Privacy Policy
Last updated: 2026-05-26
01 Introduction
EDITH (“we”, “us”, “edith.expert”) builds a SaaS product that audits AI-generated web applications. This Privacy Policy explains what personal data we collect when you use our website, dashboard, GitHub App, browser extension, MCP server, or any other EDITH-branded service (collectively, the “Service”), how we use that data, and your choices.
We are a registered business operating EDITH on the domain edith.expert. For any privacy question, contact us at support@edith.expert.
02 Data we collect
Account data
When you sign in via GitHub OAuth, we receive your GitHub username, display name, email address, avatar URL, and the OAuth access token required to call the GitHub API on your behalf. We store these in our user database so we can show you your repositories and post PR comments under your installation.
Repository scan data
When you install the EDITH GitHub App on a repository and trigger a scan (manually or via webhook), we fetch the repository's file tree and the contents of files we recognise as scannable (source code, configuration files, schemas). We parse this content server-side to run our static analysis checks, store the resulting issues, scores, and metadata, and discard the raw source files at the end of the scan. We never persist your full source code; we keep only the small code snippets (typically 1-3 lines) attached to each finding for context.
Search Console data
If you connect your Google Search Console account, we receive a refresh token from Google scoped to webmasters.readonly. We use it to pull aggregated search-analytics data (impressions, clicks, CTR, position) for the properties you bind to your EDITH repositories. We never modify your Search Console settings. You can revoke this access at any time from your Google Account settings or by clicking “Disconnect” on your EDITH dashboard.
Extension telemetry
If you install the EDITH browser extension and sign it into your account, it sends the following from the pages you actively scan: URL, page title, Core Web Vitals measurements, a snapshot of the rendered <head> metadata, and any console errors captured during the probe window. The extension never reads form inputs, cookies, or local storage from the pages you visit. We store this telemetry against your account to surface it on your dashboard.
Usage and product analytics
We log technical events necessary to operate the Service: API requests, scan triggers, billing events, errors, and aggregated performance metrics. These logs include your IP address and user agent and are retained for up to 90 days for security and debugging purposes.
Billing data
When you upgrade to a paid plan, our payment processor (PayU) collects and processes your payment information directly. EDITH stores only a non-sensitive customer reference, plan tier, subscription status, and invoice metadata. We do not store full card numbers, CVVs, or banking credentials on our servers.
03 How we use your data
- To operate the Service. Run scans, generate fix prompts, post PR comments, sync Search Console data, render your dashboard, send transactional emails (login links, invoices, critical alerts you opt into).
- To improve product quality. Aggregate, de-identified metrics about which checks fire most often, average scan duration, and feature usage. We never use the contents of your source code to train machine-learning models.
- To prevent abuse. Rate-limit, detect anomalous traffic, investigate fraud, comply with applicable law.
- To communicate with you. Send service notices, billing receipts, and (only with your opt-in) product updates.
04 Sub-processors
EDITH uses a small set of vetted infrastructure providers to operate the Service. We have data-processing terms in place with each. The current list:
- Supabase (PostgreSQL hosting + auth) — primary database and user authentication store. Region: their default data-centre for our project.
- Vercel (compute + edge network) — hosts the web app, API routes, and the cron orchestrator.
- GitHub (source repository access) — only the repositories you explicitly install the EDITH App on are accessible to us.
- Anthropic (Claude API) — generates the natural-language fix-prompts and runs the LLM citation tracker. We send only the issue context relevant to the prompt, never your entire codebase.
- Google — Search Console API (only with your OAuth consent), Cloud authentication services.
- Inngest — background job queue for scan workers and cron-triggered tasks.
- PayU — payment processor. They directly receive your billing details and return a customer reference to EDITH.
- Slack (optional) — only if you supply an ops webhook to receive your own alerts.
05 AI and LLMs
EDITH uses large-language models in two clearly-scoped ways:
- Fix-prompt generation. When you expand an issue, we send the issue title, severity, dimension, file path, line number, and a small snippet of the affected code to Anthropic's Claude API. Claude returns a natural-language fix prompt. We cache the result so the same issue is not re-sent.
- LLM citation tracking. Periodically, we ask Claude what it knows about your brand and parse the response for citations. The query sent to Claude contains only the brand name and the question template; it does not contain your source code or user data.
We have configured our API integrations such that Anthropic and other AI providers do not use the data we send to train their underlying models. We do not enable any kind of long-term memorisation of customer content.
06 Google user data
EDITH's use of Google user data conforms to Google's API Services User Data Policy, including the Limited Use requirements.
What we access
The only Google scope EDITH requests is https://www.googleapis.com/auth/webmasters.readonly. This grants read-only access to your Search Console properties (the list of verified sites and their search-analytics data). We do not request access to Gmail, Drive, Contacts, Calendar, or any other Google service.
How we use it
We pull aggregated search-analytics data (impressions, clicks, CTR, average position) and store the result in our database against your EDITH organisation. We use this exclusively to render the SEO dashboard, correlate ranking data with on-page findings, and surface low-hanging-fruit recommendations to you. We do not transfer, sell, or use your Google user data for advertising or other commercial purposes.
Revoking access
You can disconnect Google at any time at myaccount.google.com/permissions or from your EDITH dashboard. When you disconnect, we immediately delete the refresh token and stop syncing new data. Existing aggregated metrics in your dashboard remain until you delete your account.
07 GitHub data
EDITH operates as a GitHub App that you (or an organisation admin) install on specific repositories. We request the minimum permissions required: contents:read (to fetch source for scanning), pull_requests:write (to post PR comments and status checks), and metadata:read.
You can revoke the installation at any time at github.com/settings/installations. When you do, we stop receiving webhooks for that repo. Existing scan history is retained per the retention rules below until you delete it or your account.
08 Data retention
- Account data — kept while your account is active and for 30 days after you delete it, then permanently removed.
- Source code fetched during scans — held only for the duration of the scan (typically < 2 minutes), then deleted. Never persisted.
- Scan results, issues, scores — retained for the lifetime of your account or until you delete the repository, whichever comes first.
- Search Console metrics — last 90 days rolling.
- Operational logs — 90 days.
- Billing records — retained for the legally-required period (typically 7 years for tax purposes).
09 Your rights
You have the following rights regarding your personal data, subject to applicable law:
- Access. You can request a copy of the personal data we hold about you.
- Correction. You can update inaccurate data directly in your dashboard, or contact us.
- Deletion. You can delete your account at any time from Settings, which removes your personal data (subject to limited legal-hold exceptions).
- Portability. You can export your scan history and findings as JSON from the dashboard.
- Objection / withdrawal of consent. You can revoke any OAuth grant (GitHub, Google) at the source provider; we honour that immediately.
- Complaint. If we mishandle your data, you have the right to lodge a complaint with your local data-protection authority.
To exercise any of these rights, email support@edith.expert. We respond within 30 days.
11 Security
We use industry-standard controls to protect your data: TLS in transit, encrypted database storage at rest, row-level security policies on all sensitive tables, principle-of-least-privilege for service-role keys, and regular dependency vulnerability scanning (EDITH itself runs against EDITH). We do not store plaintext API keys or OAuth secrets in version control. Service tokens are rotatable from your dashboard.
No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to support@edith.expert and we will acknowledge within 72 hours.
12 Children
EDITH is a tool for professional software developers and is not directed to anyone under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
13 International data transfers
Our infrastructure providers may process data in the United States, European Union, India, or other regions. Where required by law, we rely on appropriate transfer mechanisms (Standard Contractual Clauses or equivalent). By using the Service, you consent to your data being processed in these regions.
14 Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where required, notify you by email or in-app banner. Continued use of the Service after a change constitutes acceptance.
15 Contact us
Questions, requests, or complaints — email support@edith.expert. For urgent security disclosures, mark the subject line “SECURITY” and we will prioritise.