commitplain logo

Privacy Policy

Last updated: April 18, 2026

1. What we collect

commitplain collects only the data strictly necessary to provide the service:

  • Account data: email address and name, provided via sign-up through Clerk.
  • GitHub OAuth token: obtained server-side to read commits from your repositories. The token never passes through your browser and is stored encrypted.
  • Commit metadata (all plans): commit message, author name, and timestamp.
  • Code diffs (Agency plan only): to produce more accurate reports, the Agency plan reads the actual unified diffs of the commits you select. Diffs are processed in memory during report generation and discarded when it finishes. Your source code and diffs are never stored in our database. We do not access your .env files, secrets, branches, pull request content, or issues.
  • Repository structural summary: when you link a repository, we index its README, configuration manifests (package.json, go.mod, etc.), and a file-tree listing to produce a short structural summary that helps the AI interpret future commits. This summary is stored in your account, but we do not persist raw source code.
  • Generated reports: the executive reports commitplain produces on your behalf, stored in your account.
  • Usage data: basic product analytics (page views, feature usage) to improve the service.

2. How we use it

  • To generate executive reports from your commit history.
  • To authenticate you and maintain your account.
  • To send reports to recipients you explicitly choose.
  • To improve commitplain based on aggregated usage patterns.

We do not sell your data, share it with third parties for advertising, or use it to train AI models. Gemini API input and output are not used by Google to train its models under its paid API terms.

3. Data storage and retention

All data is stored in infrastructure within the European Union (eu-west-1 region). We retain your data for as long as your account is active. If you cancel, your data is retained for 30 days to allow reactivation, then deleted. You may request immediate deletion at any time by contacting us.

4. GitHub access

commitplain requests the repo scope via GitHub OAuth to read commits from private repositories (see how it works for the full flow). On the Indie plan, only commit messages, authors, and timestamps are fetched. On the Agency plan, commitplain additionally fetches the unified diffs of the commits you explicitly include in each report, in order to produce more accurate business reports; those diffs are processed in memory during generation and discarded when it finishes — they are never persisted in our database. You can revoke OAuth access at any time from your GitHub account settings under Authorized OAuth Apps. Revoking access will disable report generation until you reconnect.

5. Third-party services (subprocessors)

  • Clerk: authentication and user management.
  • Convex: database and real-time backend (EU region).
  • Vercel: hosting and edge delivery.
  • Google (Gemini API): AI model used to generate the executive reports. Commit messages, and for the Agency plan the selected code diffs, are sent to the Gemini API during generation. Per Google's paid API terms, Gemini API input and output are not used to train Google's models. Data transmitted for generation is not retained by commitplain beyond the lifetime of the request. See the full technical documentation for the exact data flow.
  • Resend: transactional email delivery for approved reports.
  • Stripe: payment processing. commitplain never sees or stores card data.

6. Your rights

Under GDPR and applicable law, you have the right to access, correct, export, or delete your data. To exercise any of these rights, contact us at the email below. We will respond within 30 days.

7. Contact

For privacy questions or data requests, contact us at privacy@commitplain.com.