Legal

Privacy Policy.

Last updated: April 21, 2026
Effective: April 21, 2026
This policy and our pricing may change at any time.

We may update this Privacy Policy, our Terms of Service, and our pricing at our discretion to reflect product changes, legal requirements, or business needs. Check the "Last updated" date above; material changes will be announced by email where feasible. Continued use of the Service constitutes acceptance.

Contents
  1. Who we are
  2. Data we collect
  3. How we use data
  4. ML & automated processing
  5. Sub-processors
  6. Retention
  7. Your rights
  8. Security
  9. International transfers
  10. Cookies
  11. Children
  12. Changes to this policy
  13. Contact

01 Who we are

RepoDigest, Inc. ("RepoDigest," "we") is a Delaware-incorporated company. This Privacy Policy explains what personal data we collect about you when you use our website, app, or email products (the "Service"), and how we handle it.

02 Data we collect

Account data

Your name, work email, password hash, team/workspace name, billing address (for paid plans), and OAuth tokens for connected providers (GitHub, GitLab, Jira).

Customer Data

When you connect a repository, we read commit messages, PR titles/descriptions/diffs, issue titles, and related metadata necessary to generate a digest. We do not read secrets stored in repositories, and we filter out common credential patterns before processing.

Recipient data

Email addresses of digest recipients you add to a workspace, plus basic delivery metadata (sent/bounced/opened).

Usage telemetry

Standard server logs (IP, user-agent, timestamps, endpoint), anonymized feature-usage metrics, and crash reports. We do not use third-party behavioral analytics.

03 How we use data

  • To run the Service — read repos, generate digests, deliver emails.
  • To bill you — process subscription payments through Stripe.
  • To support you — respond to questions, investigate incidents.
  • To improve the Service — aggregate, de-identified usage stats to understand what's working.
  • To comply with law — where required by legal process or regulation.

We will not use Customer Data for marketing and we do not sell personal data to anyone.

04 ML & automated processing

Digest summaries are produced by large language models operated by our AI sub-processor (see below). Data is sent to the model only for the duration of generation, is not retained by the model provider for training, and is covered by a zero-retention data-processing agreement.

We do not train our own foundation models on your Customer Data. We may use fully anonymized and aggregated usage patterns to tune prompt templates and evaluate quality.

05 Sub-processors

Provider | Purpose | Region
AWS (Amazon Web Services) | Hosting, databases, object storage | US-East
Stripe | Subscription billing & payments | US
Postmark | Transactional & digest email delivery | US
Anthropic | Language-model inference for digests | US
Sentry | Error monitoring & crash reports | US

We update this list when we add or remove a sub-processor. Material changes are announced to account owners by email with at least 30 days' notice.

06 Retention

  • Account data — kept for the life of your account, then deleted within 30 days of account closure.
  • Generated digests — kept for 12 months in Digest History, then rolling-deleted.
  • Raw commit/PR data — cached briefly during generation, deleted within 24 hours.
  • Billing records — retained for 7 years to meet tax and accounting requirements.
  • Server logs — 90 days.

07 Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to certain processing. You can exercise most of these directly from the Settings page. For anything else, email privacy@repodigest.com; we respond within 30 days.

Residents of California, the EU/UK, and other regions with applicable laws (CCPA, GDPR, UK GDPR) have the rights set out in those laws and may lodge a complaint with their supervisory authority.

08 Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). OAuth tokens and secrets are encrypted with a separate key-management service. Access to production systems is limited, audit-logged, and requires hardware-key 2FA. We run regular third-party penetration tests; reports are available under NDA to enterprise customers.

09 International transfers

We host data in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses and equivalent mechanisms for international transfers.

10 Cookies

We use a small number of first-party cookies to keep you logged in, remember your preferences, and measure aggregate usage. We do not set third-party advertising cookies. You can block cookies in your browser, but the Service may not work correctly without session cookies.

11 Children

The Service is not directed to children under 16 and we do not knowingly collect their data. If you believe a child has provided us with personal information, contact us and we will delete it.

12 Changes to this policy

We may update this Privacy Policy from time to time. Non-material changes (clarifications, formatting) take effect on posting. For material changes — new sub-processors, new data categories, changed retention — we will notify account owners by email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

13 Contact

Questions, requests, or complaints about privacy? Email privacy@repodigest.com or visit the contact page. Our mailing address is:

RepoDigest, Inc.
1209 Orange Street
Wilmington, DE 19801, USA