Privacy Policy

Effective Date: January 28, 2026 Last Updated: March 21, 2026

1. Introduction

Welcome to CodeSalvage ("we," "us," "our," or "the Platform"), operated by Hanamori Labs, LLC, a Delaware limited liability company located at 1111b South Governors Avenue, Dover, DE 19904, United States. We are committed to protecting your privacy and handling your personal information responsibly.

This Privacy Policy explains:

  • What information we collect
  • How we use your information
  • How we share your information
  • Your privacy rights
  • How we protect your information

By using CodeSalvage, you agree to the collection and use of information in accordance with this Privacy Policy.

Platform Description: CodeSalvage is an online marketplace connecting sellers of unfinished code projects with buyers seeking starter code for development projects.

2. Information We Collect

2.1 Information You Provide Directly

Account Information (via GitHub OAuth):
  • GitHub username
  • GitHub user ID
  • Email address (from GitHub)
  • Full name (from GitHub profile)
  • Profile avatar (from GitHub)
  • GitHub repository information (when linking projects)
Profile Information (optional):
  • Bio/description
  • Location
  • Website URL
  • Custom avatar (if you replace GitHub avatar)
Project Listings (sellers only):
  • Project title and description
  • Tech stack and frameworks used
  • Known issues
  • Documentation URLs
  • Demo URLs
  • GitHub repository URLs
  • Screenshots and demo videos
  • Pricing information
Payment Information (via Stripe):
  • Bank account details (sellers only, stored by Stripe)
  • Payment method information (buyers, stored by Stripe)
  • Billing address
  • Tax identification information (sellers only)
Transaction Information:
  • Purchase history
  • Payout history (sellers)
  • Refund requests
  • Dispute information
Communications:
  • Messages sent via Platform messaging system
  • Email correspondence with support
  • Review content and ratings

2.2 Information Collected Automatically

Usage Information:
  • Pages visited
  • Features used
  • Search queries
  • Time spent on pages
  • Click patterns
  • Session duration
Device Information:
  • IP address
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Referring URL
Cookies and Tracking Technologies:
  • Session cookies (required for login)
  • Analytics cookies (optional, can be disabled)
  • Preference cookies (optional, remember settings)
  • See our Cookie Policy for details
Error and Performance Data (via Honeybadger):
  • Error messages and stack traces
  • Performance metrics (page load times)
  • Browser console errors
  • API response times

2.3 Information from Third Parties

GitHub OAuth:
  • Public profile information
  • Email address
  • Repository information (when you link projects)
Stripe:
  • Payment verification status
  • Payout eligibility
  • Identity verification results
  • Transaction status
Cloudflare R2:
  • File upload metadata (timestamps, file sizes)

3. How We Use Your Information

3.1 To Provide and Improve Our Services

  • Create and manage your account
  • Process transactions and payments
  • Facilitate communication between buyers and sellers
  • Deliver code files and project access
  • Manage escrow periods (7-day buyer protection)
  • Handle disputes and refunds
  • Provide customer support
  • Improve Platform functionality
  • Develop new features

3.2 For Security and Fraud Prevention

  • Verify user identity (via GitHub OAuth and Stripe)
  • Detect and prevent fraudulent transactions
  • Monitor for suspicious activity
  • Enforce our Terms of Service
  • Protect intellectual property rights
  • Comply with legal obligations

3.3 For Communication

  • Send transaction confirmations
  • Notify you of escrow releases
  • Send review reminders
  • Respond to support inquiries
  • Send security alerts (e.g., new device login)
  • Send marketing emails (optional, can unsubscribe)

3.4 For Analytics and Research

  • Understand how users interact with the Platform
  • Analyze search patterns to improve results
  • Measure feature usage
  • Identify performance issues
  • Conduct A/B testing
  • Generate anonymized usage statistics

3.5 Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to legal requests (subpoenas, court orders)
  • Enforce our Terms of Service
  • Protect rights, property, and safety
  • Prevent illegal activities

4. How We Share Your Information

4.1 Publicly Visible Information

The following information is publicly visible to all Platform users:

Seller Profiles:
  • Username
  • Full name (if provided)
  • Avatar
  • Bio
  • Project listings
  • Reviews and ratings received
  • Seller analytics (total sales, average rating)
Project Listings:
  • All project information (title, description, tech stack, etc.)
  • Screenshots and demo videos
  • Seller information
Reviews:
  • Review text, ratings
  • Reviewer username (unless marked anonymous)
  • Review date

4.2 Shared with Transaction Counterparties

Buyers can see:
  • Seller username, avatar, and profile
  • Seller contact information (via Platform messaging)
Sellers can see:
  • Buyer username, avatar
  • Buyer contact information (via Platform messaging)

4.3 Shared with Service Providers

We share information with third-party services that help operate the Platform:

Stripe (payment processing):
  • Transaction details
  • Payment method information
  • Seller payout information
  • Identity verification data
  • Privacy Policy: https://stripe.com/privacy
GitHub (authentication):
  • Email address (for account matching)
  • User ID (for authentication)
  • Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
Cloudflare R2 (file storage):
  • Uploaded files (code zips, images, videos)
  • File metadata (timestamps, sizes)
  • Privacy Policy: https://www.cloudflare.com/privacypolicy/
SendGrid (email delivery):
  • Email addresses
  • Email content (transaction confirmations, notifications)
  • Privacy Policy: https://www.twilio.com/legal/privacy
Honeybadger (error monitoring):
  • Error logs and stack traces
  • Performance metrics
  • User ID (for error context, not personally identifiable)
  • Privacy Policy: https://www.honeybadger.io/privacy/
Railway (hosting):
  • Server logs
  • Application data
  • Privacy Policy: https://railway.app/legal/privacy
Redis Cloud (caching):
  • Cached data (search results, user profiles)
  • Rate limiting data (IP addresses, request counts)
  • Privacy Policy: https://redis.io/legal/privacy-policy/

4.4 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders or subpoenas
  • Government investigations
  • Legal proceedings
  • Protection of our rights or property
  • Prevention of illegal activities

4.5 Business Transfers

If CodeSalvage is acquired, merged, or sold, your information may be transferred to the new owner. You will be notified of any such change via email.

4.6 With Your Consent

We may share your information with other third parties if you explicitly consent.

5. Data Retention

5.1 Active Accounts

We retain your information as long as your account is active.

5.2 Closed Accounts

After account closure:
  • Public information (project listings, reviews) may remain visible (anonymized)
  • Transaction records retained for 7 years (legal/tax requirements)
  • Payment information deleted immediately (stored by Stripe only)
  • Personal identifiers (email, name) deleted after 30 days

5.3 Legal Retention

Some information must be retained longer for legal compliance:

  • Transaction records: 7 years (IRS requirements)
  • Dispute records: 7 years (legal defense)
  • Tax documents: 7 years (US tax law)

5.4 Backups

Deleted data may persist in backups for up to 90 days.

6. Your Privacy Rights

6.1 Access and Correction

You have the right to:
  • View your personal information
  • Update your profile information
  • Correct inaccurate data
How to exercise: Log in to your account → Settings → Profile

6.2 Data Portability

You have the right to:
  • Download your data in machine-readable format (JSON)
  • Includes: profile info, project listings, transactions, messages
How to exercise: Settings → Privacy → Download My Data

6.3 Deletion

You have the right to:
  • Delete your account and personal information
How to exercise: Settings → Account → Delete Account Limitations:
  • Transaction records retained for legal compliance (7 years)
  • Public content (reviews) may be anonymized but not deleted

6.4 Marketing Opt-Out

You have the right to:
  • Unsubscribe from marketing emails
  • Opt out of analytics cookies
How to exercise:
  • Email: Click "Unsubscribe" link in any marketing email
  • Cookies: Settings → Privacy → Cookie Preferences

6.5 Do Not Track

We currently do not respond to "Do Not Track" browser signals.

7. International Users and GDPR Compliance

7.1 Data Transfer

CodeSalvage is operated by Hanamori Labs, LLC, based in Delaware, United States. By using the Platform, you consent to the transfer of your information to the United States, which may have different data protection laws than your country.

7.2 GDPR Rights (EU Users)

If you are located in the European Union, you have additional rights under GDPR:

Right to Access: Request a copy of your personal data Right to Rectification: Correct inaccurate personal data Right to Erasure: Request deletion of your personal data ("right to be forgotten") Right to Restrict Processing: Request limitation on how we use your data Right to Data Portability: Receive your data in a structured, machine-readable format Right to Object: Object to processing based on legitimate interests Right to Withdraw Consent: Withdraw consent for data processing Right to Lodge a Complaint: File a complaint with your local data protection authority How to exercise GDPR rights: Email [email protected] Response time: We will respond within 30 days of your request.

7.3 Legal Basis for Processing (GDPR)

We process your personal data based on:

Consent: You provided explicit consent (e.g., marketing emails) Contract Performance: Necessary to provide Platform services (account creation, transactions) Legal Obligation: Required by law (tax reporting, fraud prevention) Legitimate Interests: Improve Platform, prevent fraud, ensure security

8. Children's Privacy

CodeSalvage is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

If we discover that a user is under 18, we will:

  • Delete their account immediately
  • Delete all associated personal information
  • Notify the user (via email if available)

If you believe a user is under 18, please report it to [email protected].

9. Data Security

9.1 Security Measures

We implement industry-standard security measures:

Technical Safeguards:
  • HTTPS encryption for all communications
  • Encrypted storage of sensitive data (at rest)
  • Regular security audits
  • Intrusion detection systems
  • Automated vulnerability scanning
Administrative Safeguards:
  • Access controls (role-based permissions)
  • Employee background checks
  • Security training for employees
  • Incident response procedures
Physical Safeguards:
  • Data centers with physical security (Railway, Stripe)
  • Redundant systems and backups
  • Disaster recovery procedures

9.2 Payment Security

Stripe PCI Compliance:
  • We do not store credit card numbers or bank account details
  • All payment information stored by Stripe (PCI DSS Level 1 compliant)
  • Tokenized payment methods only

9.3 Code File Security

Cloudflare R2:
  • Private buckets (not publicly accessible)
  • Pre-signed URLs with expiration (7 days)
  • Encryption at rest
  • Access logging

9.4 Limitations

No system is 100% secure. While we implement strong security measures, we cannot guarantee absolute security. You are responsible for:
  • Keeping your password secure
  • Logging out of shared devices
  • Monitoring your account for suspicious activity

10. Cookies and Tracking Technologies

10.1 Types of Cookies

Essential Cookies (required):
  • Session management (login)
  • Security tokens (CSRF protection)
  • Load balancing
Analytics Cookies (optional):
  • Google Analytics (traffic analysis)
  • Cloudflare Analytics (performance monitoring)
Preference Cookies (optional):
  • Language preferences
  • Theme selection (dark/light mode)
  • Notification settings

10.2 Third-Party Cookies

Google Analytics:
  • Tracks page views, user behavior
  • Privacy Policy: https://policies.google.com/privacy
  • Opt-out: https://tools.google.com/dlpage/gaoptout

10.3 Cookie Management

Control cookies via:
  • Settings → Privacy → Cookie Preferences
  • Browser settings (block all cookies or specific domains)
Limitations: Disabling essential cookies will prevent you from logging in. Learn more: See our Cookie Policy

11. Your Choices

11.1 Account Settings

Control what information is public:
  • Settings → Profile → Privacy

- Show email publicly (default: hidden)

- Show transaction count (default: visible)

- Allow buyers to contact via Platform messaging (default: enabled)

11.2 Communication Preferences

Control what emails you receive:
  • Settings → Notifications

- Transaction confirmations (required)

- Security alerts (required)

- Review reminders (optional)

- Product updates (optional)

- Marketing emails (optional)

11.3 Data Sharing

Opt out of analytics:
  • Settings → Privacy → Analytics

- Google Analytics (default: enabled)

- Honeybadger error reporting (default: enabled for production)

12. California Privacy Rights (CCPA)

12.1 CCPA Rights

If you are a California resident, you have the right to:

Right to Know: Request disclosure of personal information collected Right to Delete: Request deletion of personal information Right to Opt-Out: Opt out of sale of personal information (we do not sell your information) Right to Non-Discrimination: Not be discriminated against for exercising your rights

12.2 Categories of Personal Information Collected

  • Identifiers: Name, email, username, IP address
  • Financial Information: Payment method, bank account (via Stripe)
  • Commercial Information: Purchase history, project listings
  • Internet Activity: Browsing history, search queries
  • Geolocation: IP-based location (city/country level)

12.3 How to Exercise CCPA Rights

Email: [email protected] Subject: "CCPA Request - [Your Name]" Include:
  • Full name
  • Email address
  • Specific request (access, deletion, etc.)
Verification: We may ask for additional information to verify your identity. Response time: We will respond within 45 days.

13. Changes to This Privacy Policy

13.1 Notification of Changes

We may update this Privacy Policy from time to time. Changes will be effective:

  • Immediately for new users
  • 30 days after notice for existing users

13.2 How We Notify You

We will notify you of material changes via:

  • Email to your registered address
  • Notice on the Platform homepage
  • In-app notification

13.3 Continued Use

Continued use of the Platform after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights:

Hanamori Labs, LLC (operating as CodeSalvage) Address: 1111b South Governors Avenue, Dover, DE 19904, United States Phone: +1 (484) 291-8909 Email: [email protected] Subject: "Privacy Inquiry - [Your Name]" Response time: We aim to respond within 5 business days.

For general support inquiries, contact: [email protected]

15. Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer:

Email: [email protected]

16. Supervisory Authority

EU users have the right to lodge a complaint with their local data protection authority if they believe their data protection rights have been violated.

Find your authority: https://edpb.europa.eu/about-edpb/board/members_en

17. Additional Disclosures

17.1 Analytics and Tracking

Google Analytics:
  • We use Google Analytics to understand user behavior
  • Data collected: page views, session duration, device type
  • Opt-out: https://tools.google.com/dlpage/gaoptout
Honeybadger Error Monitoring:
  • We use Honeybadger to monitor application errors
  • Data collected: error messages, stack traces, user ID (not personally identifiable)
  • Purpose: Improve Platform stability and fix bugs

17.2 Social Media

GitHub OAuth:
  • We use GitHub for authentication only
  • We do not post to your GitHub account
  • We do not access private repositories without permission

17.3 Sensitive Personal Information

We do not collect sensitive personal information such as:

  • Social Security numbers (except tax ID for sellers, stored securely)
  • Health information
  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Genetic or biometric data

18. International Data Transfers

18.1 Standard Contractual Clauses

For data transfers from the EU to the US, we use Standard Contractual Clauses (SCCs) approved by the European Commission.

18.2 Privacy Shield

We are not currently certified under the EU-US Privacy Shield framework (program discontinued in 2020).

19. Automated Decision-Making

19.1 Automated Decisions

We do not use fully automated decision-making that produces legal effects or significantly affects you.

19.2 Profiling

We may use profiling for:

  • Fraud detection (flagging suspicious transactions)
  • Recommendation algorithms (suggesting projects based on browsing history)
You have the right to:
  • Object to profiling
  • Request human review of automated decisions

20. Third-Party Links

The Platform may contain links to third-party websites (e.g., GitHub repositories, demo URLs). We are not responsible for the privacy practices of these websites. Please review their privacy policies before providing personal information.

21. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Investigate the breach within 72 hours
  • Notify affected users via email within 72 hours
  • Report to authorities as required by law (GDPR, CCPA)
  • Take corrective action to prevent future breaches

22. Employee and Contractor Access

22.1 Access Controls

Only authorized employees and contractors have access to personal information, and only to the extent necessary for their job functions.

22.2 Confidentiality Agreements

All employees and contractors sign confidentiality agreements and receive privacy training.

23. Glossary

Personal Information: Information that identifies or can identify an individual (name, email, IP address) Sensitive Personal Information: Categories requiring extra protection (SSN, health data, financial data) Controller: Entity that determines purposes and means of processing personal data (Hanamori Labs, LLC, operating as CodeSalvage) Processor: Entity that processes personal data on behalf of the controller (Stripe, SendGrid, etc.) GDPR: General Data Protection Regulation (EU data protection law) CCPA: California Consumer Privacy Act (California data protection law) PII: Personally Identifiable Information

24. Acknowledgment

BY USING THE PLATFORM, YOU ACKNOWLEDGE THAT:

  • You have read and understood this Privacy Policy
  • You consent to the collection, use, and sharing of your information as described
  • You are at least 18 years old
  • You understand your privacy rights and how to exercise them
Last Updated: March 21, 2026 Effective Date: January 28, 2026

© 2026 Hanamori Labs, LLC. All rights reserved.