Privacy Policy

Last Updated: February 19, 2026

TL;DR: Critiq doesn't collect, transmit, or store any of your code, repositories, or usage data. Everything runs locally on your machine. We only process payment and license information through our payment processor.

Our Commitment to Privacy

Critiq is a desktop application that runs entirely on your local machine. We fundamentally believe that your code and development workflow are private, and we've built Critiq to respect that principle.

What We Don't Collect

Critiq does not collect, transmit, or store:

Your source code or repository contents
Git commit history, branches, or metadata
File names, paths, or directory structures
Usage analytics or telemetry data
Crash reports or error logs
AI prompts or responses
Language server protocol (LSP) data
Any personally identifiable information from the application

What We Do Collect

Payment and License Information

When you purchase Critiq, payment processing is handled by Lemon Squeezy, our merchant of record. Lemon Squeezy collects:

Your email address (for license delivery and receipts)
Payment information (processed securely by Lemon Squeezy, we never see your payment details)
Billing address (if required for tax purposes)
License key associated with your purchase

Lemon Squeezy's privacy policy can be found at: https://www.lemonsqueezy.com/privacy

License Validation

When you activate Critiq with your license key, the application makes a secure API call through our licensing functions to Lemon Squeezy to validate that the license is legitimate and active. This validation request may include:

Your license key
A hashed machine identifier used as an instance/device identifier
An activation or instance identifier returned by Lemon Squeezy

Paid licenses may be re-validated periodically (approximately every 14 days) so the app can continue to run while allowing short offline periods. Trial licenses are limited to one 14-day trial per device hash.

Website Analytics

Our marketing website (getcritiq.dev) does not use tracking cookies or analytics services. We do not track your browsing behavior or collect visitor data.

Third-Party Services

AI Providers

If you choose to use Critiq's AI features, you must provide your own API key for your chosen AI provider (Claude, ChatGPT, Gemini, or custom). When you use AI features:

Your API key is stored locally on your machine only
AI prompts and code context are sent directly from your machine to your chosen AI provider
We never see, store, or have access to your AI interactions
Refer to your AI provider's privacy policy for how they handle data

Git Provider OAuth (GitHub, GitLab, Bitbucket)

Critiq lets you connect GitHub, GitLab, and Bitbucket via OAuth using apps we own. During OAuth, the provider shares basic profile info (e.g., username and email) with our app. We do not send this data to our servers; we display it locally and store the OAuth tokens only in your system keychain for cloning/fetch/push and PR APIs directly from your machine. Repo data stays local—we do not proxy or store your repositories.

Licensing

When you activate a Critiq license, we call our licensing provider (Lemon Squeezy) and pass your license key and a hashed machine identifier as the instance name. This identifier helps manage activation slots. For trial enforcement, we store a device hash and trial start/expiry timestamps in our Supabase project. We also store licensing receipt data locally on your machine so activation and validation state can persist between app restarts.

Supabase Edge Functions

Certain features (license activation/validation, trial start checks, checkout, lead capture, and OAuth token exchange for GitHub/GitLab/Bitbucket) are proxied through Supabase Edge Functions we control. These functions may log basic request metadata (e.g., timestamp, IP, user agent) for security and abuse prevention. We do not persist or analyze your code, repo contents, or AI data through Supabase; only the minimal data needed for the specific function (e.g., license key for activation/validation, device hash for trial eligibility, OAuth code for token exchange) is forwarded to the downstream provider.

Git and Language Servers

Critiq integrates with your local git installation and language servers. All operations are performed locally. Critiq does not intercept, modify, or transmit any data from these integrations.

Data Storage

All application data is stored locally on your machine, including:

Application settings and preferences
Your AI provider API keys (stored in your system's secure credential storage)
Your license key
Signed license receipt and expiry metadata
LSP server configurations

This data never leaves your machine unless you explicitly choose to sync it using your own backup or sync solutions.

Security

Because Critiq operates entirely locally and doesn't transmit your code or usage data, the security of your code and workflow is under your control. We recommend:

Keeping your operating system and Critiq up to date
Using secure credential storage for your git and API keys
Following your organization's security best practices for local development tools

Children's Privacy

Critiq is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify users by updating the "Last Updated" date at the top of this policy. Your continued use of Critiq after changes are posted constitutes acceptance of the updated policy.

Your Rights

Because we don't collect or store your usage data, there is no user data for us to access, modify, or delete. For payment and license data held by Lemon Squeezy, you may contact them directly to exercise your data rights under GDPR, CCPA, or other applicable privacy laws.

Data Protection and Jurisdiction

Critiq is operated from Denmark and complies with the European Union's General Data Protection Regulation (GDPR). For any data protection matters, the Danish Data Protection Authority (Datatilsynet) has jurisdiction. While we process minimal personal data as described in this policy, we are committed to maintaining the highest standards of data protection and privacy.

Contact

If you have questions about this Privacy Policy or Critiq's privacy practices, please contact us at hello@getcritiq.dev.