Privacy Policy
Last updated: February 2, 2026
This Privacy Policy describes how ShipItAI ("we", "us", or "our") collects, uses, and protects your information when you use our service.
1. Information We Collect
GitHub Account Information
When you install ShipItAI, we receive:
- Your GitHub organization or user account name
- Installation ID and repository access permissions
- GitHub usernames of developers who open pull requests
Code and Pull Request Data
When reviewing pull requests, we temporarily process:
- Pull request titles and descriptions
- Code diffs (changes between versions)
- File paths within your repository
We do not permanently store your source code. Code diffs are processed in memory, sent to Claude AI for review, and immediately discarded. We never write your source code to our databases.
Review Metadata
We store the following for 90 days:
- Review summaries (the text we posted to GitHub)
- Comment metadata (file paths, line numbers, comment text)
- Token usage statistics for billing purposes
Billing Information
Payment processing is handled by Stripe. We store:
- Stripe customer ID
- Subscription status
- Active developer counts for usage-based billing
We do not store credit card numbers or payment details directly.
2. How We Use Your Information
We use the information we collect to:
- Provide code review services
- Process payments and manage subscriptions
- Debug issues and improve service quality
- Send important service notifications (e.g., trial expiration)
3. Third-Party Services
We share data with the following third parties:
- Anthropic (Claude AI): Code diffs are sent to Claude for review. Anthropic's use of this data is governed by their privacy policy.
- GitHub: We post review comments to GitHub on your behalf.
- Stripe: Handles payment processing.
- AWS: Our infrastructure runs on Amazon Web Services.
4. BYOK (Bring Your Own Key)
If you provide your own Anthropic API key:
- Your key is encrypted using AWS KMS before storage
- Only the last 4 characters are stored in plaintext (for display)
- Keys are decrypted only when making API calls
- You can delete your key at any time from the settings page
5. Data Retention
- Source code: Never stored (processed in memory only)
- Review metadata: 90 days
- Active developer records: 90 days after the month ends
- Usage statistics: 2 years
- Trial records: Permanent (to prevent abuse)
6. Data Security
We implement appropriate security measures including:
- Encryption in transit (TLS) and at rest
- AWS KMS for sensitive data encryption
- Webhook signature verification
- Limited access to production systems
7. Your Rights
You can:
- Uninstall the GitHub App at any time to stop data processing
- Request deletion of your data by contacting support
- Delete your BYOK API key from the settings page
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on our website.
9. Contact Us
If you have questions about this Privacy Policy, please contact us.