Privacy Policy

Last updated: April 1, 2026

2ndOpinion ("we," "us," or "our") operates the get2ndopinion.dev platform and related services. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service. We are committed to protecting your privacy and complying with applicable data protection laws, including the GDPR and CCPA.

1. Information We Collect

Account Information

  • Email address (required for account creation)
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Subscription tier and billing status

Usage Data

  • API request logs: timestamp, endpoint, model used, credit cost, response time, status code (retained for 30 days)
  • Authentication events: login attempts, token refreshes (retained for 30 days)
  • Credit usage and balance information

Code Data

  • Code diffs and questions you submit for analysis
  • These are processed in real time and cached for up to 5 minutes for performance
  • We do not store your source code beyond the 5-minute cache
  • We do not use your code to train any models

Payment Information

  • Payment processing is handled entirely by Stripe
  • We never see, store, or have access to your full credit card numbers
  • We store your Stripe customer ID and subscription status

Analytics Data

  • We use Google Analytics 4 with anonymized IP addresses
  • Page views, session duration, referral sources, and device type
  • No personally identifiable information is sent to Google Analytics

2. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process your code analysis requests through LLM providers
  • Manage your account, subscriptions, and billing
  • Enforce rate limits and prevent abuse
  • Send transactional emails (account confirmation, password reset, billing receipts)
  • Monitor service health and debug issues
  • Generate aggregated, anonymized analytics for service improvement

3. Data Sharing

We share data with the following third parties, strictly as required to provide the Service:

LLM Providers

Code diffs and questions are sent to Anthropic (Claude), OpenAI (Codex), and/or Google (Gemini) for analysis. Each provider processes data under their own privacy policies and data processing agreements.

Stripe

Payment and subscription data is processed by Stripe (PCI DSS Level 1 compliant). See Stripe's privacy policy at stripe.com/privacy.

Infrastructure Providers

Our application runs on Vercel (SOC 2 compliant) and our database is hosted on Neon (SOC 2 compliant).

We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.

4. Data Retention

  • Code diffs: Cached for up to 5 minutes, then deleted
  • API request logs: Retained for 30 days, then automatically purged
  • System logs: Retained for 7 days, then automatically purged
  • Account data: Retained while your account is active, deleted upon account deletion
  • Billing records: Retained as required by tax and accounting regulations

5. Security

We implement industry-standard security measures to protect your data, including:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest (Neon PostgreSQL)
  • Bcrypt password hashing with salt
  • SHA-256 hashed API keys (we never store plaintext keys)
  • JWT with refresh token rotation for session management
  • Per-user rate limiting and brute-force protection

No system is 100% secure. If you discover a vulnerability, please report it to security@get2ndopinion.dev.

6. Your Rights

GDPR Rights (EU/EEA residents)

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure: Request deletion of your personal data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to restrict processing: Limit how we use your data
  • Right to object: Object to processing based on legitimate interests

CCPA Rights (California residents)

  • Right to know: What personal information we collect, use, and share
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: We do not sell personal information, so this right is automatically satisfied
  • Right to non-discrimination: We will not discriminate against you for exercising your rights

To exercise any of these rights, contact us at privacy@get2ndopinion.dev. We will respond within 30 days.

7. Cookies

We use minimal cookies:

  • Authentication cookies: Essential session cookies for logged-in users
  • Google Analytics: First-party analytics cookies with anonymized IP. You can opt out using browser-level cookie controls or a GA opt-out extension.

We do not use advertising cookies, tracking pixels, or third-party marketing cookies.

8. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

9. International Data Transfers

Our Service is hosted in the United States (Vercel, Portland region). If you access the Service from outside the US, your data may be transferred to and processed in the United States. We rely on standard contractual clauses and provider compliance (Vercel SOC 2, Neon SOC 2) to ensure adequate data protection.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service. Your continued use after changes constitutes acceptance of the updated policy.

Contact

For privacy-related questions or to exercise your data rights, contact us at privacy@get2ndopinion.dev.