Privacy Policy

Decoder is a personal open-source case study. This page summarizes what data is processed, why, and how to exercise your rights.

What we process

Decoder processes only what is needed to deliver the demo:

  • Account: email, display name, language preference.
  • Uploaded ZIPs / imported repository files (private bucket, RLS-scoped).
  • AI-generated explanations and suggested comments you produce.
  • Encrypted BYOK API keys (AES-256-GCM) and a short key hint; provider configuration.
  • Local AI endpoint configuration (URL and default model).
  • Acknowledgement records (language, IP address, user agent, timestamp).
  • Operational logs from the hosting platform may include IP address, user agent and request metadata.

Data controller

The project is operated by the individual maintainer as a private individual, not a company. Contact: open a GitHub issue or a private Security Advisory on the repository.

Purposes

Provide the demo features (storage, BYOK forwarding, AI explanations), prevent abuse, and keep an audit trail of consent.

Legal basis (EU GDPR)

Performance of the service you request (Art. 6(1)(b)) and legitimate interest in operating a safe public demo (Art. 6(1)(f)).

Retention

Account, files, explanations, credentials and endpoints are retained until you delete them or the demo is decommissioned. Acknowledgement records and operational logs may be retained for up to 12 months as a consent / abuse-prevention audit trail.

Your rights

Access, rectification, erasure (full account or per item: project, repository, explanation, API key), portability (JSON export), restriction, objection. Exercise these rights from Settings → Account, or via GitHub if Settings is unreachable.

Third parties

Hosting and database: managed cloud infrastructure (Supabase). Cloud AI providers you choose (OpenAI, Anthropic, Google Gemini, OpenRouter) receive your selected code and prompts under their own terms, using the API key you configure (BYOK). Local providers (Ollama / LM Studio) run on your machine — no AI provider transfer for inference, but uploaded files still live in server storage.

Minors

This demo is not directed at persons under 16. Do not create an account if you are below that age.

Security

BYOK keys are encrypted at rest with AES-256-GCM. The credentials table has no SELECT policy. Every user-data table uses Row-Level Security scoped to auth.uid(). The service-role key is never bundled into client code.

Disclaimer

Decoder is provided as-is, with no warranty. It is not a certified security audit, legal/compliance advice, or production decision system.

Decoder is an open-source educational code-understanding case study. It is not a certified security audit tool, legal/compliance tool, or production decision system. AI-generated outputs may be inaccurate and must be reviewed by a qualified person.