Privacy Policy

Last updated: 26 June 2026

This Privacy Policy explains how we collect, use, and protect your personal data when you use this website ("the Service"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU GDPR, Regulation 2016/679).

1. Data Controller

The data controller for personal data processed through this Service is LMSCloud Limited, operating as MDL Shield, with its registered office at The Black Church, St. Mary's Place, Dublin 7, D07 P4AX, Ireland. For enquiries regarding your personal data, please use the contact form.

2. What Data We Collect

Account data (authenticated users)

When you sign in via GitHub OAuth, we receive and store:

• Your name
• Your email address
• Your profile image URL
• Your GitHub account identifier

Session data

When you sign in, we create a session record containing a session token, your IP address, and browser user agent. Sessions expire after 7 days.

Plugin reviews and connected repositories

When you request a review, we process the plugin source code being reviewed. When you connect your own Git repository, we store the repository address and a normalised identifier for it, the review results and findings produced, and, for a private repository, a deploy key we generate for the connection (its public half, and its private half encrypted at rest). To run a review, we clone the relevant source code to a temporary working area, analyse it, and delete that working copy once the review finishes. We do not retain a copy of your source code after the review.

Contact form submissions

If you submit the contact form, your name, email address, and message are delivered to us by email through Resend, our email service provider. We do not store contact form submissions in a database; the message remains in our support inbox for as long as needed to handle your enquiry. Resend's privacy policy applies to the data they process in transit.

Bot protection

The contact form uses Cloudflare Turnstile for bot protection. Turnstile may process your IP address and browser characteristics. No personal data from Turnstile is stored by us. Cloudflare's privacy policy applies.

Analytics

We share limited usage data with third-party analytics providers to understand how the Service is used.

Data we do not collect

• We do not use advertising cookies or cross-site tracking.
• We do not sell, rent, or share personal data with third parties for marketing purposes.

3. Lawful Basis for Processing

We process personal data under the following lawful bases (GDPR Article 6):

• Consent — By signing in via OAuth, you consent to the collection of your account data.
• Legitimate interests — Session management and bot protection are necessary for the secure operation of the Service.
• Legitimate interests — Aggregate analytics help us understand product usage and improve the Service.
• Legitimate interests — When you submit the contact form, we process your message to respond to your enquiry; it is delivered to us by email via Resend.
• Performance of a contract — When you request a review or connect a repository, we process the relevant code and connection details to provide the review service you have requested.

4. How We Use Your Data

• To authenticate you and manage your session.
• To assign roles and permissions for access control.
• To display your name and profile image within the Service where appropriate.
• To clone and analyse the plugin source code you submit or connect, and to produce review reports.
• To store your review results and findings and make them available to you.
• To respond to messages submitted via the contact form.

5. Data Retention

• Account data is retained for as long as your account exists. You may request deletion at any time.
• Session data expires automatically after 7 days.
• Contact form data is delivered to our support inbox via Resend and retained there for as long as needed to handle your enquiry.
• Connected repositories and deploy keys are retained until you delete the connection or your account; deleting a connection deletes its deploy key.
• Working copies of source code cloned to run a review are deleted as soon as the review finishes.
• Review results and findings are retained while your account exists. Deleting a connected repository does not delete its past reviews; they remain in your review history.
• When you delete your account, your private reviews (repository and pre-release reviews) are permanently deleted.

6. Data Storage and Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse.

Deploy keys for private repositories are encrypted at rest and are used only to clone your repository to produce a review.

7. Your Rights

Under the EU GDPR, you have the following rights:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate data.
• Right to erasure — Request deletion of your account and associated data.
• Right to restrict processing — Request that we limit how we use your data.
• Right to data portability — Request your data in a structured, machine-readable format.
• Right to object — Object to processing based on legitimate interests.
• Right to withdraw consent — Withdraw consent at any time by deleting your account.

To exercise any of these rights, please contact us via the contact form. We will respond within 30 days.

8. International Transfers

When you sign in via GitHub, your authentication is processed by GitHub (Microsoft). Contact form submissions are delivered by email via Resend (a US-based provider). Bot protection is provided by Cloudflare. We may also share usage data with analytics providers. These services may process data outside the European Economic Area. Each provider maintains their own data protection agreements and safeguards for international transfers in accordance with GDPR Chapter V.

To produce a review, the source code being reviewed is processed by our third-party AI review provider, which is located in the United States. When you connect a repository, we connect to your Git hosting provider to clone its contents. These providers may process data outside the European Economic Area under their own safeguards in accordance with GDPR Chapter V.

9. Cookies

The Service uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. No cookie consent banner is required as the only cookies in use are strictly necessary for the Service to function.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Complaints

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the data protection supervisory authority in your EU member state.