Privacy Policy
Effective 2026-04-21 · Infinite Labs OÜ, Tallinn, Estonia · GDPR-first
TL;DR
- We store your activity metadata. Never your prompts or Claude’s responses.
- All event data lives on EU servers (Hetzner, Frankfurt).
- Team dashboards are aggregate-first. Individual rankings require explicit opt-in.
- You can download or delete your data any time from /me.
1. Data controller
Infinite Labs OÜ (registry code 16832129), Tallinn, Estonia. Contact privacy@scoreflow.dev.
2. What we collect
When you sign in: email, display name, OAuth provider, optional Google avatar URL.
When Claude Code (or a connected AI tool) sends events: metadata only — prompt length, token counts, tool name, tool acceptance (yes/no), timing, service name, session identifier, repository name (if the tool reports it). No prompt text. No response text. No source code content.
We also log standard security metadata (IP address, user-agent) for 30 days to detect abuse. This is not joined with your event data for scoring.
3. Where it lives
All event data is stored in ClickHouse and PostgreSQL on Hetzner servers in Frankfurt, Germany. It never leaves the EU. Identity (WorkOS) and payments (Lemon Squeezy, as Merchant of Record for VAT) run on US-hosted providers — but event data and scores never leave the Frankfurt boundary.
4. Why we process it
Legal basis under GDPR Article 6(1)(b) — performance of contract: you asked us to score your AI usage, we do that.
For team dashboards aimed at managers, we enforce a k-anonymity floor of 5 distinct users: aggregates shown to managers always include at least 5 people, otherwise we redact. Individual rankings require the scored user to have flipped individualOptIn to true — this is the default for community teams (on signup) and disabled for enterprise teams until the user opts in.
5. Retention
Raw events: 90 days. After that, daily aggregates remain (scores + component breakdowns) but the raw event rows are deleted.
Score history (daily CCS): kept as long as your account is active.
Sessions: 14 days. Magic link tokens: 15 minutes.
6. Who sees your data
You: your full history on /me and /u/<handle>.
Your team lead: aggregate scores only, unless you opted into individual visibility. They never see your prompts (we don’t store them).
Other users: nothing, unless you picked a public handle. Picking a handle flips individualOptIn and makes your level, XP, top skills, and achievements visible at /u/<handle>. You can clear the handle at any time.
Processors we use: Resend (transactional email, EU region), Lemon Squeezy (payments, MoR), Google (OAuth only, identity). We share only the minimum needed for each service. No data broker sharing. No advertising.
7. Your rights (GDPR)
You have the right to access (Art. 15), rectify (Art. 16), erase (Art. 17), and port (Art. 20) your data, and to restrict (Art. 18) or object to (Art. 21) its processing. Exercise any of these by emailing privacy@scoreflow.dev or clicking Delete Account on /me. We respond within 30 days.
You can also complain to your local data-protection authority. In Estonia: the Data Protection Inspectorate (aki.ee).
8. Security
Encryption in transit (TLS 1.2+) everywhere. Per-tenant admin keys (Anthropic, GitHub) encrypted at rest via AES-256-GCM with scrypt KDF on a master key stored outside the database. k-anonymity floor = 5 on every aggregate surfaced to managers.
9. Changes
We may update this Policy. Material changes are emailed to your account 14 days before they take effect.
Questions: privacy@scoreflow.dev