The paper trail

Data handling, without the runaround

What Wiseguy Review can access, what we retain, and where review data travels.

Effective July 16, 2026

GitHub access

The GitHub App is configured for Contents: Read, Pull requests: Read and write, Issues: Read and write, and Metadata: Read. Contents are read to assemble review context. Pull-request and issue access lets us publish reviews, maintain the summary, and process @wiseguy commands. Metadata is required by GitHub.

During installation, a separate GitHub OAuth authorization verifies that the signed-in user can access the installation. That user access token is used for the verification request and is not stored.

What we do and do not store

Not persisted: repository source, diffs, webhook request bodies, model prompts containing source, GitHub installation tokens, and raw provider responses. These values must not enter Postgres, application logs, analytics, or error reports.

Persisted: installation and repository identifiers, repository visibility and configuration, pull-request metadata, review status and timing, provider/model names, token and cost counts, finding paths and line numbers, customer-visible review comment text, billing records, webhook delivery identifiers, and source-free audit events.

Review comments can include a small suggested replacement selected for publication. GitHub stores the posted comment, and Wiseguy retains the same customer-visible comment text so the dashboard and audit trail remain accurate.

Retention and deletion

  • Finding and customer-visible comment text is hard-deleted after 400 days.
  • Uninstalling immediately suspends access. Installation-scoped records are hard-deleted within 30 days.
  • A verified manual deletion request is completed within 7 days. Contact [email protected].
  • A narrowly scoped, audited legal or incident hold can delay deletion until the hold is released.

Model providers

RouteProviderControl
BulkOpenRouter and an explicit operator-configured host allowlistRequests require data collection denied, zero-data-retention capable routing, and provider fallbacks disabled.
EscalationAnthropic APIDirect commercial API requests. Anthropic documents deletion within 30 days by default unless stricter retention terms apply.

Operators can stop all model traffic or either provider with deployment kill switches. Provider models and allowlists are launch configuration, not customer data.

Subprocessors

  • GitHub — source of repository context and destination for reviews.
  • DigitalOcean — App Platform application, worker, and scheduler hosting, plus managed PostgreSQL and Valkey.
  • OpenRouter and its configured model hosts — bulk inference.
  • Anthropic — escalation inference.
  • Stripe — subscription and payment records; Stripe does not receive source code.
  • Sentry, when enabled — error reporting after request bodies, source-bearing fields, secrets, and review-engine locals are removed.

Security contact and changes

Report security concerns to [email protected]. We ask for 90 days to investigate and coordinate disclosure. Material edits to this page will update the effective date and be recorded in the repository history.