Privacy Policy

Last updated: April 9, 2026

CHKDSK Labs (“we,” “us,” or “our”) operates a suite of software products and services. This Privacy Policy is an umbrella document that applies to all products and services operated by CHKDSK Labs, including websites, web applications, browser extensions, and open-source tools. Individual products that collect additional personal data beyond what is described here publish supplemental product-specific policies — see Section 11 for links.

1. Personal Information We Handle

For the purposes of this policy, “personal information” (or “PII”) means any data that identifies or can be used to identify an individual, directly or indirectly. This includes but is not limited to: names, email addresses, payment processor identifiers (e.g. Stripe customer IDs), device identifiers, and browser analytics data that can be combined to form a fingerprint.

2. Information We Collect

Automatically Collected Data

  • Analytics — page views, referrer, browser type, and approximate geographic region. Collection method varies by product (Vercel Analytics is cookieless; PostHog requires consent).
  • Server logs — IP addresses, request paths, HTTP status codes, and response times retained for up to 30 days for security and reliability monitoring
  • Error and performance data — error reports and performance traces via Sentry where configured. No PII is included in error reports.

Third Party Account Data

When you create an account or sign in via a third-party provider (e.g. GitHub OAuth), we receive and store account identifiers such as user ID, username, display name, and avatar URL. The specific data depends on the authentication provider.

Account Data

When you create an account or sign in via a login form (email/password), we collect and store only the information you supply, such as your email address and a hashed version of your password. We do not collect or store any personal information unless explicitly provided by you during account creation or profile setup. We do not require the provision of personal information to utilize our product, but certain features may be inaccessible without an account. For products that allow anonymous usage, we do not associate any collected data with a persistent identifier. For products that require an account, we associate collected data with a unique account identifier, but we do not require or collect any additional personal information beyond what you choose to provide.

User-Generated Content

Some products allow you to create, post, and share content with other users. This includes text entries, reactions, follows, and profile information you choose to provide. We collect and store this content as part of your account data. We do not require you to provide any personal information to create or share content, but any content you create may be visible to other users and may be associated with your account identifier. We recommend not including sensitive personal information in user-generated content, as it may be visible to others and is not protected by any special privacy controls. In addition, by providing any user-generated content, you expressly consent to the moderation of that content by CHKDSK Labs LLC. Moderation may include automated analysis using AI models, manual review by our team, and removal of content that violates our community guidelines or terms of service. By posting user-generated content, you agree to hold harmless CHKDSK Labs LLC and its affiliates from any claims arising out of or related to that content, including but not limited to claims of defamation, invasion of privacy, or intellectual property infringement. You are solely responsible for the content you create and share on our platforms.

Support Tickets

When you submit a support request, we collect your name, email address, the subject and body of your message, and any attachments you choose to include. This information is used solely to respond to and resolve your inquiry. We do not use support ticket data for any purpose other than providing support. We do not share support ticket data with any third parties, and we do not use it for advertising or analytics.

Payment Data

All payment processing is handled by Stripe. We store only opaque Stripe identifiers (customer ID, subscription ID) and subscription status. We never receive, process, or store credit card numbers or banking details. Any amounts paid via buymeacoffee.com are processed by Buy Me a Coffee and are subject to their privacy policy. We do not receive any personal information from Buy Me a Coffee transactions beyond what you choose to share in your support ticket or account profile.

Local Device Storage

Some products store configuration and session data locally on your device using browser extension storage or localStorage. This data is not transmitted to our servers unless explicitly required for functionality (e.g. license verification). By utilizing products of ours that store data locally, you acknowledge and consent to the storage of such data on your device, and you understand that this data's security is your responsibility. You also agree to hold harmless CHKDSK Labs LLC and its affiliates from any claims arising out of or related to local data storage, including but not limited to claims of data loss, unauthorized access, or privacy breaches resulting from that storage.

AI Interaction Data

Products that offer AI-powered features send limited metadata to AI model providers via the Vercel AI Gateway. All providers operate under a Zero Data Retention (ZDR) policy — your data is not stored, logged, or used for model training. See Section 5 for details.

Cookie Preferences

Your cookie consent choice is stored in browser local storage. No preference data is transmitted to our servers. See our Cookie Policy for full details.

3. How We Use Your Information

  • Service operation — serving pages, maintaining uptime, and diagnosing errors
  • Authentication and access — securely identifying you and maintaining your session
  • Support — responding to inquiries and resolving issues you report
  • Billing — managing subscriptions and processing payments via Stripe
  • Analytics — understanding aggregate traffic patterns to improve our products
  • AI features — generating opt-in insights and automated moderation using ZDR models
  • Content moderation — detecting and preventing abuse on platforms with user-generated content
  • Security — detecting and preventing abuse, unauthorized access, and attacks
  • Legal compliance — meeting our obligations under applicable law

We do not use your data for advertising, sell it to third parties, or share it for any purpose beyond what is described in this policy.

CHKDSK Labs LLC does not provide any data or information to law enforcement agencies, government entities, or any other third parties, except as required by law.

4. Cookies and Tracking

Our web-based products use only essential cookies (session management, authentication) and opt-in analytics cookies where applicable. We do not use advertising cookies or cross-site tracking. Full details and preference controls are available on our Cookie Policy page.

5. AI Data Processing Policy

All CHKDSK Labs products that use AI inference route requests exclusively through the Vercel AI Gateway and use only models that support Zero Data Retention (ZDR). Under ZDR:

  • Your data is not stored, logged, or used for model training by AI model providers
  • Data exists in the provider's infrastructure only for the duration of the inference request and is discarded immediately after the response is generated
  • All communication with the AI Gateway is encrypted via TLS

Products that use AI features publish supplemental documentation describing exactly what data is sent to AI models — see Section 11.

6. How We Protect Your Information

  • Encryption in transit — all data is transmitted over TLS/HTTPS with HSTS preload enabled
  • Encryption at rest — sensitive credentials (OAuth tokens, webhook URLs, API keys) are encrypted using AES-256-GCM where applicable
  • Minimal data collection — we collect only what is necessary for the stated purpose and discard it as soon as it is no longer needed
  • Access controls — internal access to personal data is restricted to personnel who require it to perform their responsibilities. Database-level row-level security (RLS) is enforced where applicable.
  • Input validation — all API inputs are validated to prevent injection attacks
  • Webhook verification — inbound webhooks from GitHub, Stripe, and other providers are verified via HMAC signatures before processing

7. Data Sharing and Third Parties

We share data with third-party providers only as necessary to operate our products. We do not sell, rent, or trade your personal information. For detailed information about each provider, see our Third-Party Services page.

Service | Data Shared | Purpose
Vercel | Request logs, anonymized analytics | Hosting, CDN, serverless compute
Fly.io | Request metadata | Static site & service hosting
Cloudflare | Request metadata, application data (R2/D1) | Pages, Workers, object storage, database
Stripe | Customer ID, subscription status, metered usage | Payment processing
GitHub | OAuth tokens, API calls for repository data | Authentication, repository access
Neon | All stored application data (encrypted) | Database hosting (PostgreSQL)
Supabase | Account data, application state, auth sessions | Database hosting, authentication
Sanity | Published content | CMS content delivery
Vercel AI Gateway | Product-specific metadata (no source code, no PII) | AI inference (ZDR policy)
Sentry | Error messages, stack traces, request metadata (no PII) | Error monitoring
PostHog | Page views, feature usage, session data | Product analytics (consent-based)
Slack | Name, email, ticket content, notification digests | Support ticket management, notifications
Pushover | Notification digests (counts only) | Optional push notifications

Not all services are used by every product. See the Third-Party Services page for per-product breakdowns.

8. Data Retention

Data Type | Retention Period
Server / access logs | 30 days
Support tickets | 2 years from last activity, then deleted on request
Analytics data | 90 days (aggregated, no PII)
Cookie preferences | Local storage only — not transmitted to our servers
Account data | Until you delete your account or revoke access
Payment / subscription records | Retained by Stripe per their policies; we store only opaque IDs
AI insight cache | Temporary (cleared on redeploy or TTL expiry)
Extension local storage | Until you remove the extension or clear storage

Product-specific retention schedules may apply. See supplemental policies in Section 11.

9. Your Rights

You have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Deletion — request that we delete your personal data; we will comply unless retention is required by law
  • Correction — request correction of inaccurate data
  • Portability — receive your data in a machine-readable format where technically feasible
  • Withdraw consent — revoke cookie or analytics consent at any time

EU / EEA Residents (GDPR)

Under the General Data Protection Regulation you additionally have the right to restriction of processing and to object to processing based on legitimate interest. Our legal basis for processing is:

  • Legitimate interest — server logging and security monitoring
  • Contract performance — account management, support, service delivery
  • Consent — analytics cookies and optional AI features (opt-in)

California Residents (CCPA)

You have the right to know what personal information we collect, to request its deletion, and to opt out of sale. We do not sell personal information.

10. Children's Privacy

Our products are not directed to children under 13 years of age (some products require users to be 18 or older). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

11. Product-Specific Privacy Policies

Some CHKDSK Labs products collect additional personal data beyond what is described in this company-wide policy. Each such product publishes a supplemental privacy policy that should be read alongside this one. This policy sets the baseline; product policies add detail specific to that product's data practices.

Product | Supplemental Privacy Policy
Ridge Sight | ridgesight.app/privacy — covers GitHub OAuth, PR data, payment data, AI insights, and notifications
ConVersely | cnvrsly.app/privacy — covers user-generated content, social interactions, moderation, and analytics consent
PomoTok | Published in the Microsoft Store listing — covers local SQLite storage for session data, system proxy modification for website blocking, Win32 window enumeration for app blocking, and Windows Store license verification
Refresso | Published in the extension's browser store listing — covers local device storage, licensing, and payment data

Open-source projects (HissCheck, L-BOM, GUI-BOM) are distributed under the MIT license and do not collect any personal data or connect to CHKDSK Labs servers.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. The “Last updated” date at the top of this page reflects the most recent revision. For material changes we will post a notice on the site. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact

To exercise your rights, ask a question, or report a privacy concern: