Last updated: July 2026
We're a small team, so we won't claim certifications we don't have. Here's a straightforward account of what we actually do.
Official iCoderAgent releases are code-signed with an Apple Developer ID certificate and submitted to Apple's notarization service before being published for download — the same trust chain macOS's Gatekeeper expects from any legitimate direct-download app, even outside the Mac App Store.
The website and license-verification service are only served over HTTPS/TLS (via Amazon CloudFront and API Gateway). There's no unencrypted path to either.
We never see or store your card details. Payments are handled entirely by Paddle.com, our merchant of record, which is itself PCI-DSS compliant.
License and billing data live in a database with access scoped to only the specific operations our backend needs — nothing broader. Webhook events from our payment processor are cryptographically signature-verified before we act on them, so a request can't forge a license without a valid signature from Paddle.
As covered in more detail on our Data Use page: your source code, prompts, and AI provider API keys are never transmitted to or stored on our servers. That's not a policy promise requiring you to trust us — it's a consequence of how the app is built (requests go directly from your Mac to your chosen AI provider).
We don't yet have a self-serve "delete my account" button — email support@icoderagent.com and we'll delete your license/billing records on request, subject to what we're legally required to retain (e.g. tax records).
Found a security issue in the app, the website, or our backend? Email support@icoderagent.com with details — we'll acknowledge reports promptly and let you know once it's addressed. Please don't publicly disclose an issue before we've had a reasonable chance to fix it.