Privacy Policy

Bitsness Technology & Solutions Co., Ltd. ("Bitsness", "we", "us", or "our") operates the Grapuco platform (grapuco.com). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

1.1 Account Information

• Email address (used for registration, login OTP, and communications)
• Account credentials (password stored as bcrypt hash - never in plaintext)
• Display name and profile preferences

1.2 Repository & Code Data

• Source code files you upload (ZIP) or push via delta updates
• Repository names and metadata
• Extracted code symbols (functions, classes, interfaces) and their relationships
• AI-enriched metadata (dependency maps, semantic labels, process flows)

Important: Uploaded source code files are processed in isolated worker environments and deleted after indexing. We only store the extracted knowledge graph - not your raw source code.

1.3 Usage Data

• API call frequency and feature usage patterns
• AI credit consumption and billing history
• MCP Server connection logs (API key prefix, timestamp - not the full key)
• Device information, browser type, and IP address for security

2. How We Use Your Information

• Provide, maintain, and improve the Grapuco platform
• Process your repositories into knowledge graphs
• Generate vector embeddings for semantic code search
• Send transactional emails (OTP codes, account notifications, billing receipts)
• Enforce usage limits based on your subscription plan
• Detect and prevent abuse, fraud, and security threats
• Provide customer support

3. Data Storage & Multi-Tenancy

Grapuco uses a multi-tenant architecture with strict data isolation:

• PostgreSQL: Relational data (accounts, subscriptions, symbols) isolated by tenant ID
• Neo4j: Graph data (code relationships, communities) isolated by tenant namespace
• Redis: Session data and rate limiting with per-tenant keys
• pgvector: Vector embeddings for semantic search, scoped per repository

No tenant can access another tenant's data. All database queries are scoped to the authenticated tenant.

4. Data Security

• All data in transit is encrypted via TLS 1.3
• Passwords are hashed using bcrypt with salt rounds
• API keys are hashed (bcrypt) - only the prefix is stored in plaintext for identification
• OTP codes expire after 10 minutes and are single-use
• JWT tokens have configurable expiration
• Rate limiting on authentication endpoints to prevent brute-force attacks

5. Third-Party Services

We use the following third-party services:

• AI Embedding Models: Used for semantic enrichment of code symbols. Code metadata sent for enrichment is processed according to the provider's data terms and is not used for model training.
• Stripe: Payment processing for subscriptions and credit top-ups. We do not store credit card information - Stripe handles all payment data.
• Email Provider: For sending OTP codes and transactional emails.

6. Data Retention

• Account data: Retained while your account is active
• Knowledge graph data: Retained according to your plan's data retention policy (30-365 days)
• Credit transaction history: Retained for 12 months for billing purposes
• Raw source code: Deleted immediately after indexing is complete
• Upon account deletion: All associated data is permanently removed within 30 days

7. Your Rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your knowledge graph data
• Revoke API keys at any time
• Withdraw consent for non-essential communications

8. Cookies

We use essential cookies only: a locale preference cookie (NEXT_LOCALE) and session authentication tokens. We do not use tracking cookies or third-party analytics cookies.

9. Children's Privacy

Grapuco is not intended for users under 16 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related inquiries, contact us at: