PanDev Extensions Privacy Policy

Version: 1.0
Effective Date: January 1, 2025
Rights Holder (Provider): PanDev Ltd

This Policy describes how PanDev extensions for code editors and IDEs handle data. The document aligns in meaning and terminology with the Extensions EULA and the Extensions ToS. Access to PanDev cloud services is governed by the Cloud Terms. Server software deployed at the Customer is governed by the Self-Managed EULA.

1. Scope and Purpose

1.1. The Policy applies only to PanDev extensions as a channel for transferring data from an IDE to the Server.
1.2. The Policy does not set processing rules inside the SaaS. For the cloud, the Cloud Terms and a separate SaaS privacy policy (to be published) apply.
1.3. For on-prem deployments, processing takes place within the Customer's infrastructure under the Self-Managed EULA. This Policy describes only what data the extensions transmit and how PanDev treats it.

2. Roles and Allocation of Responsibilities

2.1. SaaS. The Customer is the controller of personal data. PanDev acts as a processor for the cloud. The rules are captured in the Cloud Terms. A DPA may be signed upon request.
2.2. On-prem. Data is processed and controlled by the Customer in its infrastructure. PanDev is not a processor and does not receive access unless separately agreed.
2.3. Extension diagnostic telemetry. To improve quality PanDev may process anonymized telemetry about the extensions themselves. In on-prem mode diagnostic telemetry is not used.

3. Data Transmitted by the Extensions

3.1. Activity Data is metadata about events in the Editor without source code content. It includes:

Event time and sequence of actions.
Project and repository context: project name, modules, repository path or identifier, active branch, links to commits and their parent records.
File and language context: file path, file name, programming language, total line count, current line, and cursor position.
Environment and extension context: IDE name and version, PanDev extension type and version.
Execution context: run type (for example run, debug, or tests), final status, run profile name, executable class name, execution module.
User and organizational context: actor or commit author, user ID in the system, company or tenant identifier in PanDev.
System and network parameters: user's local timezone, system timezone, device network attributes including IP address, country, and hardware network identifier.
Short textual event description, such as a commit message, without embedding file contents.

3.2. Diagnostic telemetry consists of anonymized information about the extensions and compatible environment: versions, crashes, performance. In on-prem mode diagnostic telemetry is not used.

3.3. Not transmitted: source code content, secrets, keys, tokens, passwords, binary artifacts, or full copies of configuration files. By default the extensions do not send file contents and strive to exclude sensitive areas.

3.4. Authentication data. Credentials may be transmitted to sign in to the cloud or on-prem. Transmission uses secure channels, passwords are not logged and are not part of Activity Data. After authentication, tokens with limited validity are used.

3.5. The set of categories and the level of detail are synchronized with the PanDev extension technical specification and aligned with the EULA and ToS.

4. Data Sources

4.1. The primary source is the extension running on the User's machine.
4.2. Additionally, data may come from the Customer during project configuration and from infrastructure logs in SaaS mode.

5. Processing Purposes

We use extension-related data for the following purposes:

delivering Activity Data to the Server and ensuring reliable delivery during outages
maintaining integration functionality and version compatibility
diagnosing and resolving incidents
improving extension quality and performance
security and abuse prevention
performing Customer contracts and meeting legal requirements

6. Legal Bases

6.1. SaaS. The Customer determines legal bases as the controller. PanDev acts as a processor under the Cloud Terms and any applicable DPA.
6.2. On-prem. Processing is determined by the Customer. PanDev is not a processor.
6.3. Extension diagnostic telemetry. Processed by PanDev under its legitimate interest in product quality and security. Telemetry is not used for profiling Users and does not include code content.

7. Storage

7.1. Extension local cache. When the Server is unavailable, the extension temporarily stores events in a local cache and sends them once connectivity is restored. By default the cache is not limited in duration or volume and is not configurable inside the extension. The Customer may limit storage through corporate device policies and operating system controls.
7.2. SaaS. Cloud storage and deletion are governed by the Cloud Terms and the Customer's settings.
7.3. On-prem. Storage is managed by the Customer.
7.4. Diagnostic telemetry. Retained for the minimum time needed for diagnostics and improvements, after which the data is deleted or aggregated and anonymized.

8. Security

8.1. Data transmission uses TLS 1.2 or higher with host verification.
8.2. Access tokens and keys are stored in secure operating system vaults where possible.
8.3. The local cache is encrypted using OS mechanisms and extension safeguards. The protection level depends on device capabilities and configuration.
8.4. The Customer is responsible for device security policies, access management, and updates in its environment.

9.1. Subcontractors and subprocessors (SaaS). PanDev may engage vetted subcontractors for hosting and processing when operating the cloud. A list will be published or provided on request.
9.2. On-prem. PanDev does not receive data except for support under a separate written data access agreement.
9.3. Legal requirements. We disclose information when required by law and supported by proper legal grounds.
9.4. Cross-border transfers. In SaaS mode data may move across jurisdictions. PanDev applies organizational and technical measures to protect transferred data. For on-prem, data remains within the Customer's infrastructure.

10. Data Subject Rights

10.1. SaaS. Data subject requests (access, rectification, deletion, restriction, objection) should be addressed to the Customer as the controller. PanDev supports the Customer to the extent required under the Cloud Terms.
10.2. On-prem. Requests are handled by the Customer.
10.3. Extension telemetry. Requests may be sent directly to PanDev. We review and respond within a reasonable time.

11. Children and Consumers

PanDev extension products are intended solely for business use. We do not target children and do not knowingly collect data about minors.

12. Changes to This Policy

We may update this Policy. A new version takes effect after publication and notification through the services or by email. Continued use signifies acceptance of the changes.

13. Contact Information

Rights Holder (Provider): PanDev Ltd
Office: 050057, Republic of Kazakhstan, Almaty, Bostandyk District, Gagarin Ave. 124, 4th floor
Support: privacy@pandev.io and support@pandev.io

Appendix A. Alignment with the EULA and ToS

A.1. This Policy does not amend or replace the Extensions EULA or the Extensions ToS.
A.2. For SaaS the Cloud Terms and, if needed, a DPA apply.
A.3. In on-prem mode PanDev is not a processor and does not access data without separate consent.
A.4. In on-prem mode extension diagnostic telemetry is not used.
A.5. The composition of Activity Data and collection exclusions match the appendices to the EULA and ToS.

1. Scope and Purpose​

2. Roles and Allocation of Responsibilities​

3. Data Transmitted by the Extensions​

4. Data Sources​

5. Processing Purposes​

6. Legal Bases​

7. Storage​

8. Security​

9. Disclosure and Sharing​

10. Data Subject Rights​

11. Children and Consumers​

12. Changes to This Policy​

13. Contact Information​

Appendix A. Alignment with the EULA and ToS​