Privacy Policy
Effective Date: March 11, 2026 | Last Updated: March 11, 2026
Joeyapp S.L., trading as Itera ("Itera," "we," "us," or "our"), is committed to protecting the privacy of individuals who visit our website at iteradev.ai (the "Website") and use the Itera platform (the "Service").
Joeyapp S.L.
Trading as: Itera
Ganduxer 18, 5-1, 08021 Barcelona, Spain
Tax Number: B70807300
Email: privacy@iteradev.ai
1. Data We Collect
1.1 Account Information
When you create an account, we collect your name, email address, company name, and role. If you sign up via a third-party identity provider (e.g., Google, GitHub), we receive basic profile information from that provider.
1.2 Customer Code and Product Data
To provide the Service, Itera connects to your company's GitHub repository. We access and process source code, component libraries, and related codebase content strictly to generate, render, and manage proposed product changes.
We do not store copies of your full repository. We access files on demand as needed to process a given change.
1.3 Usage Data
We collect information about how you use the Service, including features used, changes proposed, session duration, and interaction patterns. This data is used to improve the Service and provide support.
1.4 Technical Data
We automatically collect technical data such as IP address, browser type, operating system, device information, and server logs. This data is processed by our infrastructure and observability tools to ensure the Service operates correctly.
2. How We Use Your Data
2.1 Purposes
Providing the Service: Processing your codebase content through AI to generate proposed changes, rendering live previews, and managing the review and approval workflow.
Account management: Creating and maintaining your account, authenticating access, and managing permissions within your organization's workspace.
Service improvement: Analysing usage patterns to improve product functionality, reliability, and performance. We may use aggregated, anonymized usage data for this purpose.
Security and integrity: Detecting and preventing fraud, abuse, and security incidents.
Communications: Sending service-related notifications (e.g., review requests, deployment status). We will not send marketing communications without your separate consent.
Legal compliance: Meeting our obligations under applicable law, including GDPR.
2.2 Legal Bases (GDPR Art. 6)
Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you have contracted for.
Legitimate interest (Art. 6(1)(f)): Service improvement, security, and fraud prevention.
Consent (Art. 6(1)(a)): Where required, such as for optional marketing communications.
Legal obligation (Art. 6(1)(c)): Where processing is required by law.
3. AI Processing and Third-Party Model Providers
3.1 How AI Processing Works
Itera uses third-party AI model providers to generate code changes from natural language descriptions. When you describe a change, relevant portions of your codebase context and your instructions are sent to the following provider:
3.2 OpenAI
We use OpenAI's API under their enterprise data usage policy. Under this policy, data submitted through the API is not used to train or improve OpenAI's models. OpenAI may retain API inputs and outputs for up to 30 days for abuse monitoring purposes, after which they are deleted.
We send only the minimum codebase context necessary to generate the requested change. We do not send your entire repository. Prompts are constructed to include only the files and components relevant to the specific modification being requested.
4. Data Sharing and Sub-processors
4.1 Sub-processors
We share personal data and customer data only with the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure and hosting (eu-central-1, Frankfurt) | EU (Germany) |
| OpenAI | AI code generation | United States |
| Datadog | Backend observability, logging, and monitoring | EU / United States |
| GitHub | Source code integration (customer's own repository) | United States |
4.2 No Sale of Data
We require all sub-processors to process data in accordance with our instructions and applicable data protection law. We maintain data processing agreements with each sub-processor.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
We may disclose data where required by law, regulation, or court order.
5. International Data Transfers
5.1 Transfer Mechanisms
Your data is primarily processed within the European Union (AWS eu-central-1, Frankfurt, Germany).
Where data is transferred to sub-processors located outside the EU/EEA (specifically OpenAI, Datadog, and GitHub, which operate in the United States), we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other approved transfer mechanisms under GDPR Chapter V.
6. Data Retention
6.1 Retention Periods
Account data is retained for the duration of your active account and for 30 days after account closure or contract termination.
Customer code and codebase content is not stored persistently. Codebase files are accessed on demand via the GitHub integration and cached transiently during active sessions. Upon contract termination, all cached data and any stored artifacts (branches, preview environments) are deleted within 30 days, or sooner upon written request.
Usage and technical data is retained for up to 12 months for service improvement and security purposes, then deleted or anonymized.
Data sent to OpenAI via their API may be retained by OpenAI for up to 30 days for abuse monitoring, per their data usage policy.
7. Data Security
7.1 Security Measures
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls based on the principle of least privilege, regular security assessments, and logging and monitoring of infrastructure access.
We are committed to obtaining SOC 2 Type II certification and will update this section as our security program matures.
8. Your Rights
8.1 Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data: the right to access and request a copy of the personal data we hold about you; the right to rectification of inaccurate or incomplete data; the right to erasure of your personal data, subject to legal retention requirements; the right to restrict processing of your data in certain circumstances; the right to data portability, receiving your data in a structured, commonly used, machine-readable format; the right to object to processing based on legitimate interest; and the right to withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at privacy@iteradev.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) or another competent supervisory authority.
9. Children's Privacy
9.1 Age Restriction
The Service is designed for business use and is not directed at individuals under 16. We do not knowingly collect personal data from children.
10. Changes to This Policy
10.1 Updates
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email to account holders. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
11. Contact
11.1 Contact Information
For questions about this Privacy Policy or our data practices, contact Joeyapp S.L. (trading as Itera) at Ganduxer 18, 5-1, 08021 Barcelona, Spain. Email: privacy@iteradev.ai.