KoraSafe™ VS Code Extension privacy policy
Summary
- By default the extension runs entirely on your machine. No data leaves unless you opt in to cloud checks or telemetry.
- When cloud checks are enabled, file content from your open editor is sent to the KoraSafe™ API for governance analysis.
- When telemetry is enabled, anonymised usage events — no file content, no finding details — are sent to KoraSafe™.
- Both features are opt-in and disabled by default. You can disable either at any time in VS Code settings.
- The extension does not collect credentials, browsing history, or any data outside the files you have open in VS Code.
Local-only mode (default)
When korasafe.enableCloudChecks is false (the default), all governance analysis runs on your machine using bundled rules. No file content, finding detail, or usage data is transmitted to any server. The extension reads your workspace files to detect governance issues and displays results in the VS Code sidebar and problems panel. Nothing leaves your machine.
Cloud checks (opt-in)
When you enable korasafe.enableCloudChecks, the extension sends file content to the KoraSafe™ API after each save. Before cloud checks transmit any data for the first time, the extension shows a confirmation dialog that explains what is sent and links to this policy. You must click "Enable" before any transmission begins.
What is sent
| Data | Why it's sent |
|---|---|
| File content (text only) | Required for governance analysis. Files above the per-file size limit are skipped and logged to the output channel. |
| File path (relative to workspace root) | Used to identify the file in findings returned from the API. |
| Extension version | Included in the User-Agent header to help diagnose compatibility issues. |
| API key (bearer token) | Used to authenticate your request and associate findings with your KoraSafe™ org. Stored in VS Code SecretStorage (OS keychain), never in settings files. |
What is not sent
- Files that exceed the configured size limit (korasafe.cloudMaxFileSizeKb, default 512 KB).
- Files in languages not activated by the extension (JavaScript, TypeScript, Python, Go, JSX, TSX only).
- Workspace settings, environment variables, secrets, or .env files.
- Git history, commit messages, or any data outside the active editor.
- Any finding text or analysis results — those flow from the API back to you, not the other way.
Cloud checks in untrusted workspaces
Cloud checks are automatically disabled in VS Code untrusted workspaces, regardless of the enableCloudChecks setting. Local analysis continues to run in untrusted workspaces.
Telemetry (opt-in)
When korasafe.telemetryEnabled is true and VS Code's global telemetry setting allows it, the extension sends anonymised usage events to KoraSafe™. Telemetry is disabled by default and respects VS Code's telemetry level setting.
What telemetry includes
- Event type and timestamp (e.g., scan triggered, fix applied, workspace scan started).
- Finding counts summarised by severity and rule ID — no finding text, no file paths, no evidence strings.
- Extension version and VS Code version.
What telemetry never includes
- File paths, file content, or any workspace-specific information.
- Finding messages, evidence snippets, remediation text, or regulation references.
- Your API key, org ID, or any account identifier.
API key storage
Your KoraSafe™ API key is stored in VS Code SecretStorage, which uses your operating system's credential store (Keychain on macOS, Credential Manager on Windows, libsecret on Linux). It is never written to settings.json or any file that could be committed to source control. Use the KoraSafe™: Set API key command to store it securely. Do not add it to korasafe.apiKey in workspace or user settings.
Data retention
File content submitted for cloud checks is processed by the KoraSafe™ API and not stored beyond the analysis request unless your organization's data retention policy requires audit trail storage. Telemetry events are retained in aggregated form to support product improvement. You can delete your organization's data by contacting Contact-us@korasafe.ai.
Third parties
File content submitted for cloud checks is processed by the KoraSafe™ API only. We do not share your code, findings, or usage data with advertisers, data brokers, or third parties outside the KoraSafe™ service.
Your rights
You can disable cloud checks and telemetry at any time in VS Code settings. Uninstalling the extension removes all locally stored data. For organization-level data rights — export, deletion, or correction — email Contact-us@korasafe.ai.
Changes to this policy
We may update this policy as the extension evolves. Material changes will be disclosed in the extension's changelog and on this page.
Contact
Questions about this policy or to exercise any data rights: Contact-us@korasafe.ai.