Privacy Policy
Last updated: July 2, 2026
Comber is an every-click QA checker: you point it at an app you own, it walks every inch of it, and it reports what washed up. This policy explains what data that involves, what we can and can't see, and who processes it. Plain-language summary up top; the specifics follow.
The short version
We collect the minimum needed to run the service and bill you. We don't sell your data, we don't run ad trackers, and Comber redacts known secrets from run data before it ever reaches us. Because Comber exercises real applications, run reports can contain data from your app — including your end-users' information — so we handle that as your processor, and you stay in control of it.
What we collect
- Account & contact — the email address you sign up and receive keys with, and the hashed API keys your runs authenticate with.
- Billing — handled by Stripe. We store your plan and Stripe customer/subscription identifiers; we never see or store your card number.
- Run data you send us — the reports Comber produces: findings, coverage, screenshots/artifacts (screenshots are raw pixels and are not redacted), and redacted URLs, ingested over your API key.
- Operational logs — standard request/error logs to keep the service running and secure. We keep logs free of run contents and secrets.
What Comber redacts before it reaches us
Comber strips known secret shapes — tokens, keys, and sensitive URL parameters (?token=, #access_token=, signed-URL params) — from findings and URLs before a run record leaves your machine or CI. Redaction is best-effort pattern-matching, not a guarantee that every sensitive value is caught (see the next section).
Data Comber discovers while testing your app
This is the honest part. Comber's job is to exercise flows — including authentication and access-control paths — on the app you point it at. In doing so, a report or screenshot can legitimately capture content from your application, and that content may include your own users' personal information. When it does, we act as your data processor: we store that data only to deliver the service back to you, we don't use it for anything else, and it's covered by the retention and deletion terms below. You remain the controller of your users' data and are responsible for your lawful basis to test with it. If you handle regulated data, run Comber against staging, and contact us for a data-processing addendum.
How the AI works — and your key
Comber uses Anthropic's Claude models to pick and judge actions. You bring your own Anthropic API key: those model calls happen under your Anthropic account and don't pass through us. The run's page content is sent to Anthropic to classify. Anthropic is a sub-processor for that inference.
Sub-processors
- Anthropic — the Claude models that drive and judge a crawl (inference).
- Stripe — payments and subscription billing.
- Resend — transactional email (API-key delivery, receipts, service notices).
- Our cloud hosting & managed PostgreSQL provider — runs the service and stores your account and run records.
How we use your data
To operate the service (store and show your runs), authenticate your API keys, bill your subscription, send you service email, and keep the platform secure and working. That's the whole list — no profiling for advertising, no resale.
Retention
We keep your account and run records while your account is active. When you close your account, we delete your run data and artifacts within 30 days, except where we must retain limited billing records for legal and accounting obligations. Ask us to delete sooner — including specific runs — and we will.
What we don't do
We don't sell your data. We don't run ad SDKs, tracking pixels, or cross-site trackers. We don't use your run contents to train models. We don't access your run data except to operate the service or when you ask us to for support.
Your rights
You can view your run data from the dashboard. To export or correct your data, delete specific runs, or erase your whole account — or exercise any privacy right (access, portability, or erasure) — email support@codecomber.io.
Children
Comber is a developer tool for business use and is not directed to children. You must be 18 or older to use it.
International transfers
We operate from the United States; if you use Comber from elsewhere, your data is processed in the U.S. under this policy and the safeguards our sub-processors provide.
Changes
We'll update the date at the top when this policy changes. For material changes — a new sub-processor, a new data category, a changed retention window — we'll give notice in-app or by email before they take effect.
Contact
The controller of your personal data is RADLAB LLC, a Wyoming limited liability company. Reach us at support@codecomber.io.
Comber is a product of RADLAB LLC, a Wyoming limited liability company. Questions about this page? support@codecomber.io.