Privacy Policy

Last updated: March 6, 2026

What We Collect

From GitHub OAuth

When you sign in, we receive your GitHub user ID, username, display name, and avatar URL. We use read:user scope only — we cannot access your repositories, code, organizations, or any other GitHub data.

Content You Submit

We store the messages, source files, and documents you upload to your review sessions. This data is stored in an encrypted database on our server and is only accessible to you (and server administrators for operational purposes).

API Keys

If you add an OpenRouter API key, it is encrypted with AES-256 (Fernet symmetric encryption) before storage. The plaintext key is never written to disk or logs. It is decrypted in memory only during your review sessions, then discarded. All key operations are recorded in an audit log.

Personal API Keys

If you generate a personal API key for MCP/REST access, we store only a SHA-256 hash — we cannot recover the plaintext key. If you lose it, generate a new one.

How We Use Your Data

  • To run the Service — your content is sent to AI model providers (via OpenRouter) for analysis during reviews
  • To display your sessions — messages, reviews, and synthesis results are stored so you can access them later
  • To authenticate you — GitHub profile data identifies your account

Third-Party AI Providers

Your content is processed by AI models from Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini), and xAI (Grok), routed through OpenRouter. Each provider has its own data processing policies. We recommend reviewing them if you work with sensitive material.

What We Don't Do

  • We don't sell your data
  • We don't use your content to train AI models
  • We don't track you with analytics or advertising pixels
  • We don't share your data with third parties beyond the AI providers needed to run reviews

Data Retention

Your sessions and content are stored indefinitely unless you delete them. You can delete individual sessions from the sessions page. If you want all your data removed, contact us.

Security

  • All traffic is encrypted via HTTPS (TLS)
  • API keys encrypted at rest with AES-256
  • Application runs as an unprivileged system user with sandboxed permissions
  • Database backed up daily to a private repository
  • SSH hardened, fail2ban active, all unnecessary ports closed

Your Rights

You can:

  • Delete your sessions and uploaded content at any time
  • Remove your API key at any time from Settings
  • Request full account deletion by emailing us

Contact

council@stardreamgames.com