Privacy Policy

Last updated: March 25, 2026

1. Introduction

This Privacy Policy explains how FinishKit ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website, platform, and services (collectively, the "Service").

FinishKit is operated from New South Wales, Australia (ABN: 37 788 448 354). You can contact us at support@finishkit.app.

FinishKit is the finish layer for AI-built web apps. We connect to your code repository, analyse your codebase using AI, and generate a prioritised Finish Plan to help you ship a production-ready product.

This Privacy Policy serves as our collection notice under the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). It explains how we handle your personal information when you use the Service. By using the Service, you acknowledge and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

Beta Notice: FinishKit is currently in beta. Our data handling practices may evolve as the product matures. We will update this Privacy Policy to reflect any material changes and notify you accordingly.

2. Information We Collect

Information You Provide Directly

  • Account information: When you sign up, we collect your name, email address, and profile details from your authentication provider (GitHub or Google).
  • Repository access: When you connect a repository, we receive access to repository metadata, file contents, branch information, and commit history as permitted by your GitHub App installation settings.
  • Payment information: When you purchase a paid plan or top-up, your payment details are collected and processed by our third-party payment processor, Stripe. We do not store your full credit card number; we receive only a tokenised reference and transaction metadata from Stripe.
  • Newsletter subscription: If you subscribe to our newsletter, we collect your email address. Newsletter subscription is entirely optional and is not a condition of using the Service.
  • Communications: If you contact us for support or feedback, we collect the contents of your messages and any contact information you provide.

Information Collected Automatically

  • Usage data: We collect information about how you interact with the Service, including pages viewed, features used, analysis runs initiated, and actions taken within the dashboard.
  • Device and browser data: We collect your IP address, browser type and version, operating system, device type, and screen resolution.
  • Performance data: We collect page load times, error logs, and other technical metrics to monitor and improve the Service.

Information from Third Parties

  • Authentication providers: When you sign in with GitHub or Google, we receive your public profile information and email address from those providers.
  • GitHub App events: We receive webhook events from GitHub related to your installed repositories, including push events and installation changes.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Service.
  • To analyse your code repositories and generate Finish Plans, findings, and patches.
  • To authenticate your identity and manage your account.
  • To communicate with you about the Service, including sending transactional emails and responding to support requests.
  • To send you marketing communications, including newsletters, product updates, and promotional content, where you have opted in to receive such communications. You can opt out of marketing communications at any time (see Section 12).
  • To monitor usage patterns, diagnose technical issues, and improve the Service.
  • To track token consumption and compute costs for analysis runs.
  • To enforce our Terms of Service and protect against fraud or abuse.
  • To comply with legal obligations and respond to lawful requests.

4. AI and Code Processing

FinishKit uses third-party AI providers to analyse your code. When you initiate an analysis run, portions of your repository data (including code snippets, file structures, and configuration details) are sent to our AI providers for processing. Currently, we use:

  • OpenAI (GPT models) for code analysis and finding generation.
  • Google (Gemini models) as an alternative analysis provider.

These providers process your code solely to generate analysis results for the Service. They operate under data processing agreements that restrict how your data may be used.

We do not use your code to train AI models. Your repository data is processed for analysis only and is not retained by our AI providers for model training or improvement purposes.

What we store: We retain metadata, analysis findings, generated patches, diffs, run logs, token usage counts, and cost metrics. Findings, patches, and diffs may include the excerpts of your code needed to describe or apply a suggested change, but we do not store full copies of your source code in our database.

Temporary processing: During an analysis run, your repository is temporarily cloned to our runner infrastructure for processing. This temporary copy is deleted when the run completes or is cancelled.

Automated Decision-Making and AI Analysis

FinishKit uses automated processing, including AI models, to analyse your code repositories. This automated analysis generates findings with severity levels (critical, high, medium, low) and categorises them into areas such as security, stability, deployment readiness, testing, and UI.

These AI-generated assessments are advisory only and are not used to make decisions that have legal or similarly significant effects on you. You are responsible for reviewing all AI Output before acting on it. No automated decision is made about your access to the Service or your rights based on these analyses.

We are committed to transparency about our use of automated processing in accordance with evolving Australian privacy law requirements.

5. How We Share Information

We do not sell your personal information. We share information only in the following circumstances:

  • AI providers: As described in Section 4, portions of your repository data are sent to OpenAI and Google for code analysis.
  • Infrastructure providers: We use Supabase (database and authentication), Vercel (web hosting), and Fly.io (worker infrastructure) to operate the Service. These providers may process data on our behalf in accordance with their privacy policies.
  • Payment processor: We use Stripe to process payments. When you make a payment, Stripe receives your payment details directly. Stripe's handling of your data is governed by Stripe's privacy policy.
  • Analytics providers: We use the analytics tools described in Section 8 to understand how the Service is used. This includes aggregated usage and performance metrics and, in the case of PostHog, event-level analytics and session recordings.
  • Legal compliance: We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6. Cross-Border Data Disclosure

Under the Australian Privacy Principles, we must tell you when your personal information is likely to be disclosed to overseas recipients and, where practicable, identify the countries involved (APP 5), and we must take reasonable steps to ensure those recipients do not breach the APPs (APP 8).

Your personal information may be disclosed to, and processed by, service providers located in the following country:

United States

  • Supabase — database, authentication, and realtime infrastructure
  • Vercel — web application hosting
  • Fly.io — worker and runner infrastructure
  • OpenAI — AI code analysis (GPT models)
  • Google — AI code analysis (Gemini models)
  • GitHub — repository integration and source control
  • Stripe — payment processing
  • PostHog — product analytics

All overseas disclosures are made under data processing agreements or equivalent contractual protections that require the recipients to handle your personal information in accordance with the Australian Privacy Principles. We take reasonable steps to ensure that overseas recipients do not breach the APPs in relation to your personal information.

7. GitHub Integration

FinishKit integrates with GitHub through a GitHub App. When you install the FinishKit GitHub App:

  • We receive access to the repositories you explicitly select during installation. We do not access repositories outside your selected scope.
  • We receive repository metadata including names, branches, commit history, and file contents for the purpose of analysis.
  • We receive webhook events (such as push events and installation changes) to keep your project data in sync.
  • We may create pull requests on your behalf when you choose to apply suggested patches. We do not modify your repository without your explicit action.

You can revoke access at any time by uninstalling the FinishKit GitHub App from your GitHub account settings.

8. Cookies and Tracking

We use cookies and similar technologies to operate the Service and understand usage patterns:

  • Authentication cookies: Supabase Auth sets cookies to maintain your session and keep you signed in. These are essential for the Service to function.
  • Vercel Analytics: We use Vercel Analytics to collect anonymised performance and usage metrics for our web application.
  • PostHog: We use PostHog for product analytics, including feature usage tracking, session recording, and event analytics to improve the user experience.
  • Google Ads: We use Google Ads conversion tracking and remarketing tags to measure the effectiveness of our advertising campaigns.

9. Data Retention

We retain different types of data for different periods:

  • Account data: We retain your account information for as long as your account is active. If you delete your account, we will remove your personal information within a reasonable timeframe, except where retention is required by law.
  • Analysis artifacts: Findings, patches, run logs, and related artifacts are retained for as long as your account is active and the associated project exists.
  • Temporary runner data: Cloned repository data used during analysis runs is deleted upon run completion or cancellation.
  • Analytics data: Aggregated usage and performance data that does not identify individual users may be retained indefinitely.

10. Data Security

We implement reasonable technical and organisational measures to protect your information:

  • All data in transit is encrypted using HTTPS/TLS.
  • All data at rest in our database is encrypted.
  • Database access is protected by Row Level Security (RLS) policies, ensuring users can only access their own data.
  • Authentication is managed through Supabase Auth with support for OAuth providers and magic link sign-in.
  • API endpoints are protected by rate limiting to prevent abuse.
  • Sensitive data in logs is redacted before storage.
  • Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
  • We conduct periodic reviews of our security practices and third-party provider security postures.
  • We have incident response procedures to detect, investigate, and respond to potential security breaches.

Beta caveat: While we take security seriously, the Service is in beta and our security practices are still maturing. We cannot guarantee absolute security. Please do not submit highly sensitive credentials, secrets, or confidential material through the Service.

11. Notifiable Data Breaches

In accordance with Part IIIC of the Privacy Act 1988 (Cth), in the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  • Take immediate steps to contain the breach and mitigate potential harm.
  • Assess the breach within 30 days to determine whether it is an eligible data breach under the Privacy Act 1988.
  • If the breach is an eligible data breach, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.
  • Provide affected individuals with information about the breach, including what information was involved, what we are doing in response, and steps they can take to protect themselves.

12. Your Rights and Choices

Under the Australian Privacy Principles, you have the following rights regarding your personal information:

  • Access (APP 12): Request access to the personal information we hold about you. We will respond to your request within 30 days.
  • Correction (APP 13): Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information. We will respond to your request within 30 days.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Portability: Request a copy of your data in a structured, commonly used, and machine-readable format.
  • Direct marketing opt-out (APP 7): You may opt out of receiving direct marketing communications from us at any time by clicking the unsubscribe link in any marketing email, or by contacting us at support@finishkit.app. We will process your opt-out request within a reasonable timeframe and at no cost to you.
  • Anonymity and pseudonymity (APP 2): Where practicable, you have the option to deal with us without identifying yourself or by using a pseudonym. However, to use the Service, you must create an account, which requires your name and email address (provided via GitHub or Google authentication). We cannot provide the core Service without this information.

To exercise any of these rights, please contact us at support@finishkit.app. We will respond to your request within 30 days in accordance with the Australian Privacy Principles.

Complaints

If you believe we have breached the Australian Privacy Principles or you are dissatisfied with how we have handled your personal information, you may lodge a complaint with us by contacting support@finishkit.app. Please include sufficient detail about your concern so that we can investigate.

We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

13. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us at support@finishkit.app.

14. Newsletter and Electronic Communications

Our newsletter and marketing email practices comply with the Spam Act 2003 (Cth). This means:

  • We will only send you commercial electronic messages (including newsletters and marketing emails) if you have provided your express consent (opt-in).
  • All commercial electronic messages we send will clearly identify FinishKit as the sender, include our contact details, and contain a functional unsubscribe mechanism.
  • If you unsubscribe from marketing communications, we will honour your request within 5 business days.
  • Transactional messages related to your account or use of the Service (such as run completion notifications, billing receipts, and security alerts) are not commercial messages under the Spam Act and will continue to be sent as necessary for the operation of the Service.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by email or through a prominent notice on the Service before the changes take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically for the latest information.

16. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us at:

FinishKit

ABN: 37 788 448 354

Email: support@finishkit.app

Location: New South Wales, Australia

If you are not satisfied with our response to a privacy-related inquiry, you have the right to complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

This Privacy Policy is governed by the laws of New South Wales, Australia, and the Privacy Act 1988 (Cth).

For information about our terms and conditions, please see our Terms of Service.