Privacy Policy

Last updated: April 28, 2026

Codexa values your privacy. This page explains exactly what we collect, what we do with it, and what we don't do. If you'd rather read the source code, the entire pipeline is public on GitHub.

What we collect

When you install the GitHub App and open a pull request in a connected repo:

  • Pull request diff — the text changes in your PR are sent to the AI provider so it can review them.
  • Review metadata — repo name, PR number, AI provider used, status (completed/failed), finding count, duration. Stored in our database for the dashboard.

When you sign in to the dashboard:

  • GitHub identity — your username, email, and avatar URL, via GitHub OAuth.

What we don't collect

  • We don't store your code. Diffs are sent to the AI provider in real time and discarded immediately afterward — only the AI's short summary is saved.
  • We don't track your browsing, set marketing cookies, or use third-party analytics.
  • We don't sell, share, or rent any data to third parties.

Where the data goes

Codexa uses the following sub-processors:

  • Google Gemini & Groq — receive your PR diff to generate the review. Subject to their respective privacy policies.
  • Supabase — stores review metadata and user accounts. Hosted in their managed Postgres.
  • GitHub — webhook source and authoritative location of your PR comments.
  • Vercel & Render — hosting infrastructure for the website and backend.

Data retention

Review metadata is kept indefinitely so you can browse historical reviews on the dashboard. PR diffs are not retained — they exist only in transit between the webhook and the AI provider. AI providers may retain prompt data per their own policies (typically 30 days for safety monitoring; check their docs for specifics).

Your rights

  • Stop reviews: uninstall the GitHub App at any time from your GitHub settings — Codexa loses all access immediately.
  • Delete your account: contact us via the email below and we'll remove your user record and associated review history within 7 days.
  • Export your data: all your review metadata is available via the dashboard. Open an issue if you need a bulk export.

Cookies

We use only essential cookies — those required for sign-in (Supabase session) and for the site to function. No advertising or tracking cookies. No consent banner is shown because no consent is required for essential cookies under GDPR.

Self-hosting

If you self-host Codexa with your own keys, none of your data ever touches our servers. The source is fully open and the deployment guide is in our README.

Changes to this policy

When this policy changes meaningfully, we'll update the "Last updated" date at the top and announce it on the GitHub repo. Continued use of Codexa constitutes acceptance of the new terms.

Contact

Privacy questions? Open an issue on GitHub or reach out to techyMk.