Privacy policy

Effective date: 2026-04-20

What we collect

• Account data: email, name, plan, credits, GitHub login (if connected).
• Task data: repo URL, your prompt, the generated diff, step logs, token counts, cost.
• Encrypted secrets: BYOK API keys and GitHub access tokens, stored AES-256-GCM.
• Operational data: IP, user agent, request timestamps for rate-limiting and abuse prevention.

What we don't store

• Your full repository — only a throwaway clone during the task.
• Your BYOK or GitHub tokens in plaintext — only the encrypted payload.
• The plaintext content of prompts passed to model providers beyond what's needed for your step logs.

How we use data

• Run the tasks you request.
• Show you logs, diffs, and PR links.
• Bill you and apply plan limits.
• Detect abuse and protect the Service.

Sub-processors

We use: model providers you select (OpenAI, Together, Fireworks), Stripe (billing), email delivery provider, and infrastructure hosting. Sub-processors only receive the minimum data required.

Retention

Repo clones are deleted immediately after each task. Logs and diffs are kept for 90 days unless you delete them. Account data is kept while your account is active; after deletion we retain only what is required by law (e.g. invoicing).

Your rights

You can export or delete your account data at any time from the dashboard. EU/UK users have GDPR rights (access, erasure, portability, objection).

Security

TLS in transit, AES-256-GCM at rest for secrets, isolated Docker sandboxes, least-privilege service tokens, regular dependency patching.

Contact

For privacy questions or data requests: privacy@shiprepo.com.