Legal

Privacy policy

This policy describes how we process personal data when you use PR Clarity and this website, with EU/UK-oriented rights and GDPR legal bases. Replace bracketed placeholders (for example, [PRIVACY_EMAIL]) before you publish, and have qualified counsel review the final text.

Version: 1.0 — Last updated: 24 April 2026

1. Who we are

PR Clarity is a product operated by [LEGAL_ENTITY_NAME] (we, us, our).

Controller: [LEGAL_ENTITY_NAME]
Registered address: [REGISTERED_ADDRESS]

Privacy contact: [PRIVACY_EMAIL]

If you are in the EEA, UK, or Switzerland and we are required to appoint a representative, that contact is: [EU_UK_REPRESENTATIVE_OPTIONAL] (or state “not applicable” if you do not appoint one).

2. Summary

PR Clarity is a GitHub App that reads pull request material you expose to the app, generates plain-language summaries, and may store certain outputs and operational records in our systems. We also operate this website (for example, marketing pages, a contact form, and optional sign-in to customer areas where enabled).

We do not use your private repository content to train general-purpose or public machine learning models. Third-party providers (for example, hosting, database, model inference, email delivery, and error monitoring) may process data on our instructions as sub-processors, including outside the EEA/UK, as described below.

3. Scope and who this applies to

This policy applies to:

  • Individuals associated with a GitHub account or organization that installs or uses the PR Clarity GitHub App (for example, repository metadata, pull request fields, and developer identifiers visible via GitHub).
  • Visitors to our website and people who use the contact form or optional dashboard login where offered.

It does not cover GitHub’s own privacy practices, which are governed by GitHub’s terms and policies.

4. Categories of personal data

Depending on how you use PR Clarity, we may process:

  • GitHub and repository context: installation and repository identifiers, organization or account logins, repository names, pull request numbers, titles, author logins, PR body text, commit SHAs, and the code, patches, and file paths needed to produce a summary (including repository config such as a .prclarityrc file when present). Some of this is retrieved via GitHub’s APIs when processing a supported pull request event.
  • Generated content and product records: summary text and related structured fields we compute (for example, goal, change bullets, and impact notes) and related operational records such as analytics or audit events we store to run, secure, and improve the service, where applicable.
  • Website and support: if you use the contact form, your name, email address, company (optional), message, and associated technical data such as IP address and browser user agent that we may store for anti-abuse, support, and record-keeping.
  • Account login (if enabled on your deployment): GitHub profile identifiers and email for customer or admin access features we provide.
  • Logs and reliability: server and application log events (which may include technical identifiers and repository or PR context in log lines), and error and performance data sent to an error or logging provider when configured.

We do not ask you to provide special categories of data (for example, health). If such information appears inside a pull request, it may be processed like other PR content; avoid submitting sensitive data there.

5. Purposes and legal bases (GDPR)

We process personal data for the following purposes, on the following bases:

  • Providing the PR Clarity service (generating and posting comments, persisting product data needed for features such as history or analytics, enforcing limits, and communicating with GitHub) — Art. 6(1)(b) GDPR (performance of a contract with the customer or pre-contractual steps) and, where that does not apply to specific processing, Art. 6(1)(f) GDPR (our legitimate interests in delivering a reliable developer tool).
  • Security, abuse prevention, and compliance (for example, idempotency keys for webhooks, rate limiting, administrative restrictions where applicable, and compliance with law) — Art. 6(1)(f) GDPR and, where required, Art. 6(1)(c) GDPR (legal obligation).
  • Contact and support requests you send us — Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR (depending on the request).

Where we rely on legitimate interests, you may object as described in Section 10. We will then assess whether we must stop or narrow that processing, subject to our other legal rights and obligations.

6. Recipients and sub-processors

We use service providers who process data on our instructions. Depending on your deployment, these may include:

  • GitHub, Inc. (pull requests, app installation, API access) — GitHub privacy statement
  • Hosting and serverless (for example, Vercel) for the web app and related infrastructure.
  • Database (for example, managed PostgreSQL) for product data.
  • Model inference (for example, OpenAI or another provider you configure) for generating summaries. Prompts and related context you send to the model provider are subject to their terms and, where applicable, a data processing agreement.
  • Email delivery (for example, Resend) for contact or transactional messages when configured.
  • Error monitoring and logging (for example, Sentry, Better Stack / Logtail) when enabled.

We will update a sub-processor list as our providers change. For enterprise customers, we can provide additional detail or contractual commitments on request, subject to signature of appropriate agreements.

7. International transfers

Our operations and our providers may be located in the United States or other countries outside the EEA/UK/CH. Where we transfer personal data from the EEA, UK, or Switzerland to countries not covered by an adequacy decision, we will rely on appropriate safeguards (for example, the EU Commission’s standard contractual clauses, UK Addendum, and Swiss references as applicable) and, where required, a transfer impact assessment. You may request a copy of the relevant safeguards or links by contacting us at the address above.

8. Retention

We keep personal data only as long as necessary for the purposes in Section 5, including to:

  • operate the service, recover from failure, and resolve disputes; and
  • meet legal, tax, and accounting requirements where they apply.

For example, short-lived idempotency records for certain webhook flows may be deleted on a rolling basis (our infrastructure supports automatic cleanup of records older than a short window). Other product records (such as generated summaries) may be retained for the lifetime of a repository or account relationship unless a different schedule is agreed, or you exercise your deletion rights, subject to legal holds.

Exact retention can depend on [RETENTION_TABLE_OR_LINK] (insert a customer-facing table or a link to your internal schedule when finalized).

9. Security

We implement technical and organizational measures appropriate to the risk, such as access controls, encryption in transit where supported by the platforms we use, secrets management, and least-privilege access to production systems. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Your rights (EEA, UK, and similar laws)

Subject to conditions and limitations in law, you may have the right to:

  • access, rectify, or erase personal data we hold about you;
  • restrict or object to certain processing;
  • data portability, where the right applies;
  • withdraw consent, where we rely on consent; and
  • lodge a complaint with a supervisory authority.

To exercise these rights, contact [PRIVACY_EMAIL]. We may need to verify your identity. If we process data as a processor on behalf of a GitHub organization, we may need to refer certain requests to that organization’s administrator.

11. Supervisory authority

If you are in the EEA, you may lodge a complaint with your local supervisory authority. If you are in the UK, you may contact the Information Commissioner’s Office (ICO). A list of EU authorities is available from the EDPB.

12. Children

PR Clarity is not directed at children under 16, and we do not knowingly process their personal data. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.

13. Changes to this policy

We may update this policy to reflect product, legal, or operational changes. We will post the revised version on this page and adjust the “Last updated” date. If changes are material, we will take additional steps as required by law (for example, a notice in the app or by email, where we have your address).

14. Contact

For privacy questions or to exercise your rights, email [PRIVACY_EMAIL]. You can also use the contact form on our home page for general inquiries, though rights requests are easier to handle by email to the address above.

This document is provided to help you describe PR Clarity’s data practices. It is not a substitute for legal review. [LEGAL_COUNSEL_REVIEW_NOTES]