Privacy Policy
Effective date: May 21, 2026 Last updated: May 21, 2026
1. Who we are
This Privacy Policy describes how Repotrix Software Solutions ("Repotrix", "we", "us") collects, uses, and protects information when you use the Repotrix service available at https://repotrix.ai and its sub-domains, including https://api.repotrix.ai (collectively, the "Service").
Repotrix is operated as a sole proprietorship registered in India.
| Legal name | Repotrix Software Solutions |
| Type | Sole proprietorship registered in India |
| GSTIN | 33FTMPS8929C2Z5 |
| Contact | contact@repotrix.ai |
Our full registered name and postal address are provided in response to verified data-subject requests, regulatory inquiries, or legal notices via the contact email above. We don't publish them on a public page to limit address-harvesting and unsolicited contact.
If you are in the European Economic Area, the United Kingdom, or Switzerland, we are the data controller for the personal data we process under this policy. If you are in India, we are the data fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDPA").
2. What we collect
2.1 Account information you give us
- Email address
- Display name
- Avatar image (optional)
- OAuth identity from GitHub / Google / Bitbucket (if you sign in via OAuth)
- Subscription / billing details (processed by Razorpay; we store only the subscription ID and plan tier, not card data)
2.2 Repository content you authorise us to read
When you connect a code repository, we clone it on your behalf using the access token you provide and process its contents to generate documentation, security reports, architecture diagrams, onboarding guides, and chat answers. Specifically:
- We temporarily clone the repository to a worker process. The clone is deleted as soon as the ingestion task completes (typically within 1–5 minutes).
- We store derived artifacts (generated documentation, code-graph metadata, redaction audit summaries) in our Postgres database.
- We store code chunk embeddings in our Pinecone vector index. Embeddings are numeric arrays; the original source text is also stored alongside them so that retrieval-augmented responses can quote real code.
- We never store raw clones of your repository on disk after ingestion completes.
2.3 Automatically collected technical data
- IP address (used for rate limiting, abuse detection, and audit logging — not for advertising)
- Browser user-agent string
- Pages visited and timestamps (basic server logs)
- Errors and stack traces (when something goes wrong, to help us fix it)
2.4 PII and secrets that may be in your code
We run a regex-based scrubber on every file before embedding it. The scrubber masks values that look like API keys, JWT tokens, private keys, credit-card numbers, and email addresses. The redaction is best-effort, not guaranteed — see Section 7 for what this means for your security.
3. How we use your data
| Purpose | What we use |
|---|---|
| Provide the Service (generate docs, run reviews, etc.) | Repository content, account info |
| Authenticate you | Email, OAuth identity, JWT session |
| Bill you | Subscription tier, Razorpay subscription ID |
| Send transactional email (verification, password reset, drift alerts you opted into) | Email address |
| Detect abuse and enforce rate limits | IP address, request metadata |
| Comply with legal obligations | Audit log entries |
We do not use your code or account data to train any AI model. We do not sell or rent your personal data to third parties.
4. Who we share data with
We share the minimum necessary data with the following sub-processors, all of which have their own data-protection commitments:
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Google (Gemini API) | LLM analysis of code chunks for documentation, security review, onboarding roadmap, diagrams, and chat | Scrubbed code chunks, repository metadata, chat prompts | Multi-region (Google determines) |
| Pinecone | Vector embedding storage and similarity retrieval | Scrubbed code chunks, embedding vectors, file paths | United States |
| Neon | Managed Postgres database | All account and derived data | Asia-Pacific (Singapore) |
| Render | Application + worker hosting, managed Redis (Upstash) | All runtime data, job metadata, webhook delivery IDs | Asia-Pacific (Singapore) |
| Vercel | Frontend hosting and edge delivery | Page-level metadata only | Global edge network |
| Razorpay | Payment processing for subscriptions | Email, name, subscription details (NOT card data — Razorpay holds that directly under PCI-DSS) | India |
| Resend | Transactional email delivery (verification, drift alerts, billing notices) | Email address, message content of transactional emails | United States |
| AWS S3 | Encrypted nightly database backups | All account and derived data, Fernet-encrypted at rest before upload | Asia-Pacific (Singapore, ap-southeast-1) |
Each sub-processor is bound by its own privacy / DPA terms. We use industry-standard contractual safeguards (Standard Contractual Clauses or equivalent) where data flows between jurisdictions.
5. How long we keep your data
| Data type | Retention |
|---|---|
| Account data (email, name, OAuth identities) | Until you delete your account |
| Repository content (clones) | Deleted within minutes of ingestion completing |
| Derived artifacts (docs, embeddings, audits) | Until you delete the repository or your account |
| Encrypted nightly backups (S3) | 30 days rolling, then purged automatically |
| Server logs (IPs, requests) | 30 days |
| Audit log entries naming a deleted user | 90 days, then purged |
| Razorpay payment records (legal obligation) | 7 years from transaction date |
6. Your rights
Subject to applicable law (GDPR for EU/UK users, DPDPA for Indian users, and equivalent laws elsewhere), you have the right to:
- Access the personal data we hold about you
- Correct inaccuracies
- Delete your account and associated data (via the Profile → Delete account button in the Service)
- Export your data in a portable format (via the Profile → Export data link — coming soon; until then, email us)
- Object to or restrict specific processing
- Withdraw consent for any processing based on consent (e.g. marketing email)
- Lodge a complaint with your local data protection authority
To exercise any right, email contact@repotrix.ai. We respond within 30 days. Under the DPDPA, Indian users may also nominate another individual to exercise their rights in case of death or incapacity — email us the nomination details.
6.1 Account deletion
Clicking Delete account in your profile immediately purges:
- Your user row
- All repositories owned by your organisation
- All derived artifacts (docs, embeddings, audits, code graphs, diagrams, chat history)
- The Pinecone namespace for each of your repositories
- Your organisation row (if you were the last member)
Encrypted S3 backups continue to exist until they age out of the 30-day rotation. They are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256) and inaccessible without our master key.
6.2 Cookies and similar technologies
Repotrix does not set any HTTP cookies on your browser. We do use two pieces of persistent browser storage (localStorage), both of which the ePrivacy Directive treats the same way as cookies:
| Storage key | Type | Purpose | Lifetime |
|---|---|---|---|
session.v1 | Strictly necessary | Holds your signed JWT session token plus idle/absolute timeout markers. Without it you cannot use the Service. | 30 min idle / 12 hr absolute — cleared on logout |
theme | Functional | Remembers whether you chose Dark or Light mode. | Until you clear it |
We do not use:
- Advertising or marketing cookies
- Cross-site tracking pixels
- Third-party analytics that profile individual users (no Google Analytics, PostHog, Mixpanel, Hotjar, etc.)
- Social-media tracking ("Like" buttons, embedded widgets)
Because both items above are strictly-necessary or purely functional, we do not display a consent banner. You can clear them at any time via your browser's Clear site data control.
Third-party flows we redirect you to may set their own cookies:
- Razorpay — when you reach the payment / billing page, Razorpay loads on their own domain and sets cookies governed by Razorpay's privacy policy.
- OAuth providers (Google, GitHub, Bitbucket) — when you sign in via OAuth, you are redirected to their domains where they set their own session cookies.
Those are out of our control; consult those providers' policies if you need the detail.
If we add product analytics or marketing tooling in the future, we will update this section, present a consent banner before any non-essential storage is set, and notify existing users by email.
7. Security
We protect your data with:
- HTTPS everywhere — all traffic to and from the Service is TLS-encrypted.
- Encryption at rest — access tokens, webhook secrets, and Gemini API keys are stored Fernet-encrypted in our database. Backups to S3 are Fernet-encrypted before upload.
- Tenant isolation — every multi-tenant table enforces Postgres Row Level Security with
FORCEso a misconfigured query cannot leak data across organisations. - HMAC signing — webhooks from GitHub and Bitbucket are verified with constant-time HMAC-SHA256.
- PII / secret scrubber — a regex scanner masks common secret formats before content is sent to any LLM or vector store. This is best-effort, not guaranteed: novel secret formats or obfuscated credentials may slip through. You are responsible for not committing real production secrets to repositories.
- Replay protection — each webhook delivery ID is gated by a 24-hour SETNX in Redis.
No system is perfectly secure. If you discover a vulnerability, please email contact@repotrix.ai with subject line SECURITY — we welcome responsible disclosure.
8. Children
Repotrix is not intended for users under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect data from anyone under that age. If you believe a child has registered, email us and we will delete the account.
9. International transfers
Our infrastructure spans multiple regions (see Section 4). If you access the Service from outside the region where data is processed, your data will be transferred internationally. We rely on Standard Contractual Clauses, sub-processor commitments, and equivalent safeguards.
10. Changes to this policy
We may update this policy. Material changes will be announced via email at least 30 days before they take effect. The most current version is always at https://repotrix.ai/privacy.
11. Contact
- All inquiries (privacy, data requests, security disclosures): contact@repotrix.ai
- For security reports, please use subject line
SECURITYso we route it correctly.
- For security reports, please use subject line
- GSTIN: 33FTMPS8929C2Z5
- Postal address for legal notices / verified data-subject requests: available on written request to the contact email above.
