Privacy Policy

Effective date: March 12, 2026

1. Introduction

RepoWarden ("we", "us", or "our") operates the website at repowarden.dev and the associated RepoWarden GitHub App (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we process and store it, and your rights regarding that data.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR), the data controller is RepoWarden. You can reach us at privacy@repowarden.dev.

3. Data We Collect

3.1 Account Data (collected via GitHub OAuth)

  • GitHub username (login)
  • Display name
  • Email address
  • GitHub profile avatar URL
  • GitHub OAuth access token (used to interact with the GitHub API on your behalf)

3.2 Repository Data

  • Repository metadata (name, owner, default branch, language)
  • Repository source code — read temporarily by the RepoWarden GitHub App to analyze dependencies, generate tests, and create pull requests. Source code is processed in memory and is not persisted in our database.
  • CI/CD log excerpts (fetched on demand to diagnose failures)

3.3 Service Usage Data

  • Scan logs (timestamps, results, and metadata for automated repository scans)
  • Chat messages you send through the in-app chat feature
  • Team membership and organization information
  • Usage records (number of scans, PRs created, repos monitored)
  • Analytics events (page views, feature usage, funnels)

3.4 Billing Data

Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers, bank account details, or other payment instrument information on our servers.

3.5 Automatically Collected Data

  • IP address, browser type, operating system, and referring URL (collected by Cloudflare and PostHog)
  • Error reports including stack traces and request metadata (collected by Sentry)

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Service you signed up for (account management, repository scanning, PR generation).
  • Legitimate interest — product analytics, error monitoring, and service improvement, where our interest does not override your rights.
  • Consent — where applicable, such as marketing communications (you can withdraw consent at any time).
  • Legal obligation — where processing is required to comply with applicable law.

5. How We Use Your Data

  • Authenticate you and manage your account
  • Read your repository code (via the GitHub App) to analyze dependencies, generate test suggestions, fix CI failures, and create pull requests
  • Send repository code snippets to the Anthropic Claude API to generate PR descriptions, chat responses, and code suggestions. Data sent to Anthropic is governed by Anthropic's privacy policy. Anthropic does not use API inputs to train models.
  • Process payments and manage subscriptions via Stripe
  • Track product usage and analytics to improve the Service (PostHog)
  • Monitor errors and performance to maintain service reliability (Sentry)
  • Communicate with you about your account or the Service
  • Enforce our Terms of Service and prevent abuse

6. Third-Party Services

We share data with the following third-party service providers, each acting as a data processor on our behalf:

GitHub

Authentication (OAuth) and repository access. We use your GitHub access token to read repositories and create pull requests on your behalf.

GitHub Privacy Statement

Anthropic (Claude API)

Code analysis and content generation. Repository code snippets and chat messages are sent to the Anthropic API to generate PR content and responses. Anthropic does not use API inputs to train its models.

Anthropic Privacy Policy

Stripe

Payment processing and subscription management. Stripe collects and processes payment information directly. We only store your Stripe customer ID and subscription status.

Stripe Privacy Policy

PostHog

Product analytics including page views, feature usage, and user funnels. PostHog may collect IP addresses, browser information, and device identifiers.

PostHog Privacy Policy

Sentry

Error monitoring and performance tracking. Sentry collects error reports, stack traces, request metadata, and browser information to help us diagnose and fix issues.

Sentry Privacy Policy

Cloudflare

Hosting, CDN, and backend infrastructure. Our application, database, and frontend run on Cloudflare's serverless edge platform. Cloudflare may process IP addresses and request metadata for security and performance purposes.

Cloudflare Privacy Policy

We do not sell your personal data to any third party.

7. Data Storage and Security

Your data is stored in Cloudflare's managed database service, hosted on Cloudflare's global network. GitHub OAuth access tokens are encrypted at rest with AES-256-GCM. All data in transit is encrypted via TLS 1.2+ (TLS 1.3 preferred).

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS for all connections)
  • Encryption at rest for sensitive credentials
  • Minimal data access — repository source code is processed in memory and not persisted
  • Access controls limiting which team members can manage repositories and billing
  • Regular security reviews of our infrastructure and dependencies

8. Data Retention

  • Account data — retained for as long as your account is active. Deleted upon account deletion request.
  • Repository source code — processed in memory during scans and not persisted. Code snippets sent to the Anthropic API are subject to Anthropic's data retention policy.
  • Scan logs and chat messages — retained for as long as your account is active to provide service history.
  • Usage and analytics data — retained for up to 24 months for product improvement purposes.
  • Billing records — retained as required by applicable tax and accounting regulations.

9. International Data Transfers

Our infrastructure is hosted on Cloudflare's global network, which may process data in multiple jurisdictions. Third-party processors (Anthropic, Stripe, PostHog, Sentry) may transfer data outside the European Economic Area (EEA). Where such transfers occur, they are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) or the processor's participation in recognized data transfer frameworks.

10. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR:

  • Right of access — You can request a copy of the personal data we hold about you.
  • Right to rectification — You can request that we correct inaccurate or incomplete personal data.
  • Right to erasure — You can request that we delete your personal data. This includes deleting your account and all associated data.
  • Right to data portability — You can request a machine-readable copy of the data you provided to us.
  • Right to restrict processing — You can request that we limit how we use your data.
  • Right to object — You can object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@repowarden.dev. We will respond within 30 days. You may also revoke the RepoWarden GitHub App's access at any time through your GitHub settings.

You also have the right to lodge a complaint with your local data protection supervisory authority.

11. Cookies and Tracking

We use the following cookies and tracking technologies:

  • Session cookies — Essential cookies for authentication. These are strictly necessary for the Service to function and cannot be disabled.
  • PostHog analytics — Product analytics cookies to understand how the Service is used. PostHog may set cookies or use local storage for user identification.
  • Ahrefs analytics — Web analytics script for understanding traffic sources.

You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

12. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. If changes are significant, we may also notify you via email or an in-app notice. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

privacy@repowarden.dev