` to suppress specific detections locally
- Revoke license: Deactivate via CLI or website
- Opt out of pattern feedback: Disabled by default. Don't enable it
- Request data deletion: Contact us at [email protected]
- Access your data: Request a copy of any personal information we hold
12. Children's Privacy
CodeMarine is a professional software development tool. It is not directed at children under 13 years of age (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.
13. International Data Transfers
CodeMarine is operated by Crack Thump Pty Ltd from Australia. Server infrastructure is hosted in the United States (DigitalOcean and Google Cloud Platform / Firebase). If you access our services from outside these regions, data transmitted to our servers may be processed in the US. We ensure appropriate safeguards are in place for international data transfers.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
15. Contact Information
If you have questions about this Privacy Policy or our data practices, please contact us:
Crack Thump Pty Ltd
Privacy: [email protected]
General: [email protected]
Website: https://codemarine.ai