Privacy Policy
How RepoSignal collects, uses, stores, and protects your information — and the choices and rights you have over it.
Effective date: June 7, 2026 · Last updated: June 7, 2026
Overview
RepoSignal is a code-governance and pull-request risk-analysis service operated by RepoSignal.io LLC ("RepoSignal," "we," "us," or "our"), based in Apple Valley, California, United States. This policy explains what information we handle when you use the RepoSignal website, application, API, and GitHub Action (together, the "Service").
This policy is written to be read, not to hide things in legalese. If anything here is unclear, contact us at privacy@reposignal.io and we will explain it plainly. For a technical description of how we secure your data, see our Trust & Security page.
Information we collect
We collect only what the Service needs to function. We group it into the categories below.
Information you provide
- Account information — your email address and a securely hashed password. We never store your password in readable form.
- Connection credentials — a GitHub access token (so we can analyze the repositories you connect) and, optionally, your own AI provider API key if you enable AI features. Both are encrypted at rest and are never logged or displayed back to you in full.
- Billing information — when you subscribe to a paid plan, payment is processed by Stripe. We store a Stripe customer and subscription identifier and your plan status. We do not store your full card number; Stripe handles that.
- Support and communications — anything you send us by email or through the app.
Information we receive from your repositories
- Repository metadata and history — commit history (author, timestamp, message, files changed) and pull-request metadata, used to build calibration models and score risk. We clone a connected repository at calibration time; we do not continuously mirror your code.
- Analysis output — risk scores, findings, calibration model artifacts (statistical models, not your raw source), and governance records derived from your repositories.
Information we collect automatically
- Usage and audit data — actions taken in the Service (logins, scans, policy changes, access events), recorded to an audit log.
- Technical data — IP address, browser/user-agent, and similar request metadata, used for security, abuse prevention, and debugging.
- Session cookies — see the Cookies section.
How we use your information
- To provide, operate, and maintain the Service — analyzing repositories, scoring pull requests, and producing governance records.
- To authenticate you, secure your account, and prevent fraud and abuse.
- To process payments and manage subscriptions.
- To respond to your support requests and send service-related messages (for example, security or billing notices).
- To improve the Service — measuring reliability and accuracy. We do not use your repository content to train or fine-tune AI models.
- To comply with legal obligations (such as tax and accounting requirements for billing).
Legal bases for processing (EEA/UK users)
If you are in the European Economic Area or the United Kingdom, we process your personal data under one or more of these legal bases:
- Performance of a contract — to deliver the Service you signed up for.
- Legitimate interests — to secure the Service, prevent abuse, and improve reliability, balanced against your rights.
- Legal obligation — to meet accounting, tax, and other legal requirements.
- Consent — where we ask for it, such as for optional communications. You can withdraw consent at any time.
Who we share your information with
We do not sell your personal information. We do not share it for cross-context behavioral advertising. We share data only with service providers who help us run the Service, and only as needed:
- GitHub — to access the repositories you connect.
- Stripe — to process payments and manage subscriptions.
- Our hosting and infrastructure provider — to operate the application and store data.
- Our transactional email provider — to send account, security, and billing emails.
- Your chosen AI provider (only if you enable AI features) — requests made with your own API key are governed by that provider's terms, not ours.
We may also disclose information if required by law, to enforce our agreements, or to protect the rights, safety, and security of our users or the public. If RepoSignal is involved in a merger, acquisition, or sale of assets, we will notify you before your information is transferred and becomes subject to a different privacy policy.
How long we keep your data
| Category | Retention |
|---|---|
| Account data | Kept while your account is active; deleted within 30 days of account closure on request. |
| Audit log | 365 days (configurable for enterprise accounts). The log is append-only by design and cannot be edited by users. |
| Pull-request analyses | 90 days. |
| Calibration artifacts | Retained while the repository is connected. |
| Raw source code | Not retained beyond the calibration window. |
| Billing records | Retained as required for tax and accounting obligations. |
How we protect your data
Credentials — GitHub tokens, AI provider keys, and similar secrets — are encrypted at rest using Fernet (AES-128-CBC with HMAC-SHA256 authentication), with the encryption key stored separately from the database. Sessions use cryptographically signed cookies and expire after a period of inactivity. Access to your account by our support staff is performed through an audited system and recorded to your audit log. For full detail, see our Trust & Security page.
No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
Your privacy rights
If you are in the EEA or UK (GDPR)
You have the right to access, correct, delete, restrict, or object to processing of your personal data, and the right to data portability. You also have the right to lodge a complaint with your local data protection authority.
If you are a California resident (CCPA/CPRA)
- Right to know what personal information we collect, use, and disclose.
- Right to delete the personal information we hold about you, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share your personal information, so there is nothing to opt out of, but you may confirm this with us at any time.
- Right to non-discrimination — we will not deny you service or charge you differently for exercising your rights.
You may use an authorized agent to make a request on your behalf; we may ask for proof of authorization.
How to exercise your rights
Email privacy@reposignal.io with your request. We will verify your identity (typically by confirming control of your account email) and respond within 30 days for GDPR requests and within 45 days for CCPA requests, extending only where the law allows and telling you if we need more time.
We are also building self-service export and account-deletion controls directly into your account settings. When those are available, this section will be updated to describe them.
Cookies
RepoSignal uses a small number of cookies that are strictly necessary to operate the Service — chiefly a signed session cookie that keeps you logged in and a token used to protect against cross-site request forgery. We do not use third-party advertising or cross-site tracking cookies. Because our cookies are strictly necessary, the Service depends on them and they cannot be disabled without breaking sign-in.
International data transfers
RepoSignal is operated from the United States, and your information is processed and stored there. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers of personal data from the EEA or UK.
Children's privacy
The Service is intended for professional and business use and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
Changes to this policy
We may update this policy as the Service evolves or as the law changes. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of the Service after a change takes effect means you accept the updated policy.