Last updated: March 1, 2026
CodeMouse ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you use codemouse.io (the "Service").
When you sign in with GitHub, we receive your GitHub user ID, username, display name, email address, and avatar URL. We use this to create and manage your CodeMouse account.
When you install the CodeMouse GitHub App, we receive the installation ID and a list of repositories you have granted access to. This is required to route incoming webhook events to the correct account.
You may provide API keys from third-party AI providers (OpenAI, Anthropic, Google, Groq). These keys are encrypted at rest using AES-256-GCM with a server-managed key and are never stored in plaintext. They are only decrypted in memory at the time a review is processed.
When a pull request event is received from GitHub, we temporarily process the diff to generate a review. We do NOT store pull request diffs or source code. The diff is passed to your configured AI provider using your own API key and is discarded immediately after the review is posted.
We collect metadata about reviews performed — such as repository name, timestamp, model used, and whether the review succeeded — to power your analytics dashboard and improve the Service. This metadata does not include source code.
Like most web services, our servers automatically record standard log information including IP address, browser type, pages visited, and timestamps. Logs are retained for up to 30 days.
We use the information we collect to: provide, operate, and improve the Service; authenticate you and manage your account; process pull request reviews using your AI provider key; send transactional emails (e.g., account notifications); respond to your support requests; and monitor for abuse and enforce our Terms of Service.
We do not sell, rent, or trade your personal information to third parties. We do not use your source code or PR diffs to train AI models.
Pull request diffs are transmitted to the AI provider you have configured (OpenAI, Anthropic, Google, or Groq) using your own API key. This transmission is governed by that provider's privacy policy. We do not share your data with any other AI providers.
We interact with GitHub's API to read PR diffs and post review comments. This is governed by GitHub's Privacy Policy.
We use Vercel for hosting and MongoDB Atlas for database storage. Both are under data processing agreements and adhere to industry-standard security practices.
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, protect the rights or safety of CodeMouse or others, or investigate potential violations of our Terms.
Account data is retained for as long as your account is active. Review metadata (timestamps, model used, success/failure) is retained for up to 12 months to power your analytics dashboard. API keys are retained until you delete them from Settings. You may delete your account at any time by contacting support@codemouse.io, at which point all personally identifiable information will be deleted within 30 days.
We take security seriously. API keys are encrypted with AES-256-GCM. All data in transit is encrypted using TLS 1.2+. Database access is restricted to application services. We undergo periodic security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
Depending on your jurisdiction, you may have rights to access the personal data we hold about you; correct inaccurate data; delete your account and personal data; object to certain processing; and request data portability. To exercise any of these rights, email us at privacy@codemouse.io. We will respond within 30 days.
We use a session cookie to keep you logged in (set by NextAuth). We do not use advertising cookies or third-party tracking cookies. We may use a minimal analytics solution in the future, which will be disclosed in an update to this policy.
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.
Questions about this Privacy Policy? Contact us at privacy@codemouse.io or by mail at CodeMouse, Inc., [Address].