Compliance · Privacy

Privacy Policy

This policy explains how Orqent Labs (“Orqent”, “we”, “us”) handles information when you use Indicode — a hosted Model Context Protocol (MCP) service that serves engineering guidance to your coding agent and installs configuration artifacts into your repository. By creating an account or connecting Indicode to your editor, you agree to the practices described here.

Last updated: June 2026 · Orqent Labs

What Indicode is — and what it never touches

Indicode is a hosted MCP that serves engineering guidance and installs config artifacts. It does not proxy or store the content of your prompts. Your conversations with your coding agent, your source code, and the completions your model returns stay between you, your editor, and your model provider. When Indicode installs a guardrail or scaffolds a task, that file is written locally in your repository — we do not receive a copy of it. This is the single most important fact about how we treat your data.

Because Indicode answers questions like “what is the right practice here?” and “which artifact enforces this gate?”, the only request payloads we see are the structured tool arguments your agent sends — for example a practice identifier, a maturity level, or a path to install an artifact. We do not ingest your prompt history or your codebase to fulfil those calls.

Information we collect

  • Account data: your name, email address, and country, captured at sign-up and used for authentication, billing, and support.
  • License & device data: your sealed one-machine license token and a derived machine fingerprint, used to enforce the single-machine binding and to detect license sharing.
  • Billing data: subscription status and payment-processor references. Card details are handled by our payment processors; we never see or store your full card number.
  • Service metadata: which tools were called, timestamps, response status, and error events — used for quotas, reliability, abuse prevention, and improving guidance. This metadata excludes prompt and code content.

How we use information

We use the information above to operate and secure the Service: to authenticate you, enforce your sealed license, process the $5/mo subscription, prevent abuse, provide support, improve our engineering guidance, and meet our legal obligations. We do not sell personal information, and we do not use your data to train third-party models.

Processors we rely on

We share the minimum necessary data with trusted processors: payment providers (for billing), hosting and database infrastructure (to run the Service and store account records), and email/support tooling. Each processor acts under contract and only for the purpose of delivering its function.

India — Digital Personal Data Protection Act (DPDP)

If you are in India, we process your personal data as a Data Fiduciary under the DPDP Act, 2023, on the lawful basis of your consent and the performance of our contract with you. You have the right to access and correct your data, to withdraw consent, to nominate a representative, and to grievance redressal.

  • Consent is sought in clear language and may be withdrawn at any time from your account or by email.
  • Grievances are handled by our Grievance Officer — see our Grievance page for the named officer and timelines.
  • You may escalate unresolved complaints to the Data Protection Board of India.

United States — California (CCPA/CPRA)

If you are a California resident, the CCPA as amended by the CPRA gives you rights over your personal information. Orqent Labs does not sell or share personal information as those terms are defined by the CCPA, and we do not use sensitive personal information beyond what is necessary to provide the Service.

  • Right to know the categories and specific pieces of personal information we collect.
  • Right to delete personal information we hold about you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to non-discrimination for exercising any of these rights.

To exercise these rights, email us using the contact below. We will verify your request against your account and respond within the statutory timeframe.

European Union / EEA / UK — GDPR

If you are in the EU, EEA, or UK, we process personal data under the GDPR (and UK GDPR). Our lawful bases are contract (to provide Indicode to you), legitimate interests (to secure the Service and prevent abuse), consent (for non-essential cookies), and legal obligation (for accounting).

  • Rights of access, rectification, erasure, restriction, portability, and objection.
  • The right to withdraw consent at any time, without affecting prior lawful processing.
  • The right to lodge a complaint with your local supervisory authority.
  • International transfers are protected by Standard Contractual Clauses where applicable.

See our Data Processing Addendum for processor terms, sub-processors, and transfer mechanisms relevant to business customers.

Security

We use encryption in transit and at rest, scoped access controls, least-privilege practices, and the sealed one-machine license to limit account abuse. No system is perfectly secure, but we work to protect your data and to notify you of material incidents as required by applicable law.

Data retention

We retain account and billing records while your account is active and for as long as required for legal, tax, and accounting purposes. License and device fingerprints are deleted when you close your account. Because we do not store prompt or code content, there is nothing of that nature to retain.

Contact

Questions or requests about this policy? Email privacy@orqentlabs.com. Orqent Labs acts as the controller / data fiduciary for Indicode.