Privacy
RepoPilot is a hobby project that analyzes public GitHub repositories. This page explains what we collect, how we use it, and what control you have. Plain language; no dark patterns.
What we collect
- The repository URLs you submit and the analysis output we generate from them.
- Your IP address, used for rate limiting and to count free analyses against an anonymous quota. Stored masked (last octet hidden) anywhere it appears in the admin dashboard.
- Your GitHub username and avatar, only if you choose to sign in with GitHub. We never read your private repos and we never write anything to your account. The OAuth scope requested is read-only profile data.
- Aggregated, cookieless web analytics (page views, referrer, country) via Vercel Web Analytics. No fingerprinting, no third-party trackers, no consent banner needed.
What we don't collect
- Cookies, beyond the auth-session cookie when you sign in.
- Browser fingerprints, device IDs, or behavioral profiles across sites.
- Your private repository contents.
- Your email address (we don't ask for it).
Who sees your data
- Your analysis prompts and the public file lists we send are processed by our LLM provider (currently Anthropic) to generate the result. Their privacy terms apply to that processing.
- Hosting infrastructure (Vercel) sees request metadata necessary to serve the site. Cache and rate-limit data is stored with a Redis provider (Upstash).
- We don't sell or share your data with anyone else.
How long we keep it
- Analysis results are cached for up to 24 hours and may be reused to serve other people who request the same public repo (the result is the same regardless of who asked).
- Recent activity logs (which repos were analyzed and when) are kept on a rolling basis for site operations and abuse monitoring.
- Aggregated counters (daily counts, distinct visitor sets) are retained for roughly a month and then expire.
Your choices
- You can use the site without signing in. A signed-in account just raises the free analysis quota.
- You can revoke RepoPilot's GitHub access any time from github.com/settings/applications.
- To request deletion of any data tied to your GitHub account or IP, email hello@repopilot.app.
API users
The public API (/api/v1/onboard) subjects callers to the same rate limiting and aggregated logging as the website. Don't send personal data through the URL parameter; it is meant to carry a public GitHub repository URL, nothing more.
Changes to this policy
If this page changes materially, we'll update the "last updated" date at the top. There's no mailing list to notify; the page is authoritative.
Contact
Questions or requests: hello@repopilot.app.