Privacy Policy
Effective: April 2026
What We Collect
When you install MatrixReview on a GitHub repository, we access:
- Repository documentation files (.md, .rst, .txt) scanned during setup to build your review knowledge base.
- Pull request diffs and metadata read when a PR is opened or updated, used solely to perform the code review.
- GitHub installation identifiers used to associate your repository with your review configuration.
What We Store
- Documentation content ingested and stored in an encrypted database to power reviews. You can view, edit, and delete documents at any time from the dashboard.
- Review results including findings, gate statuses, and traffic light outcomes stored for dashboard history and quality tracking.
- Dependency graph metadata showing file relationships, import chains, and security tags. This is structural data (file paths, line counts), not code content.
- Audit log entries recording data access and mutations for security monitoring.
What We Do Not Store
- We do not permanently store your source code. Repository clones are created in temporary directories and deleted immediately after processing.
- We do not permanently store PR diffs. Diffs are retained for up to 30 days for fix generation, then automatically purged from both disk and database.
- We do not store GitHub tokens beyond their session lifetime. Installation tokens are short-lived (1 hour) and generated via JWT.
What We Do Not Do
- We do not sell your data to third parties.
- We do not use your code to train AI models.
- We do not access files beyond documentation and PR diffs.
Third-Party Services (Subprocessors)
MatrixReview uses the following third-party services to operate. A complete subprocessor list is maintained on our Security page.
- GitHub API to read repository contents and post review comments.
- DeepSeek for AI-powered PR review analysis. PR diff excerpts are sent via HTTPS and not stored by the provider.
- Anthropic Claude API for document classification and analysis during setup.
- Railway for cloud hosting of the application backend (United States).
Data Retention
Documentation and review metadata are retained as long as the GitHub App is installed on your repository. PR diff data is automatically purged after 30 days. You may request full data deletion at any time by contacting us or using the data deletion endpoint. Uninstalling the app triggers deletion of all stored data associated with your repository.
Your Rights
Under GDPR and applicable privacy regulations, you have the right to:
- Access and export all data we hold about your repository via the data export endpoint.
- Delete all your data via the data deletion endpoint or by contacting us.
- Portability of your data in a standard JSON format.
- Object to processing or request restriction of processing by contacting us.
A Data Processing Agreement (DPA) is available on request for customers requiring formal documentation of our processing relationship.
Security
All data is encrypted at rest (AES-256 via SQLCipher) and in transit (HTTPS/TLS). All data access is logged in an append-only audit trail. Infrastructure access is restricted to the founder. For full details, see our Security page.
Contact
For privacy questions, data deletion requests, or DPA inquiries: admin@matrixreview.io