Privacy Policy

Last updated: January 2025

1. Introduction

BambooSnow ("we," "our," or "the Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered software development automation platform (the "Service").

By using our Service, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our Service.

This policy applies to information we collect through the Service, including our website at bamboosnow.co, APIs, and any related services.

2. Information We Collect

2.1 Account Information

When you create an account via GitHub OAuth, we collect:

  • GitHub Profile Data: Username, display name, email address, and avatar URL
  • GitHub ID: Your unique GitHub identifier for authentication
  • OAuth Tokens: Access tokens to interact with GitHub on your behalf (encrypted at rest)

2.2 Repository Data

When you connect repositories to BambooSnow, we access:

  • Repository Metadata: Name, description, language, visibility status
  • Code Content: Source code files for analysis by AI agents (processed in-memory, not permanently stored)
  • Pull Request Data: Diffs, comments, and metadata for code review agents
  • Issue Data: Issue content, labels, and metadata for triage agents
  • Commit History: Recent commits for context in agent analysis

2.3 Usage and Analytics Data

  • Agent Run Logs: Records of agent executions, including timestamps, run types, token usage, and status
  • Work Cycle Consumption: Usage metrics tied to your subscription
  • Feature Usage: Which features and agents you use, and how frequently
  • Error Logs: Technical errors for debugging (sanitized to remove sensitive data)

2.4 Payment Information

Payment processing is handled by Stripe. We do not store your full credit card number, CVV, or other payment credentials. We receive from Stripe:

  • Last four digits of your card
  • Card brand and expiration date
  • Billing address (if provided)
  • Transaction history and subscription status

2.5 Technical Data

  • IP Address: For security, rate limiting, and fraud prevention
  • Browser/Device Info: User agent string for compatibility
  • Cookies: Session cookies for authentication (see Section 8)

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Delivery

  • Authenticate your identity and authorize repository access
  • Execute AI agents on your repositories (code review, test analysis, documentation, etc.)
  • Post comments, labels, and pull requests on your behalf
  • Track Work Cycle usage and enforce subscription limits
  • Process payments and manage your subscription

3.2 AI Processing

  • Send code snippets and context to AI models (Anthropic Claude) for analysis
  • Generate code reviews, documentation updates, and other agent outputs
  • Apply security guardrails to detect and redact secrets in AI inputs/outputs

3.3 Service Improvement

  • Analyze usage patterns to improve agent quality and user experience
  • Debug issues and fix bugs in the Service
  • Develop new features based on user needs

3.4 Communication

  • Send service-related notifications (subscription updates, agent alerts)
  • Respond to support requests
  • Send product updates and announcements (you can opt out)

3.5 Security and Compliance

  • Detect and prevent fraud, abuse, and security threats
  • Enforce our Terms of Service
  • Comply with legal obligations

4. AI Model Data Handling

Important: BambooSnow uses third-party AI models (primarily Anthropic's Claude) to power our agents. Here's how your data is handled:

4.1 Data Sent to AI Models

  • Code snippets relevant to the agent task (e.g., PR diffs, test output)
  • Context about your repository (language, framework indicators)
  • Agent instructions and system prompts

4.2 AI Provider Commitments

We use Anthropic's API with the following data handling guarantees:

  • No Training: Your code is NOT used to train AI models
  • No Retention: Anthropic does not retain your data after processing
  • Zero Data Retention: We use API settings that ensure no data logging by the provider

4.3 Security Guardrails

Before sending data to AI models, we apply guardrails to detect and redact potential secrets (API keys, passwords, tokens). However, you should never commit secrets to your repositories. See our Terms of Service for user responsibilities.

5. Data Sharing and Disclosure

We do not sell your personal information. We share data only in the following circumstances:

5.1 Service Providers

We share data with trusted third parties who help us operate the Service:

  • Anthropic: AI model provider (receives code snippets for analysis)
  • GitHub: Source code platform (we access repositories you authorize)
  • Stripe: Payment processor (receives billing information)
  • Railway: Cloud infrastructure provider (hosts our backend services)
  • Vercel: Frontend hosting (serves our web application)
  • PostgreSQL/Redis: Database services (store account and usage data)

5.2 Legal Requirements

We may disclose information if required to:

  • Comply with legal process (subpoenas, court orders)
  • Protect our rights, privacy, safety, or property
  • Enforce our Terms of Service
  • Respond to emergency situations

5.3 Business Transfers

If BambooSnow is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership.

6. Data Security

We implement industry-standard security measures to protect your data:

6.1 Encryption

  • In Transit: All data transmitted over HTTPS/TLS 1.3
  • At Rest: Sensitive data encrypted using AES-256
  • OAuth Tokens: Encrypted with application-level encryption before storage
  • Agent Secrets: One-way hashed; we cannot retrieve them after initial display

6.2 Access Controls

  • Role-based access control for internal systems
  • Principle of least privilege for service accounts
  • Multi-factor authentication for administrative access

6.3 Infrastructure Security

  • Hosted on SOC 2 compliant infrastructure
  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • DDoS protection and rate limiting

6.4 Incident Response

In the event of a data breach, we will notify affected users within 72 hours of discovery, as required by applicable law. Notifications will include the nature of the breach, data affected, and remediation steps.

7. Data Retention

7.1 Active Accounts

  • Account Data: Retained while your account is active
  • Agent Run Logs: Retained for 90 days for debugging and analytics
  • Usage Metrics: Aggregated metrics retained indefinitely (non-personally identifiable)
  • Code Content: Processed in-memory and not permanently stored

7.2 Repository Disconnection

When you disconnect a repository:

  • Agent run history for that repository is deleted within 30 days
  • Repository metadata is removed immediately
  • Any cached code analysis is purged

7.3 Account Deletion

When you delete your account:

  • All personal data is deleted within 30 days
  • OAuth tokens are revoked immediately
  • Billing records retained as required by law (typically 7 years for tax purposes)
  • Anonymized, aggregated analytics data may be retained

7.4 Legal Holds

We may retain data longer if required by law or legal proceedings.

8. Cookies and Tracking

8.1 Essential Cookies

We use essential cookies required for the Service to function:

  • Session Cookie: Maintains your authenticated session
  • CSRF Token: Protects against cross-site request forgery

8.2 Analytics

We may use privacy-respecting analytics to understand how the Service is used. We do not use invasive third-party trackers or sell data to advertisers.

8.3 Do Not Track

We honor Do Not Track (DNT) browser signals. When DNT is enabled, we disable non-essential analytics.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

9.1 Access and Portability

You can request a copy of your personal data in a machine-readable format. Contact privacy@bamboosnow.com to request an export.

9.2 Correction

You can update your account information through your dashboard. For other corrections, contact us.

9.3 Deletion

You can delete your account at any time through Settings > Account > Delete Account. This will remove your personal data as described in Section 7.

9.4 Restriction and Objection

You can disconnect repositories to stop agent processing. You can also contact us to restrict certain processing activities.

9.5 Withdraw Consent

You can revoke GitHub OAuth access at any time through GitHub's settings. This will prevent BambooSnow from accessing your repositories.

9.6 Complaint

If you believe we have violated your privacy rights, you may file a complaint with your local data protection authority.

10. Regional Privacy Rights

10.1 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to Know: What personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information, so this does not apply
  • Non-Discrimination: We will not discriminate against you for exercising your rights

10.2 European Economic Area (GDPR)

For EEA residents, we process data under the following legal bases:

  • Contract: To provide the Service you requested
  • Legitimate Interest: For security, fraud prevention, and service improvement
  • Consent: For optional marketing communications
  • Legal Obligation: To comply with applicable laws

Data transfers outside the EEA are conducted using Standard Contractual Clauses approved by the European Commission.

10.3 UK Residents

UK residents have similar rights under the UK GDPR. We use the UK International Data Transfer Agreement for cross-border transfers.

11. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@bamboosnow.com, and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • Email notification to the address on file
  • Prominent notice on our website
  • In-app notification

We will provide at least 30 days' notice before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact Us

For privacy-related questions or to exercise your rights, contact us:

  • Email: privacy@bamboosnow.com
  • General inquiries: hello@bamboosnow.com
  • Security issues: security@bamboosnow.com

We aim to respond to all privacy requests within 30 days.

14. Data Protection

For GDPR-related inquiries, you may contact our data protection team at dpo@bamboosnow.com. We take our responsibility to protect your data seriously and are committed to transparency in our data practices.