Privacy Policy
This policy explains what Orvex Review ("Orvex", "we") processes when you use the service, and the choices you have. Contact: [email protected].
1. What we process
- Repository content. When a pull request is reviewed we fetch the diff, the changed files, and a limited set of related repository files needed for context, under the permissions you granted the GitHub App. Content is processed to produce the review.
- Model providers. Excerpts of that content are sent to the third-party AI model providers that power reviews (currently OpenAI and MiniMax) for transient inference. We apply automated secret redaction to content before it is sent. We do not permit providers to use your content for model training under their API terms.
- Review artifacts. We store the findings, summaries, review metadata (repository name, PR number, commit SHAs, token counts, costs), and workspace settings needed to run the service and show your dashboard. We do not keep a copy of your repository.
- Account data. GitHub account identifiers, workspace membership, email address for sign-in and billing, and session cookies (strictly necessary; we use no advertising or cross-site trackers).
- Billing. Payments are handled by Stripe. We store Stripe customer/subscription identifiers, never card numbers. Stripe's own privacy policy applies to payment data.
2. What we do NOT do
- We do not sell or rent your data.
- We do not use your code to train models.
- We do not read repositories beyond what a requested review needs.
3. Retention
- Repository content fetched for a review is held transiently for the duration of that review run and then discarded.
- Review findings and metadata are retained while your workspace is active so re-reviews, dashboards, and dedup work.
- Uninstalling the GitHub App stops all processing. You can request deletion of stored workspace data at any time via [email protected]; we delete within 30 days, except records we must keep for legal or billing compliance.
4. Security
Access tokens and signing keys are stored on hardened infrastructure with restricted access; webhook payloads are signature-verified; secrets detected in code are redacted before model calls. No system is perfectly secure — if we become aware of a breach affecting your data we will notify you without undue delay.
5. Your rights
Depending on your jurisdiction (e.g. GDPR/UK GDPR), you may have rights to access, correct, export, restrict, or delete personal data we hold about you. Email [email protected] and we will respond within 30 days.
6. Changes
We will announce material changes to this policy on the dashboard or by email before they take effect.