Privacy Policy

1. Who We Are

Maguyva is a code intelligence service operated by UT INTERNATIONAL PTE. LTD., a company registered in Singapore.

2. What We Collect

We collect three categories of data:

• Account data: your name, email address, and GitHub OAuth token (used to access repositories you authorize)
• Code data: your source code (stored to serve file content and power search), abstract syntax trees, symbol graphs, and semantic embeddings derived from your code
• Usage data: which tools you call, timestamps, and aggregate query patterns

Browser Storage. This website stores a small amount of data in your browser's local storage to remember your color mode preference (key: "maguyva-color-mode"). If you trigger the optional CRT easter egg, the active visual theme is stored in session storage for the current tab only. This data never leaves your browser and is not transmitted to our servers. We do not use cookies for tracking or analytics. Cloudflare, our infrastructure provider, may set functional cookies for security purposes.

3. How We Use It

We use your data to index your code and serve search results, process payments via Stripe, send transactional emails (account confirmations, billing receipts), and compute aggregate usage statistics. We do not use your code to train machine learning models. We do not sell your data.

4. Your Code

When you connect a repository, your source code is stored in our infrastructure to power code intelligence features including file retrieval and search. We parse it into an abstract syntax tree using tree-sitter, generate semantic embeddings via Voyage AI (AST-aware code chunks are sent for embedding generation - not complete files, and no customer-identifiable metadata such as repository names, usernames, or file paths is transmitted), and build a symbol graph of definitions and references. Voyage AI, now part of MongoDB, processes chunks transiently under API terms that prohibit training on customer data. Indexed repository data is stored in PostgreSQL, and access to that data is controlled through organization- and namespace-scoped access controls. Your data is accessible only to members of your organization. When you disconnect a repository, its source code and all derived data are removed from active systems. When you cancel your account, the same applies. Residual copies in encrypted backups are purged within 30 days.

5. Third Parties

We use the following services to operate Maguyva:

• Supabase (database hosting, AWS US regions)
• Cloudflare (CDN, edge compute, DNS)
• Voyage AI, now part of MongoDB (embedding generation - receives AST-aware code chunks without customer identifiers, not complete files or repositories)
• Stripe (payment processing)
• GitHub (OAuth authentication and repository access)

6. Data Security

Data is transmitted over HTTPS/TLS. Indexed repository data is stored on managed infrastructure that provides encryption at rest. Repository access is controlled through organization- and namespace-scoped access controls. API keys are validated against stored metadata and repository access restrictions.

7. Your Rights

Under Singapore PDPA and EU GDPR (where applicable), you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data and indexed repositories
• Export your account data
• Object to processing or withdraw consent

8. Data Retention

Active accounts: data is retained while your account is active. Deleted accounts: code data is purged within 30 days, database backups within 90 days. Billing records are retained for 7 years as required by law.

9. Changes and Contact

We will email you about material changes to this policy. For questions or data requests, contact privacy@maguyva.ai.