Security & Privacy

Git AutoReview is built with a privacy-first architecture. Your code never touches our servers. You control your data.

No Code Storage

Your code is never stored on our servers. It's sent directly to your chosen AI provider for analysis and discarded after review.

BYOK (Bring Your Own Key)

Use your own API keys for Claude, Gemini, or GPT. You pay the AI provider directly. We never see or store your API keys on our servers.

Encrypted Storage

API keys and credentials are stored in VS Code's SecretStorage, which uses your OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service).

No Telemetry

We don't collect telemetry, analytics, or usage data without explicit consent. Your coding activity stays private.

How Your Data Flows

1. You trigger a review: click 'Review' on a PR in VS Code.
2. Code is fetched: the PR diff is fetched from Bitbucket to your local machine.
3. Sent to AI provider: the code is sent directly to Claude/Gemini/GPT using YOUR API key.
4. AI analyzes: the AI provider processes the code and returns suggestions.
5. You review: suggestions are displayed locally, and you approve or reject each one.
6. Published to Bitbucket: only approved comments are posted to your PR.

Privacy by Architecture

Unlike SaaS code review tools that process your code on their servers, Git AutoReview uses a privacy-first architecture:

  • Code never touches Git AutoReview servers
  • API keys stored in OS-level encrypted storage
  • Direct connection to AI providers (no proxy)
  • Works behind corporate firewalls (Server/DC)
  • No data retention — code discarded after review
  • Open architecture — you control the data flow

AI Provider Data Policies

When you use Git AutoReview, your code is sent to your chosen AI provider. Here are their data policies:

Anthropic (Claude)

Does not train on API data. 30-day retention for trust & safety.

Google (Gemini)

API data not used for training. Enterprise-grade security.

OpenAI (GPT)

API data not used for training by default. SOC 2 compliant.

Frequently Asked Questions

Does Git AutoReview store my code?

No. Your code is sent directly from your machine to your chosen AI provider (Anthropic, Google, or OpenAI). We don't have servers that process or store your code. After the AI returns suggestions, the code is discarded.

Where are my API keys stored?

API keys are stored in VS Code's SecretStorage, which uses your operating system's secure credential storage: macOS Keychain, Windows Credential Manager, or Linux Secret Service. They are encrypted at rest and never exposed in logs.
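The storage pattern described above, as an added example that is not Git AutoReview's own code: a small TypeScript module that keeps each provider's BYOK key in VS Code's SecretStorage (so it lands in the OS keychain rather than in settings.json or globalState) and masks keys before anything reaches a log or crash report. The SecretStore interface and the MemorySecretStore stand-in are assumptions that mirror the get/store/delete subset of vscode.SecretStorage so the code runs outside the editor; in a real extension, context.secrets would be passed in instead.

```typescript
// Added example, not Git AutoReview's code. `SecretStore` mirrors the
// get/store/delete subset of vscode.SecretStorage (assumption) so the
// key-handling logic can run outside VS Code.
type Provider = "anthropic" | "google" | "openai";

interface SecretStore {
  get(key: string): Promise<string | undefined>;
  store(key: string, value: string): Promise<void>;
  delete(key: string): Promise<void>;
}

class ApiKeyVault {
  // Namespaced id so the keychain entry is attributable to the extension.
  private static id(p: Provider): string { return `gitAutoReview.apiKey.${p}`; }

  constructor(private readonly secrets: SecretStore) {}

  // Validate minimally, then hand the key to the OS-backed store only.
  async save(provider: Provider, key: string): Promise<void> {
    const trimmed = key.trim();
    if (trimmed.length < 20) throw new Error(`API key for ${provider} looks malformed`);
    await this.secrets.store(ApiKeyVault.id(provider), trimmed);
  }

  // Read the key at review time; it is never cached in settings or globalState.
  async load(provider: Provider): Promise<string | undefined> {
    return this.secrets.get(ApiKeyVault.id(provider));
  }

  async forget(provider: Provider): Promise<void> {
    await this.secrets.delete(ApiKeyVault.id(provider));
  }
}

// Mask all but the last four characters so a log line can still be matched
// to the right key without exposing it.
function redactKey(key: string): string {
  if (key.length <= 4) return "****";
  return "*".repeat(key.length - 4) + key.slice(-4);
}

// Scrub any known key out of a message (e.g. a provider error) before logging.
function scrubMessage(message: string, keys: string[]): string {
  return keys.reduce((m, k) => (k ? m.split(k).join(redactKey(k)) : m), message);
}

// In-memory stand-in (assumption) used only so the example runs here;
// the extension would pass `context.secrets` to ApiKeyVault instead.
class MemorySecretStore implements SecretStore {
  private readonly data = new Map<string, string>();
  async get(key: string) { return this.data.get(key); }
  async store(key: string, value: string) { this.data.set(key, value); }
  async delete(key: string) { this.data.delete(key); }
}
```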

Can Git AutoReview access my code without my knowledge?

No. Git AutoReview only accesses code when you explicitly trigger a review. It doesn't run in the background, doesn't auto-sync, and doesn't send any data without your action.

Is Git AutoReview compliant with enterprise security policies?

Git AutoReview is designed for enterprise use. With BYOK, no code storage, and support for Bitbucket Server/Data Center behind firewalls, it meets most enterprise security requirements. Contact us for specific compliance questions.

What data does Git AutoReview collect?

By default, none. We don't collect telemetry, usage analytics, or any data about your coding activity. If you opt-in to crash reporting, only anonymized error data is sent.

Security Questions?

Contact us for enterprise security assessments or compliance documentation.

security@gitautoreview.com