Privacy Policy

We collect information in several ways depending on how you interact with our Service.

1.1 Information You Provide Directly

Account Information: When you create an account, we collect your name, email address, company name (if applicable), and password.

Payment Information: If you subscribe to a paid plan, our payment processor (such as Stripe) collects your payment card information. We do not store full payment card numbers on our servers.

Communications: When you contact us for support, provide feedback, or communicate with us, we collect the content of your messages and any information you choose to provide.

Profile Information: Any additional information you add to your account profile, such as job title, team name, or preferences.

1.2 Information Collected Automatically

Usage Data: We automatically collect information about how you interact with the Service, including:

• Features you use and actions you take
• Timestamps and frequency of use
• Error logs and performance data
• Device type, operating system, and browser type
• IP address and general location (city/country level)

Telemetry Data: With your consent (or as enabled by default, subject to your settings), we may collect anonymized telemetry data about Service performance, including latency metrics, detection patterns triggered (without the actual code content), and feature usage patterns.

1.3 Information from Third Parties

Authentication Providers: If you sign up or log in using a third-party service (such as GitHub or Google), we receive your name, email address, and profile information from that service.

Employers: If your employer provides you access to the Service through an enterprise plan, your employer may provide us with your name and email address.

2.1 Aegis Shield (Tokenization)

Your secrets never leave your machine. Aegis Shield tokenizes sensitive data (API keys, credentials, connection strings, passwords) locally on your machine or infrastructure before any code is sent to external AI services.

• Tokenization occurs client-side
• Only tokenized code (with placeholders replacing sensitive values) is transmitted
• Your actual secret values are never sent to Takumo servers or third-party AI providers
• Rehydration (replacing tokens with original values) also occurs locally

2.2 Sentinel (Code Validation)

Sentinel validates AI-generated code for security vulnerabilities, license violations, and compliance issues.

• Code snippets may be processed in real-time to provide validation results
• We do not store your source code beyond what is necessary for real-time processing
• After validation is complete, code snippets are deleted from memory

2.3 Sentinel Brain (Learning Engine)

Sentinel Brain learns patterns from your codebase to provide company-specific suggestions.

Cloud Deployment:

• Repository analysis occurs in isolated, encrypted environments
• We store pattern metadata and learned rules, not your actual source code
• Embeddings (numerical representations) may be stored; source code cannot be reconstructed from embeddings

On-Premise Deployment:

• All processing occurs within your infrastructure
• No code or patterns are transmitted to Takumo servers

2.4 Takumo Cloud (Dashboard)

Takumo Cloud stores:

• Audit logs (what was tokenized, what was flagged, when, by whom)
• Policy configurations
• Aggregated statistics and reports
• User account information

Takumo Cloud does not store:

• Your actual source code
• Secret values (API keys, passwords, credentials)
• Complete code files

2.5 Zero Data Retention Mode

For Enterprise and Teams plans, Zero Data Retention (ZDR) mode is enabled by default:

• Code inputs and outputs are processed in real-time only
• No code data is stored at rest
• Dedicated infrastructure ensures separation from non-ZDR processing

Individual and Pro users can enable ZDR mode in their account settings.

We use the information we collect to:

3.1 Provide and Operate the Service

• Create and manage your account
• Process transactions and send related information
• Deliver the features and functionality you request
• Provide customer support and respond to inquiries

3.2 Improve and Develop the Service

• Understand how users interact with the Service
• Identify and fix bugs, errors, and performance issues
• Develop new features and improvements
• Conduct research and analysis

3.3 Communicate with You

• Send service-related notices (updates, security alerts, support messages)
• Send marketing communications (with your consent, where required)
• Respond to your comments, questions, and requests

3.4 Security and Compliance

• Detect, prevent, and address fraud, abuse, and security issues
• Enforce our Terms of Use and other policies
• Comply with legal obligations

3.5 Aggregated and Anonymized Data

We may create aggregated, anonymized, or de-identified data from your information. This data cannot identify you and may be used for any purpose, including research, analytics, and improving the Service.

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers

We share information with third-party vendors who perform services on our behalf, such as:

• Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform
• Payment Processing: Stripe
• Analytics: (anonymized usage data only)
• Customer Support: Help desk and ticketing systems
• Email Communications: Transactional email providers

All service providers are bound by contractual obligations to protect your data and use it only for the purposes we specify.

4.2 Third-Party AI Providers

When you use features that involve external AI services (such as code generation through ChatGPT, Claude, Copilot, etc.):

• Only tokenized code (with secrets replaced by placeholders) is sent to these providers
• We have data processing agreements with our AI provider partners
• These providers are contractually prohibited from using your data for training their models (for Enterprise and ZDR-enabled accounts)

4.3 Enterprise Administrators

If you access the Service through an employer or organization:

• Your organization’s administrators may access usage reports and activity logs
• Your organization may have additional policies governing your use of the Service
• Your organization controls data retention settings for your team

4.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government requests). We will notify you of such requests unless prohibited by law.

4.5 Business Transfers

If Takumo is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

4.6 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

5.1 Account Data

We retain your account information for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, except as required for legal, accounting, or compliance purposes.

5.2 Code and Processing Data

• Real-time processing data: Deleted immediately after processing is complete
• Audit logs: Retained according to your plan settings (default: 90 days for Pro, 1 year for Teams, configurable for Enterprise)
• Aggregated statistics: May be retained indefinitely in anonymized form

5.3 Communications

We may retain communications and support tickets for quality assurance and to improve our services.

We implement industry-standard security measures to protect your information:

6.1 Technical Safeguards

• Encryption in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.3
• Encryption at Rest: Data stored on our servers is encrypted using AES-256
• Access Controls: Strict role-based access controls limit who can access your data
• Infrastructure Security: We use SOC 2 Type II compliant infrastructure providers

6.2 Organizational Safeguards

• Security awareness training for all employees
• Background checks for employees with access to sensitive systems
• Incident response procedures and breach notification protocols
• Regular security audits and penetration testing

6.3 Compliance

We are pursuing SOC 2 Type II certification and comply with applicable data protection laws, including GDPR and CCPA.

7.1 Account Settings

You can access, update, or delete your account information through your account settings at any time.

7.2 Communication Preferences

You can opt out of marketing communications by clicking “unsubscribe” in any marketing email or updating your preferences in your account settings. You cannot opt out of service-related communications (such as security alerts or billing notices).

7.3 Data Portability

You can request an export of your data by contacting us at privacy@takumo.io. We will provide your data in a commonly used, machine-readable format.

7.4 Data Deletion

You can request deletion of your personal information by:

• Deleting your account through account settings
• Contacting us at privacy@takumo.io

Upon deletion, we will remove your personal information within 30 days, except as required for legal or compliance purposes.

7.5 Privacy Mode / Zero Data Retention

You can enable Privacy Mode or Zero Data Retention in your account settings to ensure that your code is not stored beyond real-time processing.

Takumo is based in the United States, and your information may be processed and stored in the United States or other countries where our service providers operate.

If you are located outside the United States, please be aware that information you provide to us may be transferred to, stored, and processed in the United States or other countries. These countries may have data protection laws that are different from the laws of your country.

8.1 European Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases for processing your personal information:

• Contract: Processing necessary to perform our contract with you (providing the Service)
• Legitimate Interests: Processing for our legitimate business interests (improving the Service, security)
• Consent: Processing based on your consent (marketing communications)
• Legal Obligation: Processing required to comply with applicable laws

For transfers of personal data outside the EEA, we use Standard Contractual Clauses approved by the European Commission or other appropriate safeguards.

8.2 Data Protection Officer

For privacy-related inquiries from European users, contact our Data Protection Officer at dpo@takumo.io.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

9.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you, as well as the purposes for collection and categories of third parties with whom we share it.

9.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

9.3 Right to Opt-Out

You have the right to opt out of the “sale” of your personal information. We do not sell your personal information.

9.4 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

9.5 Exercising Your Rights

To exercise your CCPA rights, contact us at privacy@takumo.io or submit a request through your account settings. We will verify your identity before fulfilling your request.

9.6 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require verification of the agent’s authority.

The Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.

If you believe we have collected information from a child under 18, please contact us at privacy@takumo.io.

The Service may contain links to third-party websites or integrate with third-party services (such as GitHub, IDEs, or AI providers). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you use.

12.1 Cookies We Use

We use cookies and similar technologies to:

• Essential Cookies: Enable core functionality (authentication, security)
• Analytics Cookies: Understand how you use the Service (anonymized)
• Preference Cookies: Remember your settings and preferences

12.2 Your Choices

Most web browsers allow you to control cookies through their settings. However, disabling cookies may affect your ability to use certain features of the Service.

12.3 Do Not Track

We do not currently respond to “Do Not Track” signals. If a standard for online tracking is adopted that we must follow, we will update this Privacy Policy accordingly.

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the “Last updated” date
• Sending you an email notification (for material changes)

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

If you have any questions about this Privacy Policy or our data practices, please contact us:

For your convenience, here is a summary of the most important points: