Privacy Policy

Read how RepoKit collects, uses, and protects personal data.

Version: 2026-03-30.1
Effective date: Mar 30, 2026

This Privacy Policy explains how RepoKit collects, uses, shares, stores, and protects personal data and other data related to use of the platform.

1. Scope

This Policy applies to data processing carried out by RepoKit in the context of:

  • account creation and administration;
  • authentication and access management;
  • subscription and billing;
  • repository connection and analysis;
  • baseline generation, PR analysis, re-analysis, snapshots, exports, and shareable links;
  • support, security, fraud prevention, and product improvement.

2. Roles of the parties

  • When RepoKit processes data to operate accounts, billing, security, product telemetry, and the contractual relationship, it acts as controller of that data.
  • When RepoKit processes content, metadata, and artifacts submitted or connected by the customer in order to provide the contracted service, such processing may occur within the scope of the applicable contractual relationship between RepoKit and the customer, including through operators and technical subprocessors.
  • The customer is responsible for having the legal grounds, permissions, and authorizations necessary to connect repositories, enable content analysis, and share outputs generated by the product.

3. Data we may collect

We may collect and process, as applicable:

3.1 Account and identity data

  • name;
  • email address;
  • authentication identifiers;
  • organization, role, or administrative status;
  • language, interface, and notification preferences.

3.2 Product usage data

  • navigation and usage events;
  • clicks, viewed screens, settings, and preferences;
  • records of creation, update, and deletion of resources;
  • consumption of features, quotas, credits, and limits.

3.3 Repository and integration data

  • Git provider identifiers;
  • repository, branch, commit, pull request, and issue names and metadata when connected to the service;
  • PR descriptions, comments, status checks, diffs, pipeline metadata, and related artifacts;
  • integration settings, granted permissions, and technical connection history.

3.4 Processed content

  • code snippets, documentation, configuration files, commands, infrastructure metadata, and other artifacts necessary for requested analyses;
  • outputs generated by the product, including summaries, suggestions, translations, scores, documentation proposals, snapshots, and execution records.

3.5 Technical and security data

  • IP address;
  • access date and time;
  • session identifiers;
  • device, operating system, browser, and technical telemetry;
  • logs, audit trails, security alerts, and fraud or abuse prevention signals.

3.6 Billing data

  • subscribed plan;
  • subscription history;
  • payment status;
  • customer, subscription, invoice, and transaction identifiers generated by the payment processor;
  • country, currency, and tax-related information where applicable.

3.7 Support and communication data

  • support messages;
  • service requests;
  • survey responses;
  • administrative and contractual records.

4. Purposes of processing

We may process data to:

  • create and manage accounts and organizations;
  • authenticate users and control access;
  • process subscriptions, billing, renewals, upgrades, downgrades, and any applicable usage adjustments;
  • connect repositories and enabled integrations;
  • run repository baselines, PR analyses, re-analyses, translations, exports, snapshots, comments, and other contracted features;
  • operate sharing features, links, and authorized external surfaces;
  • prevent fraud, abuse, misuse, and security incidents;
  • maintain logs, auditability, traceability, and operational integrity;
  • improve product quality, performance, security, reliability, and user experience;
  • comply with legal, regulatory, contractual, and tax obligations;
  • exercise rights in administrative, arbitral, or judicial proceedings.

5. Use of AI and automated processing

  • RepoKit uses automated processing and AI providers to enable a substantial portion of its features, including repository analysis, pull request analysis, fact extraction, classification, summarization, risk scoring, test suggestions, documentation update proposals, translation, re-analysis, and related outputs.
  • To provide these features, RepoKit may process and send to authorized technical providers the snippets, metadata, context, and artifacts necessary to execute the requested analyses.
  • RepoKit may use different models, providers, versions, pipelines, and technical strategies over time.
  • Automated processing within the product does not eliminate the need for human review of outputs in critical workflows.

6. Legal bases

Where applicable under Brazilian data protection law, processing may rely on:

  • performance of a contract and preliminary procedures related to a contract;
  • legitimate interest, including for security, fraud prevention, product improvement, telemetry, auditing, and protection of the environment;
  • compliance with legal or regulatory obligations;
  • regular exercise of rights in judicial, administrative, or arbitral proceedings;
  • consent, where required by law, especially for certain non-essential technologies or optional purposes.

7. Data sharing

We may share data with:

  • payment processors;
  • infrastructure, hosting, storage, monitoring, and observability providers;
  • authentication and access control providers;
  • analytics providers;
  • AI and automation providers;
  • transactional communication and support channels;
  • public authorities, regulators, courts, or third parties where there is a legal obligation, valid order, or need to defend rights;
  • potential buyers, investors, or successors in corporate transactions, with appropriate safeguards.

8. International transfers

RepoKit may carry out international data transfers where necessary to operate the platform, integrate services, store data, execute analyses, process payments, authenticate users, monitor security, or use technical providers located outside Brazil. In such cases, reasonable contractual, technical, and organizational measures will be adopted to protect data and comply with applicable law.

9. Retention and disposal

Data may be retained:

  • while the account remains active or as long as necessary to provide the service;
  • for the period required to comply with legal, tax, regulatory, and contractual obligations;
  • for the period necessary for fraud prevention, security, auditability, traceability, and defense of rights;
  • until it is no longer necessary for the legitimate purposes described in this Policy.

After that, data may be deleted, anonymized, or de-identified, subject to legal retention requirements.

10. Security

RepoKit adopts reasonable measures to protect data and environments, including, where applicable:

  • access control;
  • logical segregation by account, organization, or repository;
  • credential protection;
  • logging and auditing;
  • abuse monitoring;
  • data minimization;
  • masking or sanitization in specific workflows.

However, no environment is completely immune to failures, outages, or unauthorized access.

11. Shareable links, exports, and external surfaces

If the customer uses sharing features, exports, external comments, shareable links, or output distribution surfaces, certain data, analyses, and artifacts may become accessible to third parties according to the scope of the action chosen by the customer. The customer is responsible for reviewing what is shared and with whom it is shared.

12. Data subject rights

Under applicable law, the data subject may request, where applicable:

  • confirmation of processing;
  • access to data;
  • correction of incomplete, inaccurate, or outdated data;
  • anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;
  • portability;
  • information about sharing;
  • information about consent and consequences of refusal;
  • withdrawal of consent where consent is the applicable legal basis;
  • review of decisions made solely on the basis of automated processing, where applicable.

13. Identity verification

To protect the data subject and third parties against unauthorized access, RepoKit may request additional information to confirm identity, legitimacy of the request, and relationship with the relevant account or organization before fulfilling certain requests.

14. Children and teenagers

RepoKit is intended for professional and business use. The service is not intentionally directed to children. If we identify improper processing in violation of applicable law, we may take steps to restrict, review, or delete such data.

15. Changes to this Policy

This Policy may be updated to reflect legal, regulatory, technical, operational, or product changes. The current version will be made available through RepoKit's official channels. In the event of a material change, we may adopt reasonable notice mechanisms.

16. Contact

Privacy requests, exercise of rights, or questions about this Policy: contato@repokit.io