Critiq is an open source code review toolchain. The public CLI (`@critiq/cli`) and rules catalog (`@critiq/rules`) scan your repository locally and return deterministic findings you can use in the terminal or CI.

Does Critiq send my code to the cloud?

The OSS CLI runs locally on your machine or in your CI runner. It analyzes files in your checkout and does not upload your source to Critiq by default. Hosted Critiq Cloud features are optional and separate from the open source CLI.

How is this different from AI review tools?

Critiq findings come from explicit, testable rules, not probabilistic model output. You can inspect each rule, reproduce results, and tune what runs in CI. That makes feedback consistent and auditable.

Is Critiq open source?

Yes. The core engine, public CLI, and OSS rules catalog are open source under the Critiq GitHub organization. Premium rule packs and hosted product features are separate offerings.

Privacy

Privacy Policy

Last updated June 5, 2026

This policy applies to the public Critiq website at critiq.dev and public documentation at docs.critiq.dev. Critiq Cloud (the hosted portal and API at app.critiq.dev) is in limited private preview; separate privacy terms will apply when those services are generally available.

Who We Are

Critiq is the data controller for personal information collected through the public website and documentation described in this policy. Critiq operates from South Africa.

Full legal entity name and company registration details will be published here when finalized. Until then, references to "Critiq," "we," or "us" in this policy mean the Critiq project team responsible for critiq.dev and docs.critiq.dev.

Privacy and legal requests: legal@critiq.dev.

Scope

This Privacy Policy explains how Critiq collects, uses, and discloses information when you visit critiq.dev, use docs.critiq.dev, or otherwise interact with our public website and documentation.

It does not govern third-party sites, repositories, package registries, or services that we do not control, even when we link to them.

Critiq is building hosted services (Critiq Cloud). A private preview of the portal at app.critiq.dev may process account, authentication, and repository-related data for invited participants under separate terms that will be published before general availability. This policy does not replace those future Cloud terms.

Information We Collect

We collect limited information you choose to provide when you contact us through public channels, and technical information generated when you access the site.

Information you submit through the contact form on critiq.dev/contact (name, email, subject, and message), delivered to hallo@critiq.dev for response.
Information you submit in public GitHub issue trackers linked from our contact page (for example issue titles, descriptions, and your GitHub profile information visible on those threads).
We do not operate a live mailing list on the public site today.
Device, browser, operating system, IP address, referrer, pages viewed, and timestamps collected through hosting and delivery logs.
Server and edge logs (including Amazon CloudFront) used for security, abuse prevention, and operations.
Cookie and local storage data: we store your optional analytics preference in browser local storage under the key critiq_analytics_consent, and use cookies or similar technologies when you enable optional analytics.
Error monitoring data: when you use the site, our error monitoring provider may receive technical diagnostics such as error messages, stack traces, page URLs, browser and device metadata, and performance traces needed to operate and secure the service.

Lawful Bases And How We Use Information

Where the EU General Data Protection Regulation (GDPR) or the South African Protection of Personal Information Act (POPIA) applies, we rely on the following bases for the processing described in this policy:

We use collected information to operate the website and documentation, respond to inquiries, improve content, secure the service, and understand aggregate usage. We do not use site analytics to inspect your source code, repositories, or package contents.

Consent: optional Google Analytics 4 (GA4) measurement when you enable analytics in the privacy preferences banner.
Legitimate interests: operating and securing the public site, including mandatory error monitoring through Sentry; understanding aggregate demand when you opt in to analytics; responding to contact form and public inquiries; and maintaining server and edge logs for security and reliability (balanced against your rights).
Legal obligation: retaining or disclosing information when required by applicable law.

Cookies, Local Storage, Analytics, And Error Monitoring

Critiq uses cookies and browser local storage for basic functionality, security, optional analytics, and privacy preference storage on critiq.dev and docs.critiq.dev.

When you first visit, a privacy preferences banner lets you review two categories. Error monitoring through Sentry is required and stays enabled so we can detect outages, client errors, and performance problems. Optional Google Analytics 4 (GA4) runs only if you turn on the analytics switch and save your preferences.

Your optional analytics choice is stored in local storage under critiq_analytics_consent until you change or clear it. Sentry is not controlled by that switch and may run in production whether or not you enable analytics.

When analytics is enabled, we load GA4 in production builds only to understand aggregate traffic such as pages viewed, referral sources, outbound link clicks, documentation search usage, and missing-page requests. GA4 does not run in local or non-production preview environments.

We use Google Consent Mode so analytics storage stays denied until you enable optional analytics. Google may process limited technical data according to its own terms and privacy documentation.

Sentry may receive error reports, stack traces, browser and device metadata, page URLs, and limited performance data. Our Sentry organization is hosted in the European Union (de.sentry.io). Sentry is used under our legitimate interest in operating a reliable public site; you cannot disable it from the banner because it is required for service reliability and security.

You can disable optional analytics in the banner or later by clearing site data for critiq.dev and docs.critiq.dev (including critiq_analytics_consent), or control cookies through your browser settings. Disabling analytics does not block access to the site.

Google Fonts

critiq.dev and docs.critiq.dev load web fonts from fonts.googleapis.com (Google Fonts). When your browser requests those font files, Google may receive technical data such as your IP address. We use Google Fonts for typography only; we do not send personal profiles to Google through font requests.

Processors And Subprocessors

We use service providers that process information on our behalf to host, deliver, secure, monitor errors, measure optional traffic, and deliver contact form messages to our inbox. Key providers include Amazon Web Services (AWS), primarily in the eu-west-1 (Ireland) region, for hosting, content delivery (CloudFront), and related infrastructure; Functional Software, Inc. (Sentry), hosted in the European Union (de.sentry.io), for mandatory error and performance monitoring on the public site; FormSubmit (formsubmit.co) or a successor first-party endpoint to relay contact form submissions to hallo@critiq.dev until a Critiq-operated contact API is available; and Google LLC for Google Analytics 4 when you enable optional analytics, and for Google Fonts as described above.

Critiq Cloud (app.critiq.dev), including its portal, API, and worker services in private preview, also uses Sentry for operational error monitoring. A fuller subprocessor list for Critiq Cloud will be published when the hosted product is generally available.

We require processors to handle information only for our instructions and subject to appropriate contractual and security measures.

Sharing And Disclosure

We do not sell personal information collected through the public site. We may share information with the processors listed above, and when reasonably necessary to comply with law, protect rights or safety, investigate abuse, enforce our terms, or support a corporate transaction such as a financing, acquisition, or reorganization.

Retention

We keep information only as long as reasonably necessary for the purposes in this policy. Analytics data retained by Google is subject to Google retention settings and our GA configuration. Error and performance data retained by Sentry is subject to Sentry retention settings and our project configuration. Server and edge logs are kept for a limited period aligned with security and operations needs, then deleted or aggregated. Public GitHub issues you create remain governed by GitHub retention unless you delete them there.

Security

Critiq uses reasonable administrative, technical, and organizational measures to protect information collected through the website. No internet transmission or storage system is perfectly secure, so we cannot guarantee absolute security.

International Transfers

Critiq is based in South Africa. Our primary website infrastructure is hosted in the European Union (AWS eu-west-1). Some providers, including Google, may process data in the United States or other countries.

Where GDPR or POPIA requires safeguards for cross-border transfers, we rely on appropriate mechanisms such as processor agreements and, where applicable, standard contractual clauses or equivalent protections offered by our providers.

Your Rights

Depending on where you live, you may have rights to access, correct, delete, or restrict processing of your personal information, to object to certain processing, to withdraw consent where processing is based on consent, and to data portability where applicable.

To exercise these rights, email legal@critiq.dev. We may need to verify your request before acting on it. We aim to respond within timeframes required by applicable law.

If you are in the European Economic Area or United Kingdom, you may lodge a complaint with your local supervisory authority. If you are in South Africa, you may lodge a complaint with the Information Regulator (South Africa): https://www.justice.gov.za/inforeg/

Email Updates

We do not currently operate a public mailing list or newsletter subscription on critiq.dev. If we offer email updates in the future, we will describe collection and unsubscribe options at that time and update this policy.

Children

The public Critiq website is intended for professional and general informational use and is not directed to children under 13. We do not knowingly collect personal information from children through the site.

Changes To This Policy

We may update this Privacy Policy from time to time. When we do, we will post the revised version on this page and update the last-updated date above. Material changes become effective when posted unless a later effective date is stated.

Privacy and legal inquiries: legal@critiq.dev