Privacy Policy

StoD Inc. ("we", "us" or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose and protect information in connection with our service "Gitty" (the "Service").

1. Scope

This Policy applies to all personal information and related data that we collect in connection with the Service.

Compliance with Laws and Guidelines

We handle personal information lawfully and appropriately in compliance with the Act on the Protection of Personal Information of Japan and other applicable laws, guidelines issued by the Personal Information Protection Commission, and this Policy.

2. Information We Collect

3. Methods of Collection

We collect the above information through user input, GitHub OAuth API access, automatic collection via cookies, or generation during the AI analysis process.

4. Purposes of Use

  1. Provision of skill visualization and scoring
  2. Job/company matching, hackathon, ranking and other Service features
  3. Providing additional features including evaluation of Private Repositories
  4. Statistical analysis for Service improvement and new feature development
  5. Detection and prevention of fraudulent activities and ensuring security
  6. Notifications of important updates or changes to the Terms
  7. Responding to inquiries
  8. Any other purposes ancillary to the above

For the service "Gitty" operated by us, in addition to the purposes set forth in the above items, we may provide users' personal information to recruiting companies that are our corporate clients for the purpose of providing career transition and recruitment support to users. Please refer to the Terms of Use of Gitty for the service contents and definitions of terms used in this paragraph.

5. Handling of Private Repository Data

  1. We will evaluate Private Repositories only if you explicitly grant us access.
  2. We do not store the full source code of Private Repositories. However, for execution, audit and reproducibility of evaluations, aggregated text (evaluation prompts) that concatenates directory structure and multiple file contents may include excerpts of source code, and we may store such aggregated text.
  3. We convert collected information into text and index it, and use it for evaluation, search and display within the Service. To avoid handling secrets, we apply exclusion patterns for .env, keys/credentials, images/binaries, large data and build artifacts.
  4. Retention and deletion follow Section 7 (Data Retention): as a rule, we delete data within 30 days after revocation or account deletion, and backups are removed on a rolling basis within up to 90 days unless otherwise required by law.

5-1. User Deep Wiki (Corpus and Index)

We may compile technical summary text and similar material about repositories into a corpus and use it for Retrieval-Augmented Generation (RAG).

6. Data Transfer to AI Services

For evaluations, we may send aggregated text (evaluation prompts)—which concatenate directory structure and multiple file contents—and statistical information to external AI services such as Google Cloud Generative AI (Gemini) over encrypted channels. We apply exclusion patterns (e.g., .env, keys/credentials, images/binaries, large data, build artifacts) to avoid sending secrets.

We require providers, via configuration and contractual measures, not to use sent data for model training. Some portions of prompts may be stored in our storage for auditability; retention/deletion follows Section 7 (Data Retention).

7. Data Retention

We retain personal information only as long as necessary for the purposes described. As a rule, we delete data within 30 days after revocation or account deletion, and backups are removed on a rolling basis within up to 90 days, unless retention is required by law.

8. Disclosure to Third Parties

We do not disclose personal information to third parties except in the following cases:

(Processors and Sub-processors)

We may outsource all or part of the processing of personal information to external service providers for the purpose of providing the Service. We impose confidentiality obligations, prohibit use for purposes other than those specified, and require appropriate security measures by contract, and we exercise appropriate supervision. Representative categories and purposes include:

We publish a Sub-processor List on our website describing key providers, locations and safeguards. Where cross-border transfers occur, we provide information about the destination country's legal framework and contractual safeguards, and obtain consent where required.

9. User Deep Wiki (Corpus and Index)

We may create a technical text corpus (e.g., summaries about repositories) and use it for Retrieval-Augmented Generation (RAG). The corpus is limited to the minimum information necessary for evaluation and search, and we take care to avoid handling highly sensitive information.

10. Security Measures

We implement appropriate security measures such as TLS/SSL encryption, access control, data encryption at rest, and vulnerability management to protect personal information from leakage, loss or damage.

In the event of a personal data breach, we will promptly notify the Personal Information Protection Commission of Japan and affected individuals as required by law, and document and disclose causes, impacts and remediation measures.

11. Cross-Border Transfers

Personal data may be processed outside Japan when we use services such as Google Cloud (Cloud Run / Pub/Sub / Cloud Storage) or Google Cloud Generative AI / Vertex AI, and Supabase. We implement contractual safeguards (data processing agreements and addenda comparable to standard contractual clauses) and technical and organizational measures to comply with applicable laws. We publish a Sub-processor List on our website describing key providers, locations and safeguards, and obtain consent where required.

11. Cookies

We use cookies and similar technologies for user experience enhancement and access analytics. You can disable cookies via your browser settings; however, some features of the Service may not function properly.

12. Your Rights

You may request access, correction, addition, deletion, or restriction of your personal information. Please contact us using the details below. We will respond promptly in accordance with applicable laws. We may ask you to complete certain identity verification steps (e.g., confirming your name and contact details and, where reasonable, providing supporting documentation). As a general rule, we aim to complete responses within 30 days unless otherwise required by law.

For notification of purposes of use and disclosure of retained personal data or records of third-party provision, a fee of 1,000 yen per request will be charged.

13. Use by Minors

If you are a minor, please use the Service only with the consent of your parent or legal guardian.

14. Changes to this Policy

We may revise this Policy from time to time to comply with laws or to reflect changes in our business. The revised Policy will become effective when posted on the Site.

15. Contact

For requests regarding retained personal data and other inquiries about our handling of personal information, please contact the following:

965-0006
145-2 Tsuruga Shimoiai, Ikkimachi, Aizuwakamatsu City, Fukushima Prefecture
Personal Information Controller: Kowa Nose
info@matchstod.com

For other inquiries about this Policy, please contact us at info@matchstod.com.

Effective: 2025/10/1