Privacy Policy

Effective May 17, 2026

Who we are

Gitsentry.dev is an AI-powered security scanner for GitHub repositories, built and operated as an open-source project. The scanning engine is MIT-licensed and publicly auditable at github.com/d-beloved/gitsentry. The hosted dashboard at gitsentry.dev is proprietary.

Questions or requests: hello@gitsentry.dev

What we collect

When you sign in with GitHub OAuth, we receive and store:

  • Your GitHub user ID, login (username), email address, and avatar URL
  • The name and visibility (public/private) of repositories you grant us access to
  • Code diffs (the changed lines only, not your full repository), fetched temporarily for each scan
  • Security findings: vulnerability category, severity, file path, affected line, a short code snippet, and our plain-English description and fix suggestion
  • Scan metadata: commit SHA, branch name, author login, files changed, lines added

We do not store full repository contents, clone your repos, or retain raw diffs beyond the lifetime of a scan job.

How we use your data

  • To run security scans and display findings in your dashboard
  • To post findings as review comments on your GitHub PRs and commits
  • To send Slack or email alerts you configure in Settings
  • To track usage against your plan limits (scan counts per month)
  • To improve our AI detection model (see Training data below)

We do not sell your data to third parties.

Training data

When you uninstall the GitHub App, we delete all of your identifiable operational data immediately: repository records, scan history, findings linked to your repos, and your installation record.

Before deletion, we archive a stripped, anonymized copy of your findings into a private training corpus used to improve our AI detection model. This copy contains only the structured signal — vulnerability category, severity, plain-English description, and fix suggestion. We explicitly exclude:

  • Your repository name, organisation, or any GitHub identity
  • File paths and commit SHAs
  • Code snippets from your codebase
  • Author names and scan metadata

The retained language hint (e.g. ts, py) is derived from the file extension only; no path information is kept. If you object to this anonymized retention, contact us and we will remove it.

Third-party services

We use the following sub-processors:

  • Supabase: PostgreSQL database hosting (EU/US region)
  • Vercel: dashboard hosting
  • Railway: backend webhook server hosting
  • Paddle: payment processing for Starter and Pro plans
  • Google (Gemini): AI analysis. Code diffs are sent to Gemini for security analysis. We do not use a data-sharing agreement for model training with Google at this time.

Data retention and deletion

To delete your account: uninstall the Gitsentry.dev GitHub App from your account or organisation settings. This triggers immediate deletion of your repos, scans, findings, and installation record from our database. The anonymized training corpus entries (see above) are retained.

If you want your anonymized training data removed too, email hello@gitsentry.dev and we will purge it within 30 days.

Your rights

Depending on your jurisdiction (including GDPR for EU residents), you may have the right to access, correct, export, or erase your personal data. Contact us at hello@gitsentry.dev to exercise any of these rights. We will respond within 30 days.

Security

The Gitsentry.dev scanning engine is open source; anyone can audit exactly what runs on your code. We use HMAC-signed webhooks, Supabase Row Level Security, and short-lived GitHub installation tokens. If you discover a security issue in the service, email security@gitsentry.dev.

Changes to this policy

We may update this policy as the product evolves. Material changes will be announced via the dashboard or email. Continued use after the effective date constitutes acceptance of the updated policy.