Privacy Policy

1. Introduction

SafeCommit helps engineering teams identify potential privacy and AI data-leakage risks in GitHub pull requests before code is merged. This Privacy Policy explains what information we process, why we process it, and how we protect it.

2. Information we process

SafeCommit is designed to process only the information needed to analyze pull requests and provide findings. Depending on how SafeCommit is installed or used, this may include:

• pull request diffs, changed file paths, commit metadata, branch names, and related GitHub event metadata;
• repository name, organization name, installation identifiers, and PR status information needed to run checks;
• code snippets or patch content required to detect risky data flows, logging patterns, AI provider calls, or third-party API usage;
• analysis results such as findings, severity, recommendations, status checks, and audit notes;
• basic technical logs needed to operate, secure, and debug the service.

SafeCommit does not currently provide user accounts, login-based registration, or a customer dashboard requiring personal profile data. We do not ask users to create an account with SafeCommit.

3. Information we do not intentionally collect

SafeCommit does not intentionally collect personal information beyond what is necessary to analyze GitHub pull requests and operate the service. In particular, SafeCommit does not currently collect email addresses, login credentials, or API endpoint addresses as standalone customer profile fields. If such information appears inside a PR diff, code snippet, log sample, prompt, or repository metadata, it may be processed only because it is part of the submitted GitHub content being analyzed.

4. How we use information

• to analyze pull request changes for privacy, GDPR, AI governance, and data-handling risks;
• to generate PR comments, status checks, findings, warnings, and suggested fixes;
• to operate, secure, troubleshoot, and improve SafeCommit;
• to maintain a limited audit trail of findings and decisions when enabled;
• to comply with legal obligations and protect the service from abuse.

5. AI model usage

SafeCommit may use automated rules and, where necessary, AI model providers to analyze suspicious code snippets or explain findings. We do not intentionally use Customer Content to train SafeCommit foundation models. Where third-party AI providers are used, SafeCommit aims to send only the minimum relevant snippet or context needed for analysis.

6. Customer content and code handling

SafeCommit is designed to minimize source-code processing. For PR analysis, SafeCommit should process the diff, patch, or selected snippets required to produce findings rather than a full repository by default. Customers should avoid submitting unnecessary secrets, credentials, or sensitive data that is not needed for analysis.

7. Retention

We retain processed information only as long as reasonably necessary to provide the service, maintain security, debug issues, support customers, preserve requested audit evidence, comply with legal obligations, and resolve disputes. Customer Content may be retained for a limited period unless a different retention period is agreed with the customer.

8. Data location and transfers

SafeCommit may store and process data in the European Union, the United States, or other jurisdictions depending on the infrastructure and subprocessors used to provide the service. Where required, SafeCommit uses appropriate transfer mechanisms such as Standard Contractual Clauses.

9. Subprocessors

SafeCommit may use subprocessors for hosting, storage, GitHub integration, security monitoring, and AI-assisted analysis. A current subprocessor list may be provided upon request or published on the website.

10. Security

We use reasonable technical and organizational safeguards, including access controls, limited access to Customer Content, encryption where appropriate, secure development practices, and monitoring. No method of transmission or storage is completely secure.

11. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing of personal data. Requests can be sent through the private PR audit form or by contacting SafeCommit directly.

12. Business customers

When SafeCommit processes personal data contained in Customer Content on behalf of a business customer, SafeCommit acts as processor and the customer acts as controller. The Data Processing Agreement governs that processing.