Snapshot vs. RepotrixThe same job, side by sideThe TourSelf-driving walkthrough of all 9 surfacesThe SuiteEvery surface, always in syncMCP ServerRepotrix inside Claude, Cursor, ChatGPT & GeminiWorkflowFrom clone to chat in under 5 minutesTestimonialsWhat teams say once the docs stop rotting
How it worksBlogFAQ
Sign InAccess your dashboardSign Up for FreeConnect a repo in minutes

Privacy Policy

Effective date: May 21, 2026 Last updated: May 21, 2026


1. Who we are

This Privacy Policy describes how Repotrix Software Solutions ("Repotrix", "we", "us") collects, uses, and protects information when you use the Repotrix service available at https://repotrix.ai and its sub-domains, including https://api.repotrix.ai (collectively, the "Service").

Repotrix is operated as a sole proprietorship registered in India.

Legal nameRepotrix Software Solutions
TypeSole proprietorship registered in India
GSTIN33FTMPS8929C2Z5
Contactcontact@repotrix.ai

Our full registered name and postal address are provided in response to verified data-subject requests, regulatory inquiries, or legal notices via the contact email above. We don't publish them on a public page to limit address-harvesting and unsolicited contact.

If you are in the European Economic Area, the United Kingdom, or Switzerland, we are the data controller for the personal data we process under this policy. If you are in India, we are the data fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDPA").

2. What we collect

2.1 Account information you give us

  • Email address
  • Display name
  • Avatar image (optional)
  • OAuth identity from GitHub / Google / Bitbucket (if you sign in via OAuth)
  • Subscription / billing details (processed by Razorpay; we store only the subscription ID and plan tier, not card data)

2.2 Repository content you authorise us to read

When you connect a code repository, we clone it on your behalf using the access token you provide and process its contents to generate documentation, security reports, architecture diagrams, onboarding guides, and chat answers. Specifically:

  • We temporarily clone the repository to a worker process. The clone is deleted as soon as the ingestion task completes (typically within 1–5 minutes).
  • We store derived artifacts (generated documentation, code-graph metadata, redaction audit summaries) in our Postgres database.
  • We store code chunk embeddings in our Pinecone vector index. Embeddings are numeric arrays; the original source text is also stored alongside them so that retrieval-augmented responses can quote real code.
  • We never store raw clones of your repository on disk after ingestion completes.

2.3 Automatically collected technical data

  • IP address (used for rate limiting, abuse detection, and audit logging — not for advertising)
  • Browser user-agent string
  • Pages visited and timestamps (basic server logs)
  • Errors and stack traces (when something goes wrong, to help us fix it)

2.4 PII and secrets that may be in your code

We run a regex-based scrubber on every file before embedding it. The scrubber masks values that look like API keys, JWT tokens, private keys, credit-card numbers, and email addresses. The redaction is best-effort, not guaranteed — see Section 7 for what this means for your security.

3. How we use your data

PurposeWhat we use
Provide the Service (generate docs, run reviews, etc.)Repository content, account info
Authenticate youEmail, OAuth identity, JWT session
Bill youSubscription tier, Razorpay subscription ID
Send transactional email (verification, password reset, drift alerts you opted into)Email address
Detect abuse and enforce rate limitsIP address, request metadata
Comply with legal obligationsAudit log entries

We do not use your code or account data to train any AI model. We do not sell or rent your personal data to third parties.

4. Who we share data with

We share the minimum necessary data with the following sub-processors, all of which have their own data-protection commitments:

Sub-processorPurposeData sharedRegion
Google (Gemini API)LLM analysis of code chunks for documentation, security review, onboarding roadmap, diagrams, and chatScrubbed code chunks, repository metadata, chat promptsMulti-region (Google determines)
PineconeVector embedding storage and similarity retrievalScrubbed code chunks, embedding vectors, file pathsUnited States
NeonManaged Postgres databaseAll account and derived dataAsia-Pacific (Singapore)
RenderApplication + worker hosting, managed Redis (Upstash)All runtime data, job metadata, webhook delivery IDsAsia-Pacific (Singapore)
VercelFrontend hosting and edge deliveryPage-level metadata onlyGlobal edge network
RazorpayPayment processing for subscriptionsEmail, name, subscription details (NOT card data — Razorpay holds that directly under PCI-DSS)India
ResendTransactional email delivery (verification, drift alerts, billing notices)Email address, message content of transactional emailsUnited States
AWS S3Encrypted nightly database backupsAll account and derived data, Fernet-encrypted at rest before uploadAsia-Pacific (Singapore, ap-southeast-1)

Each sub-processor is bound by its own privacy / DPA terms. We use industry-standard contractual safeguards (Standard Contractual Clauses or equivalent) where data flows between jurisdictions.

5. How long we keep your data

Data typeRetention
Account data (email, name, OAuth identities)Until you delete your account
Repository content (clones)Deleted within minutes of ingestion completing
Derived artifacts (docs, embeddings, audits)Until you delete the repository or your account
Encrypted nightly backups (S3)30 days rolling, then purged automatically
Server logs (IPs, requests)30 days
Audit log entries naming a deleted user90 days, then purged
Razorpay payment records (legal obligation)7 years from transaction date

6. Your rights

Subject to applicable law (GDPR for EU/UK users, DPDPA for Indian users, and equivalent laws elsewhere), you have the right to:

  • Access the personal data we hold about you
  • Correct inaccuracies
  • Delete your account and associated data (via the Profile → Delete account button in the Service)
  • Export your data in a portable format (via the Profile → Export data link — coming soon; until then, email us)
  • Object to or restrict specific processing
  • Withdraw consent for any processing based on consent (e.g. marketing email)
  • Lodge a complaint with your local data protection authority

To exercise any right, email contact@repotrix.ai. We respond within 30 days. Under the DPDPA, Indian users may also nominate another individual to exercise their rights in case of death or incapacity — email us the nomination details.

6.1 Account deletion

Clicking Delete account in your profile immediately purges:

  • Your user row
  • All repositories owned by your organisation
  • All derived artifacts (docs, embeddings, audits, code graphs, diagrams, chat history)
  • The Pinecone namespace for each of your repositories
  • Your organisation row (if you were the last member)

Encrypted S3 backups continue to exist until they age out of the 30-day rotation. They are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256) and inaccessible without our master key.

6.2 Cookies and similar technologies

Repotrix does not set any HTTP cookies on your browser. We do use two pieces of persistent browser storage (localStorage), both of which the ePrivacy Directive treats the same way as cookies:

Storage keyTypePurposeLifetime
session.v1Strictly necessaryHolds your signed JWT session token plus idle/absolute timeout markers. Without it you cannot use the Service.30 min idle / 12 hr absolute — cleared on logout
themeFunctionalRemembers whether you chose Dark or Light mode.Until you clear it

We do not use:

  • Advertising or marketing cookies
  • Cross-site tracking pixels
  • Third-party analytics that profile individual users (no Google Analytics, PostHog, Mixpanel, Hotjar, etc.)
  • Social-media tracking ("Like" buttons, embedded widgets)

Because both items above are strictly-necessary or purely functional, we do not display a consent banner. You can clear them at any time via your browser's Clear site data control.

Third-party flows we redirect you to may set their own cookies:

  • Razorpay — when you reach the payment / billing page, Razorpay loads on their own domain and sets cookies governed by Razorpay's privacy policy.
  • OAuth providers (Google, GitHub, Bitbucket) — when you sign in via OAuth, you are redirected to their domains where they set their own session cookies.

Those are out of our control; consult those providers' policies if you need the detail.

If we add product analytics or marketing tooling in the future, we will update this section, present a consent banner before any non-essential storage is set, and notify existing users by email.

7. Security

We protect your data with:

  • HTTPS everywhere — all traffic to and from the Service is TLS-encrypted.
  • Encryption at rest — access tokens, webhook secrets, and Gemini API keys are stored Fernet-encrypted in our database. Backups to S3 are Fernet-encrypted before upload.
  • Tenant isolation — every multi-tenant table enforces Postgres Row Level Security with FORCE so a misconfigured query cannot leak data across organisations.
  • HMAC signing — webhooks from GitHub and Bitbucket are verified with constant-time HMAC-SHA256.
  • PII / secret scrubber — a regex scanner masks common secret formats before content is sent to any LLM or vector store. This is best-effort, not guaranteed: novel secret formats or obfuscated credentials may slip through. You are responsible for not committing real production secrets to repositories.
  • Replay protection — each webhook delivery ID is gated by a 24-hour SETNX in Redis.

No system is perfectly secure. If you discover a vulnerability, please email contact@repotrix.ai with subject line SECURITY — we welcome responsible disclosure.

8. Children

Repotrix is not intended for users under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect data from anyone under that age. If you believe a child has registered, email us and we will delete the account.

9. International transfers

Our infrastructure spans multiple regions (see Section 4). If you access the Service from outside the region where data is processed, your data will be transferred internationally. We rely on Standard Contractual Clauses, sub-processor commitments, and equivalent safeguards.

10. Changes to this policy

We may update this policy. Material changes will be announced via email at least 30 days before they take effect. The most current version is always at https://repotrix.ai/privacy.

11. Contact

  • All inquiries (privacy, data requests, security disclosures): contact@repotrix.ai
    • For security reports, please use subject line SECURITY so we route it correctly.
  • GSTIN: 33FTMPS8929C2Z5
  • Postal address for legal notices / verified data-subject requests: available on written request to the contact email above.

The intelligence layer for your codebase.

ExploreSnapshot vs. RepotrixTourThe SuiteMCP ServerWorkflowTestimonials
MoreHow it worksBlogFAQ
AccountSign InSign Up
LegalPrivacy PolicyTerms of ServiceRefund & Cancellation
Follow us

Subscribe to the newsletter

A new post every 1–2 weeks on RAG, embeddings, prompt engineering, and the practice of shipping AI products.

Ask any questions

Stuck on setup? Want a demo? Have a feature request? Drop us a line and a human will reply within a working day.

Copyright © 2026. All rights reserved · Repotrix Software Solutions · Chennai, India