What data GitAlert reads
This page summarises how the GitAlert GitHub App handles your code. The authoritative, legal version is the Privacy & Security page.
What GitAlert reads
To triage a pull request, GitAlert reads:
- Pull-request metadata — the title, description, author, branch names, and commit identifiers.
- The pull-request diff — the actual changes, fetched from your Git host when the PR opens or updates.
When a PR adds a new dependency, GitAlert also sends the package name (never your code) to the public registry — PyPI or npm — to check the package exists.
What GitAlert stores
GitAlert stores metadata and results, not your code:
- Your installation and the repositories you selected (id, name, default branch, whether it's private).
- Pull-request metadata (number, state, title, description, author, whether the author looks like an AI agent, a bot, or a person, branch and commit identifiers, URL, timestamps).
- The verdict — the label, the confidence, and the specific findings behind it (for example the file and line of a weakened test, the name of a package that couldn't be found, or the path of a sensitive file that changed).
What GitAlert does not store
- Your source code and diffs are not stored. The diff is analysed in memory to produce the label, then discarded.
- Your access tokens are not stored. They're minted on demand, held only briefly, and never written to our database.
- Full webhook payloads are not stored — only the small set of fields above.
- We do not use your code or pull requests to train machine-learning models.
Permissions
The GitAlert GitHub App requests permission to read your pull requests and repository contents (so it can fetch the changes to analyse) and to write checks (so it can post its own neutral status). Within those permissions it never pushes commits, changes branches, merges or closes pull requests, or posts comments — the only thing it creates is its own informational check-run. You can review and change its access, or uninstall it, from GitHub at any time.
Full privacy policy
For the complete detail — including our sub-processors, international data transfers, retention, and your rights — see the Privacy & Security page.