KoraSafe™ JetBrains Extension privacy policy
Summary
- By default the extension runs entirely on your machine. No data leaves unless you opt in to cloud checks or telemetry.
- When cloud checks are enabled, file content from your open editor is sent to the KoraSafe™ API for governance analysis.
- When telemetry is enabled, anonymised usage events (no file content, no finding details) are sent to KoraSafe™.
- Both features are opt-in and disabled by default. You can disable either at any time in IDE settings.
- The extension does not collect credentials, browsing history, or any data outside the files you have open in the IDE.
Local-only mode (default)
When korasafe.enableCloudChecks is false (the default), all governance analysis runs on your machine using bundled rules. No file content, finding detail, or usage data is transmitted to any server. The extension reads your project files to detect governance issues and displays results in the KoraSafe™ tool window, inline inspections, and intention actions. Nothing leaves your machine.
Cloud checks (opt-in)
When you enable korasafe.enableCloudChecks, the extension sends file content to the KoraSafe™ API after each scan. Before cloud checks transmit any data for the first time, the extension shows a confirmation dialog that explains what is sent and links to this policy. You must click "Enable" before any transmission begins.
What is sent
| Data | Why it's sent |
|---|---|
| File content (text only) | Required for governance analysis. Files above the per-file size limit are skipped and logged to the IDE event log. |
| File path (relative to project root) | Used to identify the file in findings returned from the API. |
| Extension version | Included in the User-Agent header to help diagnose compatibility issues. |
| API key (bearer token) | Used to authenticate your request and associate findings with your KoraSafe™ org. Stored in IntelliJ PasswordSafe (OS credential store), never in IDE settings files. |
What is not sent
- Files that exceed the configured size limit (korasafe.cloudMaxFileSizeKb, default 512 KB).
- Files in languages not activated by the extension (JavaScript, TypeScript, Python, Go, JSX, TSX only).
- IDE settings, environment variables, secrets, or .env files.
- Git history, commit messages, or any data outside the active editor.
- Any finding text or analysis results. Those flow from the API back to you, not the other way.
Cloud checks in untrusted projects
Cloud checks are automatically disabled in IntelliJ untrusted projects, regardless of the enableCloudChecks setting. Local analysis continues to run in untrusted projects.
Telemetry (opt-in)
When korasafe.telemetryEnabled is true and the IDE's global usage statistics setting allows it, the extension sends anonymised usage events to KoraSafe™. Telemetry is disabled by default and respects the IDE's data sharing level setting.
What telemetry includes
- Event type and timestamp (e.g., scan triggered, intention action invoked, project scan started).
- Finding counts summarised by severity and rule ID. No finding text, no file paths, no evidence strings.
- Extension version and IDE product code plus build (e.g., IC-242 for IntelliJ IDEA Community 2024.2).
What telemetry never includes
- File paths, file content, or any project-specific information.
- Finding messages, evidence snippets, remediation text, or regulation references.
- Your API key, org ID, or any account identifier.
API key storage
Your KoraSafe™ API key is stored in IntelliJ PasswordSafe, which uses your operating system's credential store (Keychain on macOS, Credential Manager on Windows, libsecret on Linux). It is never written to an IDE configuration file that could be committed to source control. Use the KoraSafe™: Set API key action to store it securely. Do not add it to a workspace settings file.
MCP server
The extension can start a local MCP server bound to 127.0.0.1 when korasafe.mcpEnabled is true. The server is reachable only from your machine; it does not accept connections from other hosts. Use the KoraSafe™: Copy MCP auth token action to retrieve a bearer token for MCP clients. The MCP server exposes the same scan and finding endpoints the IDE actions use; nothing leaves your machine through MCP unless cloud checks are also enabled.
Data retention
File content submitted for cloud checks is processed by the KoraSafe™ API and not stored beyond the analysis request unless your organization's data retention policy requires audit trail storage. Telemetry events are retained in aggregated form to support product improvement. You can delete your organization's data by contacting Contact-us@korasafe.ai.
Third parties
File content submitted for cloud checks is processed by the KoraSafe™ API only. We do not share your code, findings, or usage data with advertisers, data brokers, or third parties outside the KoraSafe™ service.
Your rights
You can disable cloud checks and telemetry at any time in IDE settings under Tools, KoraSafe™. Uninstalling the extension removes all locally stored data. For organization-level data rights, export, deletion, or correction, email Contact-us@korasafe.ai.
Changes to this policy
We may update this policy as the extension evolves. Material changes will be disclosed in the extension's change notes on the JetBrains Marketplace and on this page.
Contact
Questions about this policy or to exercise any data rights: Contact-us@korasafe.ai.