Security

Security & Privacy

Git AutoReview is built with a privacy-first architecture. Your code never touches our servers. You control your data.

Need help? Contact us at loading...

No Code Storage

Your code is never stored on our servers. It's sent directly to your chosen AI provider for analysis and discarded after review.

BYOK (Bring Your Own Key)

Use your own API keys for Claude, Gemini, or GPT. You pay the AI provider directly. We never see or store your API keys on our servers.

Encrypted Storage

API keys and credentials are stored in VS Code's SecretStorage, which uses your OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service).

Minimal Telemetry

Anonymized usage analytics are on by default but can be disabled in settings. No code content is ever collected. Respects VS Code's global telemetry setting.

How does your data flow during AI code review?

You trigger a review

Click 'Review' on a PR in VS Code

Code is fetched

PR diff is fetched from your Git platform to your local machine

Sent to AI provider

Code is sent directly to Claude/Gemini/GPT using YOUR API key

AI analyzes

AI provider processes the code and returns suggestions

You review

Suggestions displayed locally. You approve/reject each one

Published to your Git platform

Only approved comments are posted to your PR

Privacy by Architecture

Unlike SaaS code review tools that process your code on their servers, Git AutoReview uses a privacy-first architecture:

Code never touches Git AutoReview servers
API keys stored in OS-level encrypted storage
Direct connection to AI providers (no proxy)
Works behind corporate firewalls (Server/DC)
No data retention — code discarded after review
Open architecture — you control the data flow

Built-in Security Scanning

Every code review includes automatic security scanning with 20+ built-in rules and an AI specialized security pass. Catches SQL injection, XSS, hardcoded secrets, eval() usage, weak cryptography, CORS misconfigurations, and more.

Learn more about security scanning →

What are the AI provider data policies?

When you use Git AutoReview, your code is sent to your chosen AI provider. Here are their data policies:

Anthropic (Claude)

Does not train on API data. 30-day retention for trust & safety.

Google (Gemini)

API data not used for training. SOC 2 compliant infrastructure.

OpenAI (GPT)

API data not used for training by default. SOC 2 compliant.

Frequently Asked Questions

Does Git AutoReview store my code?

No. Your code is sent directly from your machine to your chosen AI provider (Anthropic, Google, or OpenAI). We don't have servers that process or store your code. After the AI returns suggestions, the code is discarded.

Where are my API keys stored?

API keys are stored in VS Code's SecretStorage, which uses your operating system's secure credential storage: macOS Keychain, Windows Credential Manager, or Linux Secret Service. They are encrypted at rest and never exposed in logs.

Can Git AutoReview access my code without my knowledge?

No. Git AutoReview only accesses code when you explicitly trigger a review. It doesn't run in the background, doesn't auto-sync, and doesn't send any data without your action.

Is Git AutoReview compliant with enterprise security policies?

With BYOK, no code storage, and Bitbucket Server/Data Center support behind firewalls, it fits most enterprise security policies. Contact us for specific compliance questions.

What data does Git AutoReview collect?

Anonymized usage analytics (review counts, model used, response times) are collected by default to improve the product. No code content is ever collected. You can disable telemetry in Settings → gitAutoreview.telemetry.enabled. The extension also respects VS Code's global telemetry setting.

Security Questions?

security@gitautoreview.com