Privacy Policy

1. What we collect

Account identity: when you sign in with GitHub we receive your GitHub login, display name, and avatar URL. We use this to show your dashboard and to match your billing entitlement.

Repository content for scoring: when SlopGuard is installed on a repo, it reads the pull requests and issues sent by GitHub webhooks, including titles, descriptions, and diff metadata, so it can score them. We read this live and do not keep a separate database of your slop history; the dashboard reads it back from GitHub on demand.

Console settings you create: alert channels and routing rules, SSO configuration, and an audit log of the actions you take. These are stored so the consoles work across sessions.

Billing data: payments are processed by Polar, our Merchant of Record. Polar collects your email and payment details. SlopGuard never sees or stores your card number.

2. How we use it

To score incoming PRs and issues, apply the slop-quarantine label, and post a review comment with the reasons. We never auto-close, merge, or push anything; destructive actions only happen when a maintainer runs an explicit /slop command.

To deliver the alerts you configure (Slack, Discord, or webhook) and to provide the org dashboard, pattern tracking, and audit log.

To manage your plan entitlement and, for Enterprise, your SAML SSO sign-in if you configure it.

3. Third-party processing (sub-processors)

LLM providers: to score a contribution, the text of the PR or issue may be sent to a large language model provider (for example Anthropic, OpenAI, or xAI, per your configured order) for analysis. Only the content needed to score is sent.

Network intelligence: on a quarantine we add a one-way SHA-256 hash of the prompt fingerprint and a hashed owner identifier to a shared store, so the hosted service can warn when the same slop pattern spreads across installations. No repository name, PR/issue content, or PR number is stored. Opt out with `share_intel: false` in your policy file.

GitHub: the platform the app runs on; we act on the permissions you grant at install (read PRs/issues, write labels and comments).

Polar: payments, invoicing, and tax as Merchant of Record.

Upstash: stores console and entitlement state. Cloudtype: hosts the application.

These providers process data on our behalf to deliver the service. We do not sell personal data to anyone.

4. Data retention

We do not store your slop scores or PR/issue content in our own database; scoring is computed on the webhook event and the dashboard reads history live from GitHub. Transient analysis results may be cached briefly to avoid recomputation.

Console settings, SSO config, and the audit log persist until you remove them or uninstall the app. Uninstalling the GitHub App stops all processing for that account.

5. Your rights

You can stop all processing at any time by uninstalling the GitHub App from your repositories or organization.

You can request access to, correction of, or deletion of the data we hold about you. Depending on where you live you may have rights under the GDPR or CCPA; we honor those requests.

To make a request, open an issue or contact us through the channel in section 7.

6. Security

We request the least GitHub permission needed to label and comment. Access tokens are used in memory and are not written to logs. Billing is isolated to Polar. No system is perfectly secure, but we aim to minimize what we hold so there is little to expose.

7. Contact

Questions or data requests: open an issue at https://github.com/Blue-B/slopguard/issues. We will add a dedicated privacy contact address as the service grows.