Privacy Policy
Effective April 23, 2026
1. What We Collect
When you sign in with GitHub, we receive your GitHub user ID, username, email address, and avatar URL. When you install the Arbor GitHub App, we receive repository metadata (names, visibility, branch info) needed to run analyses. We do not store your source code.
2. How We Use It
We use your data solely to: (a) authenticate you and maintain your session; (b) run pull-request analyses on repositories you have authorised; (c) display results in your dashboard; (d) process payments if you subscribe to a paid plan.
3. Data Retention
Analysis results are retained for 90 days on paid plans and 7 days on the free plan. You can request deletion of your account and associated data at any time by emailing support@getarbor.dev.
4. Third-Party Services
We use the following sub-processors: Neon (PostgreSQL database, US East), Render (API hosting, US East), Vercel (frontend hosting, global CDN), Stripe (payment processing). Each operates under its own privacy policy.
5. GitHub App Permissions
The Arbor GitHub App requests read access to repository contents and pull requests, and write access to post PR comments and check runs. We request the minimum permissions necessary and never access repositories you have not explicitly installed the App on.
6. Cookies
We use a single session cookie to keep you signed in (NextAuth.js JWT). We do not use tracking cookies or third-party advertising cookies.
7. Security
All data is transmitted over TLS. Secrets are stored as environment variables, never in source code. Webhook payloads are verified with HMAC-SHA256 signatures before processing.
8. Your Rights
You may request access to, correction of, or deletion of your personal data at any time. Contact us at support@getarbor.dev. We will respond within 30 days.
9. Changes
We will notify users of material changes to this policy by email or via a banner on the dashboard.
10. Contact
Privacy questions: support@getarbor.dev.