Privacy Policy. In plain language.
This page summarizes how Sigilix handles your code and account data. It is the controlling reference for our privacy commitments. The full architectural detail — including data-flow diagrams and retention rules — lives at /security.
Effective date: May 5, 2026.
Sigilix is operated by Sigilix, Inc. ("Sigilix", "we", "our"). We provide an AI code-review service that runs on your pull requests. This policy explains what data we collect, how we use it, who we share it with, and the rights you have.
Three categories of data.
Account data
Email address, GitHub user ID, organization membership, billing contact, and the metadata GitHub returns when you authorize the Sigilix App. We do not collect passwords; auth is delegated to GitHub.
Review data (ephemeral)
For each review: the diff hunks, surrounding files, lockfiles, and PR metadata of the pull request under review. This content is held in memory only for the duration of inference (typically < 60 seconds) and is discarded immediately after the review is posted. We do not persist file contents.
Telemetry
Aggregate counters: review count, latency, model error rates, rate-limit usage, client-side analytics on marketing pages (page views, referrers). No file contents or personally identifying data beyond what GitHub already exposes for the user.
The hard nos.
- We do not train models on your code. Not our own models. Not third-party models.
- We do not vectorize or index your repositories into any shared embedding store.
- We do not retain logs that contain your file contents.
- We do not sell or rent your data.
- We do not use your code to improve Sigilix's product without your explicit, written opt-in.
Where your code lives and runs.
Sigilix keeps a deliberately small footprint. Your code already lives in GitHub, and the review runs on our own infrastructure on Cloudflare — those are the only two providers in the path. Neither retains your file contents, we require zero-retention terms across our stack, and your code is never used to train a model. A current subprocessor list is available on request.
Where your code already lives. We read the pull request through a scoped, short-lived token and post the review back — we don't move your code anywhere new.
Our infrastructure — the API and the ephemeral workers that process the diff in memory and discard it. TLS in transit, encryption at rest, isolated per review.
What you can ask us to do.
You can request access, correction, or deletion of any account data we hold for you. We honor GDPR, CCPA, and equivalent regimes for all customers regardless of region. Send requests to privacy@sigilix.ai and we will respond within 30 days.
How updates work.
We will revise this policy as we add features and sub-processors. Material changes will be announced by email to the billing contact and posted at sigilix.ai/privacy with the new effective date. Continued use of the service after a change constitutes acceptance.
Reach a human.
Privacy questions: privacy@sigilix.ai. Security disclosures: security@sigilix.ai. Anything else: support@sigilix.ai.