Privacy Policy

Last updated: June 2026

Replokit ("we", "us") helps teams inventory the cloud, database, and AI services their code depends on. This policy explains what we collect, how we use it, and your choices. Questions: support@replokit.com.

What we collect

  • Account data: your email, display name, and authentication identity (via GitHub or email).
  • Repository data (read-only): repository metadata and the contents of dependency, environment-example, infrastructure, and CI configuration files — read solely to detect the services your code uses.
  • Derived findings: the services, dependencies, and AI models we detect, with file paths as supporting evidence.
  • Usage & diagnostics: basic logs and error reports to operate and improve the service.

What we do NOT collect

  • We do not store your source code — only derived findings and evidence references.
  • We do not read secret values — environment files are parsed for key names only. Any token-shaped string shown is masked to its last 4 characters.
  • We never write to your repositories and never open pull requests.

How we use data

We use your data to provide the infrastructure inventory and insights, to secure and operate the service, and to communicate with you about your account. We do not sell your data or use it for advertising.

Sub-processors

We share data with these providers strictly to operate the service:

  • Supabase — database & authentication
  • Vercel — application hosting
  • Sentry — error monitoring
  • Resend — transactional email
  • Anthropic — AI-powered insights (only when that feature is enabled)
  • GitHub — accessed read-only to perform scans

Security & encryption

  • In transit: all traffic is encrypted with TLS 1.2+.
  • At rest: the database is encrypted with AES-256.
  • Sensitive values (any access tokens or provider credentials) are additionally encrypted at the application layer with AES-256-GCM before storage — they are never stored in plaintext.
  • Repository access uses a GitHub App with read-only Contents and Metadata permissions and short-lived installation tokens.
  • Isolation: every workspace's data is separated with row-level security.
  • Secrets we find in your code are masked (last 4 characters only) before storage — the raw value is never persisted.

Code analysis — no AI training

Code analysis is performed by deterministic parsers. Your source code is not sent to any AI or large language model and is not used to train any model. We store only derived findings (service names and file-path evidence), never your source code.

Retention & deletion

We retain your data while your workspace is active. You can permanently delete your account and all associated data at any time, self-serve, from the application's Settings. Deletion is immediate and irreversible.

Your rights

Subject to applicable law (including GDPR), you may access, correct, export, or delete your personal data. Contact support@replokit.com and we will respond promptly.

Changes

We may update this policy; material changes will be reflected by the "last updated" date above.