Privacy Policy
This Policy describes how Rethunk.Tech, LLC. ("we," "us," or "Citadel"), operator of src.land, collects, uses, and protects personal information. It applies to all users of src.land, the Citadel API, and the Citadel CLI.
1. Data We Collect
Account and profile data
When you register, we collect your email address and a display name (handle/slug). You may optionally provide a biography, location, website URL, pronouns, and a profile avatar. For organizations, you may provide a legal entity name.
Repository and content data
We store the Git repositories, files, issues, wiki pages, and other content you push or create. We build a per-namespace knowledge graph from your repository structure to power search and code-intelligence features. This index is used solely to provide features to you and your authorized collaborators; it is never shared with third parties or used to train AI models.
Usage and activity data
We log the following to provide and secure the service:
- Audit log entries for account and namespace actions (sign-ins, permission changes, pushes, deletions). Audit rows include an action type, timestamp, and actor identifier.
- Agent-action counts for metering and billing purposes.
- Per-repo aggregate traffic counts (views, clones) over a rolling 14-day window. Unique-visitor counts use a salted daily hash of IP address and User-Agent; raw IP addresses are not stored. Anonymous requests carrying DNT: 1 or Sec-GPC: 1 are excluded from unique-visitor series.
- Support thread content when you contact us.
Analytics data (consent-gated)
If you consent to analytics cookies, we load Plausible Analytics, a privacy-preserving analytics service. Plausible does not use cookies for analytics, does not fingerprint individual users, and does not track you across sites. We collect aggregate page views, referrer paths, and named funnel events (e.g., signup stage reached). No personally identifiable information is included in Plausible events. Signed-in users who opt out via Settings → Privacy generate no analytics events.
Payment data
Payment card details are collected and processed by Polar.sh. We do not store your card number, CVV, or full billing address on our infrastructure. We receive billing status, subscription tier, and invoice history from Polar.sh.
2. How We Use Your Data
- To provide, operate, and improve the src.land service.
- To authenticate you and enforce access controls on namespaces, repositories, and agent tokens.
- To meter agent-action usage and calculate billing overages.
- To send transactional email (sign-in links, notifications, export completion).
- To investigate and respond to security incidents, abuse reports, and support requests.
- To comply with legal obligations.
We do not use your data for targeted advertising. We do not sell your data to third parties.
3. Processors and Sub-processors
We engage the following third-party sub-processors to provide the service. Each processes data only as directed by us and under data processing agreements.
| Processor | Purpose | Data transferred |
|---|---|---|
| Supabase | Authentication (GoTrue), managed Postgres database | Email address, hashed credentials, profile rows, all application data |
| Polar.sh | Subscription billing and metered usage invoicing | Email address, subscription tier, usage counts |
| Mailgun | Transactional email delivery (domain: mg.src.land) | Email address, message content of transactional emails |
| Plausible Analytics | Aggregate product analytics (consent-gated; no cookies; no PII) | Page path, referrer, event name (no user identifiers) |
| DigitalOcean | Cloud compute (Droplet), object storage (Spaces), and DNS | All data stored on-disk: Git repositories, exports, avatars, binary logs |
4. Data Retention
We retain data for as long as your account is active or as needed to provide the service. Specific retention windows:
| Data type | Free | Pro | Enterprise |
|---|---|---|---|
| Audit log entries | 90 days | 365 days | 2,555 days (~7 years, legal-hold capable) |
| Data export bundles | All plans: 14 days from creation (signed download URL; deleted on expiry) | | |
| Repository data (post-deletion) | All plans: soft-deleted immediately on account closure; hard-purged on standard cleanup schedule (typically days to weeks) | | |
| Aggregate repo traffic | All plans: 14-day rolling window | | |
| Support thread messages | All plans: retained for the lifetime of the support relationship; deleted on account erasure | | |
Audit log purge runs daily. Rows older than the plan retention window are deleted on each purge cycle.
5. Your Rights
Depending on your jurisdiction (including GDPR and PIPEDA), you may have the following rights:
- Access: request a copy of personal data we hold about you.
- Portability (export): Settings → Privacy → Export my data produces a portable ZIP bundle (profile, repo metadata, audit log rows, support threads, avatars) available for 14 days via signed URL. Bare repository bytes are not included; clone the repo directly.
- Erasure (deletion): Settings → Danger Zone → Delete my account. A 7-day cooling window follows, during which you may cancel. After the window, your account and associated personal data are removed from active systems per the retention schedule above.
- Correction: update profile fields directly in Settings → Profile.
- Objection / restriction: contact us at legal@rethunk.tech to request that we restrict processing while a complaint is resolved.
To exercise rights that are not self-service, email legal@rethunk.tech. We will respond within 30 days. We may ask you to verify your identity before acting on a request.
6. Cookies and Local Storage
Essential cookies
We use an HttpOnly session cookie and a CSRF protection token for authentication. These are required for the service to function and cannot be declined.
Analytics cookies (consent-gated)
Plausible Analytics is loaded only if you have given analytics consent via the cookie banner. Plausible does not set cookies for tracking purposes; it uses an in-memory script that does not persist between sessions.
Marketing cookies (consent-gated)
If you consent to marketing cookies, we record UTM parameters and referral codes from your landing URL in local storage to measure which channels brought you to src.land. This data is not shared with advertising networks.
Cookie consent
Your consent preferences are stored in a first-party cookie. You may update your preferences at any time via the cookie settings panel in the application footer.
7. Security
We use industry-standard measures to protect data in transit (TLS) and at rest (encrypted volumes). Authentication supports multi-factor authentication (TOTP and passkeys). We maintain an audit log of sensitive account actions. Notwithstanding these measures, no system is perfectly secure; we will notify affected users in the event of a breach affecting personal data as required by applicable law.
8. Children
src.land is not directed at children under 13 (or under 16 in jurisdictions where a higher minimum age applies). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without appropriate consent, we will delete it.
9. Changes to This Policy
We may update this Policy to reflect changes in our practices or applicable law. Material changes will be communicated by email or prominent in-app notice at least 14 days before taking effect.
10. Contact
For privacy inquiries, data subject rights requests, or questions about this Policy, contact us at legal@rethunk.tech.
Governing law: British Columbia, Canada. See our Terms of Service for the full dispute resolution clause.