// Privacy policy

Privacy

Last updated: 2026-04-22

What we collect

• GitHub identity — your user id, login, and display name, obtained via GitHub OAuth or GitHub App install
• Workspace metadata — org name, workspace name, membership roles, chosen configuration
• Source code — contents of repositories you connect via the GitHub App, for the purpose of building the knowledge graph (see the scan pipeline at /security)
• Scan artifacts — the derived knowledge graph (graph.json), analyses, and reports
• Chat transcripts — messages between you and the CTO agent, and any charter drafts negotiated
• Cost + observability data — per-session token usage, tool-call traces, timing

Processors we share data with

We use the following third-party processors strictly to deliver the service. Each has its own privacy practices; links below.

• Anthropic — LLM calls for the agent + multimodal extraction. See /llm-fallback for specifics.
• Render — web, API, worker, cron, and grapher hosting
• Supabase — managed Postgres + Storage + Auth
• Langfuse — observability + cost attribution (PII-scrubbed traces)
• Resend — transactional email (review-ready, account notices)
• GitHub — source identity provider + App

Retention

• Scan artifacts — 90 days after last use, then purged from Storage. Re-scans produce new artifacts.
• Chat transcripts — retained within your workspace indefinitely; you can delete them per-session from settings
• Cost + observability — 24 months, for billing reconciliation and trend analysis
• Auth records — purged within 30 days of account deletion

Your rights

You can, at any time:

• Export your workspace data (charter, scans, transcripts)
• Delete your account and all associated workspace data
• Revoke the GitHub App install (removes our source access)
• Toggle the LLM-fallback extractor per-workspace (see /llm-fallback)

Contact

Privacy questions: privacy@ctoai.live. Security reports: /security.