Privacy
Privacy Policy. In plain language.
This page summarizes how Sigilix handles your code and account data. It is the controlling reference for our privacy commitments. The full architectural detail — including data-flow diagrams and retention rules — lives at /security.
Effective date: May 5, 2026.
Sigilix is operated by Arc and Anchor LLC ("Sigilix", "we", "our"). We provide an AI code-review service that runs on your pull requests. This policy explains what data we collect, how we use it, who we share it with, and the rights you have.
Three categories of data.
Account data
Email address, GitHub user ID, organization membership, billing contact, and the metadata GitHub returns when you authorize the Sigilix App. We do not collect passwords; auth is delegated to GitHub.
Review data (ephemeral)
For each review: the diff hunks, surrounding files, lockfiles, and PR metadata of the pull request under review. This content is held in memory only for the duration of inference (typically < 60 seconds) and is discarded immediately after the review is posted. We do not persist file contents.
Telemetry
Aggregate counters: review count, latency, model error rates, rate-limit usage, client-side analytics on marketing pages (page views, referrers). No file contents or personally identifying data beyond what GitHub already exposes for the user.
The hard nos.
- ·We do not train models on your code. Not our own models. Not third-party models.
- ·We do not vectorize or index your repositories into any shared embedding store.
- ·We do not retain logs that contain your file contents.
- ·We do not sell or rent your data.
- ·We do not use your code to improve Sigilix's product without your explicit, written opt-in.
Third parties we send data to.
To run a review, we route diff context through commercial inference providers. We choose them deliberately and require zero-retention terms in our commercial agreements.
| Provider | What they receive | Retention |
|---|---|---|
| DeepSeek | Diff hunks + retrieval context for Glyph and Warden | Zero retention; never used for training |
| Moonshot AI (Kimi) | Diff hunks + retrieval context for Spark, Weave, Core | Zero retention; never used for training |
| GitHub | Authentication, repository read access, review posting | Per GitHub Terms of Service |
| Cloudflare | Edge compute and request termination for the Sigilix worker | Logs purged ≤ 24h; no file contents retained |
| Vercel | Marketing site hosting (sigilix.ai). No customer code passes through. | Per Vercel DPA |
What you can ask us to do.
You can request access, correction, or deletion of any account data we hold for you. We honor GDPR, CCPA, and equivalent regimes for all customers regardless of region. Send requests to privacy@arcanchor.com and we will respond within 30 days.
How updates work.
We will revise this policy as we add features and sub-processors. Material changes will be announced by email to the billing contact and posted at sigilix.ai/privacy with the new effective date. Continued use of the service after a change constitutes acceptance.
Reach a human.
Privacy questions: privacy@arcanchor.com. Security disclosures: security@arcanchor.com. Anything else: support@arcanchor.com.