Privacy Policy
Last updated June 22, 2026
The local tool is free and account-less
Coval's local tools — the CLI, the MCP server, and the VS Code extension — run entirely on your machine. They require no account, no sign-in, and no network connection to analyze your code. They store their analysis in a local SQLite database under your own workspace or profile directory. We never see that data, because it never leaves your computer.
Nothing in this policy applies to the local tools except this: they do not transmit your source code, your reports, or any telemetry to us. The only optional network call the local tool makes is to download an embedding model the first time you run it — and that is a one-way download from a model host, not an upload of your data.
When data reaches us: the hosted dashboard
This privacy policy governs the hosted Coval dashboard (this website). Data only reaches our servers when you explicitly create an account and push a report from the local tool using a personal API token. Pushing is always an explicit, opt-in action — there is no background sync.
What we store
When you create an account and push a report, we store the following, scoped to your account:
- Account identity. Your authentication identity is managed by our auth provider (Clerk). We keep a minimal profile row keyed to your user id, plus your current plan tier.
- Projects. A name and a repository identifier you choose, the project's visibility (private by default), and its latest health grade and score.
- Reports. The report payload itself — health grade and score, finding text, file paths and function names, and architecture metrics. Each report is one point in your project's health history.
- API tokens. Only a SHA-256 hash and a short prefix of each token, never the raw token. The raw token is shown to you exactly once at creation and is never stored.
For an exact, line-by-line breakdown of what is and is not contained in a pushed report, see What's in a report. In short: raw source code is never uploaded, and secret values are never included.
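To make the token-storage point above concrete, here is an added illustration of the pattern the policy describes (keep only a SHA-256 hash and a short display prefix, show the raw token once, verify by hashing what the client presents). This is example code written for this page, not Coval's implementation; the `cv_` label, the 8-character prefix length, the in-memory store and the row layout are all assumptions.

```python
"""Illustrative hashed API-token storage (added example, not Coval's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

PREFIX_LEN = 8  # assumed display-prefix length; the page only says "short"


def sha256_hex(raw: str) -> str:
    """Hash a raw token; this is the only form of it that ever reaches storage."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


@dataclass
class StoredToken:
    """What a server-side row holds: an id, a display prefix and a hash. No raw token."""
    token_id: str
    prefix: str
    token_sha256: str
    revoked: bool = False


@dataclass
class TokenStore:
    """In-memory stand-in for a tokens table (assumed schema, not Coval's)."""
    rows: dict[str, StoredToken] = field(default_factory=dict)  # keyed by hash

    def create(self, token_id: str) -> str:
        # 32 bytes from the OS CSPRNG; the 'cv_' label is an assumption.
        raw = "cv_" + secrets.token_urlsafe(32)
        digest = sha256_hex(raw)
        self.rows[digest] = StoredToken(token_id, raw[:PREFIX_LEN], digest)
        return raw  # shown to the user exactly once; the caller must not persist it

    def verify(self, presented: str) -> Optional[str]:
        """Return the token id for a valid, unrevoked token, otherwise None."""
        digest = sha256_hex(presented)
        for row in self.rows.values():
            # compare_digest avoids leaking which byte mismatched through timing
            if hmac.compare_digest(row.token_sha256, digest) and not row.revoked:
                return row.token_id
        return None

    def revoke(self, token_id: str) -> bool:
        """Mark a token revoked; it can no longer push. Returns False if unknown."""
        for row in self.rows.values():
            if row.token_id == token_id:
                row.revoked = True
                return True
        return False

    def contains_raw(self, raw: str) -> bool:
        """Audit helper: True if the raw token appears in any stored field."""
        return any(raw in row.prefix or raw in row.token_sha256
                   for row in self.rows.values())


if __name__ == "__main__":
    store = TokenStore()
    raw = store.create("tok-1")
    print("show once to user:", raw)
    print("stored row:", next(iter(store.rows.values())))
    print("verify raw:", store.verify(raw))          # tok-1
    print("verify prefix only:", store.verify(raw[:PREFIX_LEN]))  # None
    store.revoke("tok-1")
    print("verify after revoke:", store.verify(raw))  # None
```

The property worth checking in a real deployment is the one `contains_raw` checks: a dump of the tokens table (prefix plus hash) must not let anyone push, which is why `verify(prefix)` returns `None` and why a 256-bit random token is used rather than something a hash could be brute-forced from.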
What we do not do
- We do not upload or store your raw source code.
- We do not store secret values from your environment files.
- We do not sell or rent your data to anyone.
- We do not run advertising or third-party tracking on your reports.
- We do not collect telemetry from the local tools. Server-side, we keep only the operational logs needed to run and secure the service.
Retention
We keep your reports for as long as your account exists, subject to your plan's history window. On the Free plan, report history is retained and shown for 14 days; older reports are hidden from your dashboard and trend chart and may be pruned. On the Pro plan, history retention is unlimited. We retain data only as long as needed to provide the service or as required by law.
Deletion
You are in control of your stored data:
- Delete an individual report or project from your dashboard to remove its stored payload from our database.
- Revoke an API token at any time from the API tokens page; revoked tokens can no longer push.
- Request full account deletion by contacting us. We will delete your profile, projects, reports, and tokens. Authentication records held by our auth provider are removed when your account is deleted.
Service providers
We rely on a small number of processors to run the hosted service: an authentication and billing provider (Clerk), a managed database host (Supabase), and our application hosting platform. These providers process data on our behalf under their own terms and only to deliver the service.
Contact
Questions about this policy or a deletion request? Reach out and we will respond. See also our Terms of Service.