Privacy Policy

Effective date: March 1, 2025

1. Overview

Devvoir ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have when you use Devvoir, available at https://devvoir.com.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

The short version

We only access the GitHub data needed to generate your reports. We don't sell your data. We don't store your source code. You can delete your account and all associated data at any time.

2. Data We Collect

We collect the following categories of information:

Account Information

When you sign in via GitHub OAuth, we receive your GitHub username, display name, email address, and profile avatar URL. This is provided by GitHub as part of the OAuth authentication process.

GitHub Repository Data

To generate reports, we access — but do not permanently store — your commit messages, pull request titles, descriptions, and file change diffs (patches) from repositories you explicitly select. We access only what is necessary to produce the requested report.

Generated Reports

AI-generated report summaries are stored in our database, linked to your account and the associated pull request number. This allows you to view your report history and regenerate past reports.

Usage & Quota Data

We track the number of reports generated per month per account for the purposes of enforcing usage limits and calculating billing if you purchase additional credits.

Log & Technical Data

We may collect standard server logs including IP addresses, browser type, pages visited, and timestamps for security, debugging, and analytics purposes. This data is not sold or shared with third parties for advertising.

3. How We Use Your Data

We use the data we collect to:

  • Authenticate you and maintain your session.
  • Fetch your GitHub activity and generate AI-powered reports on your behalf.
  • Store report history so you can access and regenerate previous reports.
  • Enforce usage quotas and manage purchased report credits.
  • Send transactional emails related to your account (e.g., billing confirmations).
  • Improve the quality and accuracy of the Service.
  • Detect, prevent, and respond to fraud, abuse, and security incidents.
  • Comply with applicable legal obligations.

We do not use your data for advertising, sell it to third parties, or use it to train AI models without your explicit consent.

4. GitHub Data Access

Devvoir uses GitHub OAuth to authenticate you. We request the following GitHub permission scopes:

  • read:user — to access your public profile information (username, name, avatar).
  • user:email — to access your verified email address for account identification.
  • repo (read-only) — to list your repositories and read pull request data and file diffs for report generation.
  • read:org — to list organisations you belong to, so you can generate reports for organisation repositories.

We never write to, modify, delete, or create any content in your GitHub repositories. You can revoke Devvoir's access at any time from your GitHub OAuth application settings.

5. Third-Party Services

We use the following third-party services that may process your data:

GitHub (GitHub, Inc.)

OAuth authentication and repository data access. Governed by GitHub's Privacy Statement.

Anthropic

AI model provider used to generate report summaries from your PR data. Data sent to Anthropic's API is subject to their usage policies. We do not send personally identifiable information to the AI model — only anonymised code change diffs and commit messages.

Lemon Squeezy

Payment processor for credit purchases. Your payment details are handled entirely by Lemon Squeezy and are not stored on Devvoir servers.

Vercel

Hosting and infrastructure provider. Vercel may collect standard server logs as part of hosting the Service.

Cloudinary

Used to serve static assets such as the Devvoir logo.

We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

6. Data Retention

We retain your account information and generated reports for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or compliance purposes (e.g., billing records).

Server logs are retained for up to 90 days for security and debugging purposes, after which they are automatically deleted.

Raw GitHub data (diffs, patches) fetched during report generation is processed in-memory and is not permanently stored in our database.

7. Security

We take reasonable technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encrypted data transmission using HTTPS/TLS.
  • Secure storage of OAuth tokens with server-side encryption.
  • Access controls limiting who within our team can access user data.
  • Regular review of our security practices.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. If you discover a security vulnerability, please disclose it responsibly to hello@devvoir.com.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your personal data ("right to be forgotten").
  • Portability — request your data in a structured, machine-readable format.
  • Objection — object to the processing of your data in certain circumstances.
  • Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at hello@devvoir.com. We will respond within 30 days.

9. Cookies

Devvoir uses cookies and similar storage mechanisms for the following purposes:

Session cookies

Used by NextAuth.js to maintain your authenticated session. These are strictly necessary for the Service to function and are deleted when you sign out.

CSRF protection cookies

Used to prevent cross-site request forgery attacks. These are strictly necessary for security.

We do not use advertising cookies or third-party tracking cookies. You can control cookies through your browser settings, but disabling essential cookies will prevent you from using the Service.

10. Children's Privacy

The Service is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately at hello@devvoir.com and we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the effective date at the top of this page and, where appropriate, by sending an email to the address associated with your account.

Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this page periodically.

12. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please reach out to us:

Devvoir — Privacy Team

Email: hello@devvoir.com

Website: https://devvoir.com