Critiq logo

Legal

Privacy Policy

Privacy Policy

Last Updated: April 13, 2026

TL;DR: Critiq doesn't collect, transmit, or store any of your code, repositories, or usage data. Everything runs locally on your machine. We only process payment and license information through our payment processor. If you choose to include an email when submitting a bug report or feature request, we store it securely for support follow-up and delete it on request.

Our Commitment to Privacy

Critiq is a desktop application that runs entirely on your local machine. We fundamentally believe that your code and development workflow are private, and we've built Critiq to respect that principle.

What We Don't Collect

Critiq does not collect, transmit, or store:

  • Your source code or repository contents
  • Git commit history, branches, or metadata
  • File names, paths, or directory structures
  • Usage analytics or telemetry data
  • Crash reports or error logs
  • AI prompts or responses
  • Language server protocol (LSP) data
  • Personally identifiable information from the application unless you explicitly provide it

What We Do Collect

Payment and License Information

When you purchase Critiq, payment processing is handled by Lemon Squeezy, our merchant of record. Lemon Squeezy collects:

  • Your email address (for license delivery and receipts)
  • Payment information (processed securely by Lemon Squeezy, we never see your payment details)
  • Billing address (if required for tax purposes)
  • License key associated with your purchase

Lemon Squeezy's privacy policy can be found at: https://www.lemonsqueezy.com/privacy

License Validation

When you activate Critiq with your license key, the application makes a secure API call through our licensing functions to Lemon Squeezy to validate that the license is legitimate and active. This validation request may include:

  • Your license key
  • A hashed machine identifier used as an instance/device identifier
  • An activation or instance identifier returned by Lemon Squeezy

Paid licenses may be re-validated periodically (approximately every 14 days) so the app can continue to run while allowing short offline periods. Trial licenses are limited to one 14-day trial per device hash.

Optional Bug Report / Feature Request Contact Email

When submitting a bug report or feature request, you may optionally provide an email address so we can follow up for troubleshooting. Before submission, we ask for explicit consent via a checkbox: "I consent to email storage for troubleshooting".

  • Email collection is optional and only used for support communication
  • The email is stored securely in our Supabase project
  • You can request deletion at any time by contacting us

Website Analytics

Our marketing website (getcritiq.dev) does not use tracking cookies or analytics services. We do not track your browsing behavior or collect visitor data.

Third-Party Services

AI Providers

If you choose to use Critiq's AI features, you must provide your own API key for your chosen AI provider (Claude, ChatGPT, Gemini, or custom). When you use AI features:

  • Your API key is stored locally on your machine only
  • AI prompts and code context are sent directly from your machine to your chosen AI provider
  • We never see, store, or have access to your AI interactions
  • Refer to your AI provider's privacy policy for how they handle data

Git Provider OAuth (GitHub, GitLab, Bitbucket, Azure DevOps)

Critiq lets you connect GitHub, GitLab, Bitbucket, and Azure DevOps via OAuth using apps we own. During OAuth, the provider shares basic profile info (e.g., username and email) with our app. We do not send this data to our servers; we display it locally and store the OAuth tokens only in your system keychain for cloning/fetch/push and PR APIs directly from your machine. Repo data stays local—we do not proxy or store your repositories.

Licensing

When you activate a Critiq license, we call our licensing provider (Lemon Squeezy) and pass your license key and a hashed machine identifier as the instance name. This identifier helps manage activation slots. For trial enforcement, we store a device hash and trial start/expiry timestamps in our Supabase project. We also store licensing receipt data locally on your machine so activation and validation state can persist between app restarts.

Supabase Edge Functions

Certain features (license activation/validation, trial start checks, checkout, lead capture, and OAuth token exchange for GitHub/GitLab/Bitbucket/Azure DevOps) are proxied through Supabase Edge Functions we control. These functions may log basic request metadata (e.g., timestamp, IP, user agent) for security and abuse prevention. We do not persist or analyze your code, repo contents, or AI data through Supabase; only the minimal data needed for the specific function (e.g., license key for activation/validation, device hash for trial eligibility, OAuth code for token exchange, optional bug-report or feature-request contact email when consented) is forwarded to the downstream provider.

Git and Language Servers

Critiq integrates with your local git installation and language servers. All operations are performed locally. Critiq does not intercept, modify, or transmit any data from these integrations.

Binary Downloads

Critiq downloads optional runtime components (such as the local AI inference server and security scanning tools) from Cloudflare R2 storage. These downloads are made directly from your machine, and Cloudflare may log basic request metadata (IP address, user agent) per their standard practices. We do not track which users download these components.

Data Storage

All application data is stored locally on your machine, including:

  • Application settings and preferences
  • Your AI provider API keys (stored in your system's secure credential storage)
  • Your license key
  • Signed license receipt and expiry metadata
  • LSP server configurations

This data never leaves your machine unless you explicitly choose to sync it using your own backup or sync solutions.

Exception: if you choose to submit a bug report or feature request with an optional contact email and provide consent, that email is stored securely in Supabase for support follow-up and removed on request.

Security

Because Critiq operates entirely locally and doesn't transmit your code or usage data, the security of your code and workflow is under your control. We recommend:

  • Keeping your operating system and Critiq up to date
  • Using secure credential storage for your git and API keys
  • Following your organization's security best practices for local development tools

Children's Privacy

Critiq is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify users by updating the "Last Updated" date at the top of this policy. Your continued use of Critiq after changes are posted constitutes acceptance of the updated policy.

Your Rights

We do not collect or store usage telemetry data from the app. For payment and license data held by Lemon Squeezy, you may contact them directly to exercise your data rights under GDPR, CCPA, or other applicable privacy laws. If you provided an optional bug-report or feature-request contact email, you may request access, correction, or deletion by contacting us.

Data Protection and Jurisdiction

Critiq is operated from Denmark and complies with the European Union's General Data Protection Regulation (GDPR). For any data protection matters, the Danish Data Protection Authority (Datatilsynet) has jurisdiction. While we process minimal personal data as described in this policy, we are committed to maintaining the highest standards of data protection and privacy.

Contact

If you have questions about this Privacy Policy or Critiq's privacy practices, please contact us at hello@getcritiq.dev.