Privacy Policy

Last updated: 2026-05-30

This policy explains what personal data RepoJury collects when you use it, why we collect it, who we share it with, and the rights you have over it. We’ve written it to match what the service actually does — no vague boilerplate.

Pre-launch notice. RepoJury is an early proof of concept, not yet a registered business. This page describes honestly how the service handles data today — but there’s no named operator, registered address, or chosen jurisdiction yet, and it hasn’t been reviewed by a lawyer. Once RepoJury launches commercially, a registered entity and a proper policy will replace this. Questions: [email protected].

1. Who we are

RepoJury (“we”, “us”) is an early proof of concept, not yet run by a registered company. For the personal data described below, the operator of RepoJury acts as the data controller under the EU General Data Protection Regulation (GDPR). We’ll name that operator, and where it’s registered, once RepoJury launches commercially. Until then, reach us at [email protected].

2. What we collect

We collect only what we need to run the service. Concretely:

Account data

  • Your name and email address — provided when you sign up, or supplied by GitHub if you sign in with GitHub.
  • Profile image URL — if you sign in with GitHub, the avatar URL from your GitHub profile.
  • Password — if you sign up with email, stored only as a salted hash. We never see or store your plaintext password.
  • Email-verification and password-reset tokens — short-lived, single-use.

Session and security data

  • IP address and browser user-agent — recorded with each login session, and used transiently to enforce per-IP rate limits that protect the service from abuse.
  • Session cookies — see our Cookie Policy.

GitHub authorization

  • A GitHub access token — if you connect GitHub, we store the OAuth token so we can fetch the repositories you ask us to analyze on your behalf. You can revoke it any time from your GitHub settings.

Analysis data

  • Repository analysis results — the snapshots you create (metadata, file structure, git history summaries, dependency data). These describe code, not you, but a private repo’s contents may be personal or confidential, so we treat them with the same care.

We do not collect special-category data (health, political opinions, etc.), and we don’t use advertising networks, fingerprinting, or session-replay tools.

3. Why we use it, and our legal basis

  • To provide the service (accounts, analysis, saved sessions) — legal basis: performance of a contract.
  • To send transactional email (verification, password reset, billing notices) — legal basis: contract.
  • To keep the service secure and available (rate limiting, abuse prevention via IP) — legal basis: legitimate interests.
  • To take payment for paid plans — legal basis: contract and legal obligation (tax/accounting).

We don’t sell your personal data, and we don’t use it for automated decision-making that produces legal effects about you.

4. Who we share it with

We share data only with the service providers we need to operate. Each processes data on our behalf under their own terms:

Provider  | What it processes                                              | Why
GitHub    | OAuth identity, repositories you analyze                       | Sign-in + repo access
Anthropic | Repository snapshot (package names, paths, contributor logins) | AI briefing + verdict narrative
Polar     | Email, billing details                                         | Subscriptions + payment
Resend    | Email address, message content                                 | Transactional email delivery
Railway   | All of the above (hosting)                                     | Runs the app + database

Card details for paid plans are handled by Polar and its payment processors — we never see or store full card numbers.

5. International transfers

Some of our providers (including Anthropic, Polar, Resend, and potentially Railway) are based in the United States. Where personal data is transferred outside the EU/EEA, it is protected by appropriate safeguards such as the EU Standard Contractual Clauses or the EU–U.S. Data Privacy Framework, as offered by each provider.

6. How long we keep it

  • Account data — for as long as your account exists. Delete your account and we delete it.
  • Sessions / analysis — until you delete them, or until your account is removed.
  • Security logs (IP, user-agent) — retained only as long as needed for the session and for abuse prevention, then expired.
  • Billing records — retained as required by applicable tax and accounting law.

7. Your rights

Under GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data deleted (“right to be forgotten”);
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent at any time, where we rely on consent;
  • lodge a complaint with your local data protection authority — in the EU/EEA, every country has one.

To exercise any of these, email [email protected]. We’ll respond within the timeframe the law requires.

8. Security

Passwords are hashed, transport is encrypted (HTTPS), GitHub tokens are stored server-side and never exposed to the browser, and access to production data is limited. No system is perfectly secure, but we take reasonable measures appropriate to the data we hold. If a breach affects your data, we’ll notify you and the relevant authority as required by law.

9. Children

RepoJury is not directed at children under 16, and we don’t knowingly collect their data. If you believe a child has given us personal data, contact us and we’ll delete it.

10. Changes to this policy

If we change how we handle personal data, we’ll update this page and the “last updated” date above. For material changes affecting your rights, we’ll give notice by email or in-app before they take effect.

11. Contact

Questions about this policy or your data? Email [email protected] and we’ll get back to you.

RepoJury · pre-launch proof of concept