Privacy Policy
Last updated: 2026/03/15
1. Controller and Contact
The controller of personal data processed in connection with the Mr. RIGANTI service is:
RIGANTI s.r.o.
Sokolovská 352/215, 190 00 Praha 9, Czech Republic
Reg. No.: 29264600
EU VAT ID: CZ29264600
E‑mail: info@mr-riganti.com
Website: https://www.riganti.cz/en
If we appoint a Data Protection Officer (DPO), we will publish their contact details here and in our internal records.
2. Scope of this Policy
This Privacy Policy explains how we process personal data when you use the Mr. RIGANTI AI coding agent integrated into Azure DevOps (the "Service"), when you contact us, or when we receive your data in the context of providing the Service to our customers.
This Policy applies in particular to:
- Administrators and users of Azure DevOps organizations that integrate the Service.
- Individuals whose data may be included in work items, pull requests, comments, attachments or other content processed by the Service.
Where we process personal data on behalf of our customers as a processor under GDPR, the applicable data processing terms form part of our commercial agreement or Data Processing Agreement (DPA) with the customer.
3. Categories of Data We Process
3.1 Data related to Azure DevOps integration
We process the following data about onboarded Azure DevOps team projects:
- Project identifiers, names, icons.
- Lists of Git repositories and work item areas.
- Technical metadata necessary for operation of the Service (e.g. IDs of build pipelines used by the AI agent, webhook IDs).
We also process profile information for the AI agent user account:
- Azure DevOps user ID, name, e‑mail address, avatar/icon.
- Personal access tokens (PATs) or similar credentials that the customer configures for use with the Service.
3.2 Logs and operational data
We store and maintain records of AI agent activity that may contain:
- Work items - IDs, types, titles, descriptions and other description-like fields, states, comments, and assigned users (IDs, names, and e‑mail addresses).
- Pull requests - IDs, titles, descriptions, states, comments, authors and reviewers (IDs, names and e‑mail addresses).
- The Service only stores work items and pull requests in which the AI agent participated. The Service does not gather any data unrelated to the AI agent activity.
We also process limited telemetry from Azure Pipelines runs of the AI agent, including:
- Pipeline identifiers, start and end timestamps, runtime, consumed token counts, error or failure codes.
- No full pipeline logs are stored by the Service; only the aforementioned telemetry is retained for up to 30 days for diagnostics and service quality purposes.
3.3 Data provided through the Service UI
Where users interact with the Service UI, we process:
- Ad‑hoc task definitions, prompts and instructions.
- File attachments and any related metadata submitted by the user.
These inputs may contain personal data or confidential information, depending on how the customer uses the Service. We treat all such data as potentially personal data and apply the safeguards described in this Policy.
3.4 Source code and repositories
The AI agent accesses source code and other resources available to the relevant Azure Pipeline build agent during its runtime. The Service does not store or keep any fragments of source code obtained from Git repositories, other than:
- Fragments that may appear in logs, prompts or attachments explicitly submitted or logged as described above.
- Derived information strictly necessary for operation or troubleshooting, retained only for the periods described in this Policy.
3.5 Usage data, cookies, and website analytics
If you access our website or management portal for the Service, we may process standard usage data such as IP address, browser type, device identifiers, access times, and pages visited. Where cookies or similar technologies are used, we will provide a separate cookie notice or banner, describing categories, purposes and consent options as required by law.
4. Purposes and Legal Bases of Processing
We process personal data only where we have a valid legal basis under the GDPR.
4.1 Provision of the Service
We process personal data in order to:
- Authenticate and operate the AI agent within Azure DevOps and Azure Pipelines.
- Allow the AI agent to analyze work items, pull requests and related content, and generate or modify code, comments or documentation as requested.
- Maintain project and configuration metadata necessary to provide the Service.
Legal basis:
- Performance of a contract with our customer (Article 6(1)(b) GDPR).
- Our legitimate interest in providing and operating the Service to our business customers (Article 6(1)(f) GDPR), where the data subject is not directly a party to the service contract.
4.2 Security, logging and diagnostics
We process logs and telemetry to:
- Ensure security and integrity of the Service.
- Detect and remediate errors, misuse and service failures.
- Produce internal statistics on performance and capacity planning.
Legal basis:
Our legitimate interest in maintaining secure and reliable services (Article 6(1)(f) GDPR).
Telemetry data related to pipeline runtime, token usage and AI agent failures is retained for up to 30 days, then deleted or irreversibly anonymized.
4.3 Customer support and communication
We process contact details and support communications to:
- Respond to technical or commercial support requests.
- Notify customers of changes to the Service, security incidents, or material updates to this Policy or the Terms.
Legal basis:
- Performance of contract (Article 6(1)(b) GDPR).
- Our legitimate interest in maintaining customer relationships (Article 6(1)(f) GDPR).
4.4 Compliance with legal obligations
We may process personal data to comply with legal obligations, such as accounting, tax and regulatory requirements, as well as to respond to legitimate requests from public authorities or courts.
Legal basis:
Compliance with a legal obligation (Article 6(1)(c) GDPR).
We do not use personal data or source code stored or processed through the Service to train, improve or fine‑tune any large language models or for unrelated analytics, marketing, or resale.
5. Role Allocation under GDPR
In general, our customer (the Azure DevOps organization owner or equivalent) is the controller of personal data contained in projects, work items, pull requests, source code and other content processed via the Service. RIGANTI acts as a processor in relation to such data, processing on documented instructions from the customer as set out in the subscription agreement and any applicable Data Processing Agreement (DPA).
For account management, billing via Microsoft Marketplace, and our own website analytics, we may act as an independent controller.
6. Data Sources
We obtain personal data primarily from:
- Customers and users who configure and use the Service.
- Azure DevOps and Azure Pipelines, based on the permissions granted by the customer's organization and the AI agent user account.
- Microsoft Marketplace, which provides us with customer contact and transaction information related to your subscription.
We may also receive personal data from our processors (e.g. Microsoft, hosting providers) where this is necessary for service delivery or support.
7. Use of AI Models and Third‑Party Services
All AI operations in the Service are performed using the OpenCode open‑source project and Claude Sonnet 4.5 large language models hosted in Microsoft Foundry. Use of these models is additionally subject to:
- Microsoft Foundry terms and privacy documentation.
- Any applicable Anthropic terms, as set out in the Microsoft Foundry offering.
Where we send data to Microsoft Foundry for processing by Claude models, Microsoft and Anthropic process that data under their own terms and data protection arrangements. We configure these services so that data sent for inference is not used by Microsoft or Anthropic to train or improve their base models, to the extent this configuration is supported by their documentation at the time.
We do not allow the AI agent to access data beyond what is available to the build agent and Azure DevOps permissions configured by the customer, and the customer is responsible for ensuring those permissions are appropriate.
8. Data Sharing and International Transfers
We may share personal data with:
- Microsoft (including Azure, Azure DevOps, Microsoft Foundry and related services) as necessary for authentication, hosting, execution of pipelines, AI model inference and billing, under Microsoft's terms and DPAs.
- Other service providers acting as processors (e.g. hosting, logging, support tools), bound by data processing agreements and confidentiality obligations.
- Professional advisers (lawyers, auditors) where needed to protect our rights or comply with legal obligations.
The Service is hosted in Microsoft Azure with data residency in Sweden, within the European Union. Where transfers of personal data outside the European Economic Area are unavoidable (for example, because a sub‑processor is located in a third country), such transfers are based on appropriate safeguards such as EU Standard Contractual Clauses or an adequacy decision, as required by GDPR.
9. Retention Periods
We retain personal data only for as long as necessary for the purposes described in this Policy or as required by applicable law. In particular:
- Telemetry data about pipeline runtime, token usage and AI agent failures is retained for up to 30 days and then deleted or irreversibly anonymized.
- Configuration and project metadata are retained for the duration of the subscription and deleted within 30 days after subscription termination, unless we are legally required to retain certain records for a longer period (e.g. invoicing data).
- Logs of AI agent activity are retained for the duration needed to ensure security, traceability and support, and are normally deleted within 30 days after subscription termination, subject to any legal retention obligations.
When a subscription is cancelled, all data stored in the Service are permanently deleted from our systems within 30 days, except where longer retention is required by law or necessary to establish, exercise or defend legal claims.
10. Security Measures
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These measures include, in particular:
- Hosting in Microsoft Azure with industry‑standard security controls and certifications.
- Access control based on least privilege, authentication and authorization mechanisms for our staff.
- Encryption in transit and at rest where appropriate.
- Logging and monitoring of access to production systems.
- Regular updates and patching of our infrastructure and dependencies.
We encourage customers to implement appropriate security controls in their own Azure DevOps organizations and infrastructure.
11. Your Rights as a Data Subject
Where we act as controller, you have the following rights under GDPR, subject to conditions and limitations:
- Right of access: to obtain confirmation of whether we process your personal data and to receive a copy.
- Right to rectification: to correct inaccurate or incomplete data.
- Right to erasure: to request deletion of your personal data in specified circumstances.
- Right to restriction: to request restriction of processing in certain situations.
- Right to data portability: to receive your data in a structured, commonly used and machine‑readable format where processing is based on consent or contract and carried out by automated means.
- Right to object: to object to processing based on our legitimate interests, including profiling.
- Right to withdraw consent at any time where processing is based on consent, without affecting prior processing.
If you believe we are processing your personal data unlawfully, you also have the right to lodge a complaint with your local supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority is likely to be the Office for Personal Data Protection (Úřad pro ochranu osobních údajů) in the Czech Republic.
Where we process data strictly as a processor on behalf of a customer, you should address your requests primarily to that customer (the controller). We will assist the controller in fulfilling valid requests as required by GDPR and our DPA.
12. Customer Responsibilities
Our customers are responsible for:
- Ensuring they have a valid legal basis to process any personal data within their Azure DevOps projects and to use the Service for those purposes.
- Providing their users and data subjects with appropriate privacy notices describing the use of the Service.
- Configuring permissions and access in Azure DevOps and Azure Pipelines in a manner consistent with data protection and security requirements.
- Ensuring that any personal data transferred to us is lawful, accurate and up‑to‑date.
By using the Service, the customer represents and warrants that they use it only in ways compliant with applicable law and that they will not use it for malicious, unlawful or discriminatory purposes. Any malicious use or attempt to compromise the Service or underlying infrastructure may result in immediate termination of the subscription and deletion of all data, without prejudice to our rights to seek damages where permitted by law.
13. Children's Data
The Service is designed for use by business customers and is not intended for children under 16 years of age. We do not knowingly collect personal data from children in this context. If we become aware that we have inadvertently received such data, we will take steps to delete it without undue delay.
14. Automated Decision‑Making and Profiling
The Service uses AI models to generate recommendations, code changes and other outputs based on the inputs and context provided by the customer. These outputs may influence how work items, pull requests and code are handled, but final decisions (including whether to apply or deploy code changes) remain under the control of the customer and their users.
We do not perform automated decision‑making that produces legal or similarly significant effects on individuals in the sense of Article 22 GDPR without human review by the customer. The customer is responsible for assessing and documenting any such potential effects in their own environment, especially in light of the forthcoming EU AI Act obligations.
15. Marketing Communications
We do not use data processed via the Service (such as content from work items, source code or logs) for marketing. We may use customer contact information obtained via Microsoft Marketplace or direct registration to send service‑related communications and, where permitted by applicable law, to provide information about related services.
You can opt out of marketing communications at any time by using the unsubscribe link provided in the message or contacting us directly, while still receiving essential service and security notices.
16. Data Breach Notification
If we become aware of a personal data breach affecting data we process as controller, we will assess the risk to individuals and, where required by law, notify the competent supervisory authority and affected data subjects without undue delay. Where we act as processor, we will notify the relevant customer (controller) in accordance with our DPA so that they can fulfil their own notification obligations.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes to the Service, applicable law, or guidance from supervisory authorities. We will publish the updated version with a new "Last updated" date and, where changes are material, notify customers through appropriate channels (e.g. e‑mail, in‑product notifications, or the Azure DevOps organization privacy policy link).
Continued use of the Service after the effective date of the updated Policy constitutes acceptance of the changes, to the extent permitted by applicable law.
18. Contact
For any questions or requests regarding this Privacy Policy or our data processing activities, please contact us at:
RIGANTI s.r.o.
Sokolovská 352/215, 190 00 Praha 9, Czech Republic
E‑mail: info@mr-riganti.com