RepoWise Privacy Policy

Effective as of March 21, 2026

RepoWise, Inc. ("Company," "we," "us," "our") is committed to maintaining robust privacy protections for its users. This Privacy Policy is designed to help you understand how we collect, use, and safeguard the information you provide to us.

  • "Site" refers to our website at https://repowise.ai and the dashboard at https://app.repowise.ai.
  • "Service" refers to the RepoWise platform — including the dashboard, CLI tool (npx repowise create), background listener, and API — through which users can analyze codebases and generate AI-optimized context files.
  • "You" refers to you, as a user of our Site or Service.

By accessing our Site or Service, you accept this Privacy Policy and our Terms of Service, and you consent to our collection, storage, use, and disclosure of your information as described herein.


I. Information We Collect

We collect Non-Personal Information (anonymous usage data, browser type, referring URLs, platform types, click patterns) and Personal Information (data that can identify you personally).

1. Information Collected via Technology

When you use the Service, your browser or our application provides us with Non-Personal Information such as the referring URL, browser type, device type, and access timestamps. We use cookies and similar technologies to collect this information. For more details, see Section IX (Cookie Policy).

We may use both persistent and session cookies. Persistent cookies remain on your device until deleted; session cookies expire when you close your browser.

2. Information You Provide by Registering

To use the Service, you create an account by providing your name, email address, and password. You may also authenticate via third-party OAuth providers including GitHub, GitLab, Bitbucket, Google, and Apple. When you use OAuth, we receive your email address and basic profile information from the provider.

3. Source Code and Repository Data — Zero Retention Policy

When you connect a repository and run a scan, RepoWise analyzes your codebase to generate context files. This process involves:

  • Cloning or diffing your repository in ephemeral compute environments
  • Scanning code structure, languages, frameworks, architecture patterns, endpoints, and dependencies
  • Generating structured context files (architecture overview, domain models, API reference, etc.)

Zero Retention: RepoWise operates a strict zero retention policy for source code. Your source code is processed in ephemeral compute environments and is deleted promptly upon completion of each processing run. No source code is ever persisted to permanent storage. Only the generated context files — which contain structured documentation and do not include raw source code — are retained and delivered back to your repository.

Your source code is processed by AWS Bedrock AI models (large language models) to produce context files. Source code is transmitted securely over encrypted connections. We do not use your source code, repository data, or generated context files to train AI models.

Privacy Shield (opt-in): If you enable our Privacy Shield feature, an additional PII detection and filtering layer scans your code for sensitive data before context generation. Privacy Shield is strictly opt-in and never activates without your explicit consent.

4. Payment Information

When you subscribe to a paid plan, payment is processed by Stripe. We do not store your full credit card number or payment credentials. Stripe collects and manages your payment information in accordance with their own privacy policy. We store only your Stripe customer ID and subscription status.

5. Children's Privacy

The Site and Service are not directed to anyone under the age of 13. We do not knowingly collect information from anyone under 13. If we learn that we have gathered personal information from a child under 13, we will delete it promptly. Contact us at support@repowise.ai if you believe we have collected such information.


II. Lawful Basis for Processing

We process your personal information under the following legal bases, as required by the General Data Protection Regulation (GDPR) and similar laws:

  • Performance of a contract — We process your account information and source code because it is necessary to provide the Service you have subscribed to (e.g., generating context files, managing your subscription).
  • Legitimate interests — We process usage analytics and Non-Personal Information to improve the Service, ensure security, and prevent fraud, where these interests are not overridden by your data protection rights.
  • Consent — Where you have given explicit consent, such as by agreeing to this Privacy Policy during registration or enabling optional features like Privacy Shield.
  • Legal obligation — We process and retain certain information (e.g., billing records, audit logs) to comply with applicable laws, including tax and financial regulations.

You may withdraw your consent at any time by contacting us or deleting your account. Withdrawal of consent does not affect the lawfulness of processing performed prior to withdrawal.


III. How We Use and Share Information

Personal Information:

We do not sell, trade, rent, or otherwise share your Personal Information with third parties for marketing purposes. We share Personal Information only with service providers performing services on our behalf, including:

  • Amazon Web Services (AWS) — Cloud infrastructure, data storage (DynamoDB), authentication (Cognito), and AI processing (Bedrock)
  • Stripe — Payment processing and subscription management
  • Third-party Git providers (GitHub, GitLab, Bitbucket) — Repository access as authorized by you

These vendors use your information only at our direction and in accordance with this Privacy Policy. We require all service providers to maintain confidentiality and security standards no less protective than those described herein.

We may disclose Personal Information if required to comply with legal obligations, enforce our Terms of Service, address fraud or security concerns, or protect the rights, property, or safety of our users or the public.

Non-Personal Information:

We use Non-Personal Information to improve the Service and customize your experience. We may aggregate and share Non-Personal Information with partners and third parties at our discretion.

Business Transfers:

In the event of a merger, acquisition, or sale of assets, your Personal Information may be transferred. Any acquirer will be required to honor this Privacy Policy.


IV. How We Protect Information

We implement industry-standard security measures to protect your information:

  • Encryption in transit — All data is transmitted over TLS/HTTPS
  • Encryption at rest — All stored data is encrypted at rest using AES-256 encryption (via AWS managed keys)
  • Zero retention of source code — Source code is processed in ephemeral environments and deleted promptly after processing
  • AWS infrastructure — Data is stored in AWS with enterprise-grade security controls, including network isolation and access controls
  • JWT-based authentication — Secure token-based access to API resources
  • Webhook signature verification — Cryptographic validation of third-party integrations
  • MFA support — TOTP-based multi-factor authentication and passkey/WebAuthn support
  • Secure credential storage — CLI credentials stored with restricted file permissions; dashboard tokens stored in memory only (not localStorage)
  • Rate limiting — Protection against brute-force attacks on authentication endpoints
  • Audit logging — Security-relevant actions are logged for monitoring and compliance purposes

No method of transmission over the Internet is 100% secure. By using our Service, you acknowledge and accept these inherent risks.


V. Your Rights Regarding Your Personal Information

All Users

You have the right to:

  • Opt out of promotional communications by following the unsubscribe instructions in any email
  • Access and update your profile information through the dashboard Settings
  • Delete your account — You may request account deletion through the dashboard, which follows a two-step confirmation process
  • Disconnect repositories — You may disconnect any repository at any time, removing it from our Service

We may continue to send administrative emails (e.g., security notifications, policy updates) regardless of your promotional preferences.

Additional Rights for EEA, UK, and Swiss Users (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent local laws:

  • Right of access — You have the right to request a copy of the personal data we hold about you.
  • Right to rectification — You have the right to request correction of any inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten") — You have the right to request deletion of your personal data, subject to certain legal exceptions.
  • Right to data portability — You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
  • Right to restrict processing — You have the right to request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data or assess a request to erase your data).
  • Right to object — You have the right to object to the processing of your personal data where we rely on legitimate interests as our lawful basis, including for direct marketing purposes.
  • Right to withdraw consent — Where processing is based on your consent, you have the right to withdraw that consent at any time.
  • Right to lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities can be found at https://edpb.europa.eu.

To exercise any of these rights, please contact us at support@repowise.ai. We will respond to your request within 30 days (or within the timeframe required by applicable law).


VI. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act ("CCPA") provides you with additional rights regarding your personal information:

  • Right to know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to delete — You may request deletion of your personal information, subject to certain legal exceptions.
  • Right to opt-out of sale — We do not sell your personal information. We have not sold personal information in the preceding 12 months.
  • Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at support@repowise.ai. We will verify your identity before processing your request.


VII. International Data Transfers

RepoWise, Inc. is based in the United States and our Service infrastructure is hosted on Amazon Web Services (AWS) in the United States. If you access the Service from outside the United States — including from the European Economic Area (EEA), the United Kingdom, or Switzerland — your information, including personal data, will be transferred to and processed in the United States.

We take the following measures to ensure your data is protected during international transfers:

  • Contractual safeguards — We enter into appropriate data transfer agreements with our service providers, including Standard Contractual Clauses (SCCs) approved by the European Commission where required.
  • Technical safeguards — We implement robust technical measures, including encryption in transit (TLS/HTTPS) and at rest (AES-256), zero retention of source code, strict access controls, and audit logging.
  • Organizational safeguards — We maintain confidentiality obligations with all service providers and limit data access to what is strictly necessary to provide the Service.

As additional data transfer frameworks become available or applicable (such as the EU-US Data Privacy Framework), we may certify under and rely on such frameworks to support lawful data transfers.

By using the Service, you consent to the transfer of your information to the United States and to the processing of your information in the United States in accordance with this Privacy Policy.


VIII. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:

  • Notify affected users via email without undue delay, and no later than 72 hours after becoming aware of the breach, where feasible
  • Notify the relevant supervisory authority within 72 hours, as required by GDPR and applicable law
  • Provide details including: the nature of the breach, the categories of data affected, the approximate number of users affected, the likely consequences, and the measures taken or proposed to address the breach

Where the breach is unlikely to result in a risk to the rights and freedoms of individuals, notification to users may not be required, consistent with GDPR Article 34.


IX. Cookie Policy

We use cookies and similar technologies to operate the Service.

Types of Cookies We Use

The Service uses only essential cookies — these are strictly necessary for the Service to function, including authentication and session management. Essential cookies do not require your consent under applicable privacy laws (including the GDPR and ePrivacy Directive) because the Service cannot operate without them.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

Your Cookie Choices

Because we only use essential cookies, no cookie consent banner is required. You can control cookies through your browser settings; however, disabling essential cookies may prevent the Service from functioning properly.

If we introduce non-essential cookies in the future (e.g., analytics), we will update this policy and implement a cookie consent mechanism before deploying them.

Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. Because we do not use tracking or advertising cookies, our Service's behavior does not change in response to DNT signals.


X. Automated Decision-Making

The Service uses artificial intelligence (AWS Bedrock) to analyze source code and generate context files. This AI processing is used solely to produce documentation outputs and does not involve automated decision-making that produces legal effects concerning you or similarly significantly affects you, as described in GDPR Article 22. No decisions about your account status, access rights, pricing, or eligibility are made by automated means without human involvement.


XI. Data Retention

We retain your Personal Information for as long as your account is active or as needed to provide the Service.

Source code: Deleted promptly after processing — zero retention. No source code is ever persisted to permanent storage.

Generated context files: Retained as long as your repository is connected to the Service. Deleted when you disconnect the repository.

Account data: Retained for the duration of your account. Upon account deletion, your personal data will be deleted within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance, tax records).

Billing records: Retained for the period required by applicable tax and financial regulations.

Audit logs: Retained for security and compliance purposes for up to 12 months.


Our Service may contain links to third-party websites or services (e.g., GitHub, GitLab, Bitbucket, Stripe). We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing them with your information.


XIII. Changes to Our Privacy Policy

We reserve the right to update this Privacy Policy at any time. Significant changes will be communicated via email or a prominent notice on the Site, with at least 30 days' notice before taking effect. Non-material changes take effect immediately. You should periodically review this page for updates.


XIV. Contact Us

If you have any questions regarding this Privacy Policy, or if you wish to exercise any of your data protection rights, please contact us at:

Email: support@repowise.ai

For GDPR-related inquiries, you may also contact our data protection team at the same email address.

Last Updated: March 21, 2026