Privacy Policy
Last updated: April 27, 2026
Fixor (“we”, “our”, or “us”) provides automated security review for GitHub pull requests. This Privacy Policy explains what data we access, what we store, who else processes it, and what control you have. We try to keep the policy short and concrete — if anything is unclear, contact us (section 9).
1. What we access from GitHub
When you install Fixor on a GitHub user account or organization, our GitHub App receives:
- Pull request diffs — the changed lines for each PR Fixor scans.
- Repository metadata — repo full name, PR number, head commit SHA.
- Installation events — when Fixor is installed, updated, or uninstalled.
- Your installer email (optional) — when you sign in to the dashboard with GitHub OAuth, we receive your primary email from GitHub via Clerk.
Fixor does not access issues, discussions, releases, secrets, environment variables, GitHub Actions logs, or files outside the PR diff.
2. What we store, and for how long
Fixor stores the minimum needed to deliver the service. Code from your diffs is processed in memory and is not stored in our database after the scan completes. Specifically, our database contains:
| Data | Why we store it | Retention |
|---|---|---|
| orgs: one row per GitHub installation (installation id, plan tier, monthly cap, Paddle customer / subscription ids when paid, installer email) | Identify your account, route billing, send transactional email | Until you uninstall + 30 days, then deleted |
| org_settings: severity threshold, ignored globs, enabled detectors, optional Slack webhook | Apply your filtering preferences to scans | Same as the orgs row |
| cost_ledger: one row per Anthropic API call (timestamp, USD cost, token counts; no diff content) | Enforce monthly budget caps; show your spend in the dashboard | 13 months (rolling); row-level data is then aggregated and deleted |
| scan_runs: one row per scan (repo + PR number, status, finding counts, head SHA, started/finished timestamps) | Show scan history and trends in the dashboard | Same as cost_ledger |
| audit_log: settings changes, plan changes, webhook events | Security trail for billing and settings | 2 years |
| api_tokens: SHA-256 hashes of any API tokens you generate (the plain token is shown to you once and never stored) | Authenticate API calls | Until you revoke + 30 days |
| Generated PDF + SARIF reports (object storage) | Linked from the PR comment for download | 90 days, then purged from object storage |
The PR comment itself is owned by GitHub, not us; deleting the PR or the comment is a GitHub action and we don't retain a copy.
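To make the api_tokens row concrete: the following is an added illustration of the issue-once / store-only-the-hash pattern described above. It is example code written for this page, not Fixor's own implementation; the in-memory dictionary stands in for the Postgres table, and the "fx_" prefix and the function names are hypothetical.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for the api_tokens table: SHA-256 hex digest -> org id.
# The plaintext token never enters this structure.
TOKEN_STORE: Dict[str, int] = {}


def hash_token(token: str) -> str:
    """SHA-256 of the token. No salt or slow KDF is needed here because the token
    itself carries ~256 bits of randomness, so the hash cannot be brute-forced
    the way a low-entropy password hash could be."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(org_id: int) -> str:
    """Generate a fresh token for an org, persist only its hash, and return the
    plaintext exactly once so the caller can show it to the user."""
    token = "fx_" + secrets.token_urlsafe(32)  # "fx_" prefix is a hypothetical convention
    TOKEN_STORE[hash_token(token)] = org_id
    return token


def authenticate(presented: str) -> Optional[int]:
    """Resolve a presented token to its org id by hashing it and looking up the
    digest. Returns None for unknown or revoked tokens."""
    return TOKEN_STORE.get(hash_token(presented))


def revoke(token_hash: str) -> bool:
    """Delete a token by its stored hash (the only identifier the server keeps).
    Returns True if a row was removed."""
    return TOKEN_STORE.pop(token_hash, None) is not None


if __name__ == "__main__":
    plaintext = issue_token(org_id=42)
    print("show once to the user:", plaintext)
    print("server keeps only:", list(TOKEN_STORE))
    print("authenticates to org:", authenticate(plaintext))
```

Revocation and the "until you revoke + 30 days" retention act on the stored hash, so a dashboard can list and delete tokens without ever being able to recover the plaintext.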
3. How we use your data
- Analysis. The PR diff plus minimal repo context is sent to Anthropic's Claude API and Fixor's analysis engine to detect business-logic vulnerabilities — authentication bypass, IDOR, weak admin checks, env exposure, secrets exposure, and unverified webhook handlers — and produce a precise explanation and remediation steps for each finding. Diffs are not used to train models. (See Anthropic's Trust Center for their commitments.)
- Billing. When you upgrade to a paid plan, Paddle (our merchant of record) processes the payment. We send Paddle the price id and a correlation id; Paddle returns the customer + subscription ids we store on your orgs row.
- Transactional email. We email you on first scan, on payment events (welcome / payment failed / subscription canceled), and once per calendar month if you cross 80% of your monthly Anthropic budget. We do not send marketing email.
- Diagnostics. Server logs include installation id, PR number, and error stack traces. Sensitive values (API keys, GitHub App private keys, Stripe-style ids) are redacted at the logger layer.
4. Subprocessors
The following third parties process data on our behalf:
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic | Diff analysis (Claude API) | USA |
| Neon | Postgres database (orgs, settings, ledger, audit log) | USA / EU (your project's region) |
| Railway | Backend webhook + analysis runtime | USA |
| Vercel | Dashboard hosting | USA / EU |
| Clerk | GitHub OAuth + dashboard sessions | USA |
| Paddle | Payments + merchant of record (handles VAT / sales tax) | USA / EU / UK |
| Resend | Transactional email delivery | USA |
| Cloudinary | PDF + SARIF report storage (signed URLs, 1h TTL) | USA |
| Sentry | Server error tracking | USA |
| GitHub | Webhook source; we are a GitHub App | USA |
We don't sell your data to anyone, and we don't add tracking pixels or third-party analytics on the marketing site.
5. International data transfers
Most of our subprocessors process data in the United States. If you're an EU/UK/EEA user, transferring data outside those regions relies on the Standard Contractual Clauses each subprocessor publishes. Paddle, as merchant of record, additionally handles GDPR / UK-GDPR compliance for the billing relationship.
6. Cookies and tracking
The marketing site (fixor.dev or the GitHub Pages URL) sets no cookies and runs no analytics. The dashboard sets a Clerk session cookie when you sign in — required to keep you logged in — and nothing else. We do not use third-party trackers, ad networks, or fingerprinting.
7. Your rights
- Access. Email us and we'll send you a JSON export of every row in our database that references your org.
- Deletion. Uninstall Fixor from your GitHub settings. We delete the org and its associated rows after a 30-day grace window (kept in case of accidental uninstall). Generated reports are purged on the same schedule, and in any case no later than 90 days after they were created.
- Correction. Most settings are editable directly in the dashboard. For anything else, email us.
- Portability. The JSON export above doubles as your portability artifact.
- Objection. You can opt out of transactional email by uninstalling; we don't send marketing email so there is no separate opt-out for that.
EU/UK/EEA residents have the additional rights granted by the GDPR / UK-GDPR — including the right to lodge a complaint with your local supervisory authority. California residents have the rights granted by the CCPA / CPRA. We respond to verified rights requests within 30 days.
8. Security
- GitHub webhooks are verified with HMAC-SHA256 against our shared webhook secret before any event is processed.
- Paddle webhooks are verified with HMAC-SHA256 against the Paddle webhook secret, with a 5-minute replay window.
- Installation tokens are short-lived (≤1 hour) and never stored.
- Database connections use TLS; report URLs are signed (1-hour TTL by default).
- API token strings are stored only as SHA-256 hashes; the plain token is shown to you exactly once at creation.
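The two webhook checks above, as an added example written for this page rather than Fixor's own code. The GitHub half follows GitHub's documented X-Hub-Signature-256 header ("sha256=" followed by a hex HMAC-SHA256 of the raw body). The Paddle half assumes a "ts=<unix seconds>;h1=<hex>" header signed over "<ts>:<body>", which matches Paddle's published Billing webhook format at the time of writing but should be treated as an assumption and checked against current Paddle documentation. The secrets and payloads are constructed stand-ins.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secrets; real ones live only in the backend environment.
GITHUB_WEBHOOK_SECRET = b"example-github-webhook-secret"
PADDLE_WEBHOOK_SECRET = b"example-paddle-webhook-secret"
REPLAY_WINDOW_SECONDS = 300  # the 5-minute window the policy describes


def github_signature_ok(raw_body: bytes, signature_header: Optional[str],
                        secret: bytes = GITHUB_WEBHOOK_SECRET) -> bool:
    """Verify GitHub's X-Hub-Signature-256 header against HMAC-SHA256(secret, raw body).
    Always hash the raw bytes as received, never a re-serialised JSON object."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest is constant-time; a plain == would leak via timing.
    return hmac.compare_digest(expected, signature_header[len("sha256="):])


def paddle_signature_ok(raw_body: bytes, signature_header: Optional[str],
                        now: Optional[float] = None,
                        secret: bytes = PADDLE_WEBHOOK_SECRET,
                        window: int = REPLAY_WINDOW_SECONDS) -> bool:
    """Verify a 'ts=...;h1=...' header (assumed format) over '<ts>:<body>' and
    reject events whose timestamp is outside the replay window, so a captured
    valid webhook cannot be re-sent later."""
    if not signature_header:
        return False
    parts = dict(p.split("=", 1) for p in signature_header.split(";") if "=" in p)
    ts, h1 = parts.get("ts"), parts.get("h1")
    if ts is None or h1 is None or not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > window:
        return False  # stale or future-dated: treat as a replay
    signed_payload = ts.encode() + b":" + raw_body
    expected = hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, h1)


# Sender-side helpers, used only to construct test events for this example.
def sign_github(raw_body: bytes, secret: bytes = GITHUB_WEBHOOK_SECRET) -> str:
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def sign_paddle(raw_body: bytes, ts: int, secret: bytes = PADDLE_WEBHOOK_SECRET) -> str:
    digest = hmac.new(secret, str(ts).encode() + b":" + raw_body, hashlib.sha256).hexdigest()
    return f"ts={ts};h1={digest}"


if __name__ == "__main__":
    body = b'{"action":"opened","number":7}'  # constructed pull_request event body
    print("github ok:", github_signature_ok(body, sign_github(body)))
    ts = int(time.time())
    print("paddle ok:", paddle_signature_ok(body, sign_paddle(body, ts)))
    print("paddle replay after 10 min:", paddle_signature_ok(body, sign_paddle(body, ts), now=ts + 600))
```

The replay window only helps if the receiver also rejects clock drift in both directions and if idempotency is enforced on the event id for deliveries that arrive within the window; the window bounds how long a captured event stays valid, it does not deduplicate it.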
9. Contact
Email support@fixor.dev for privacy questions, data export, or deletion requests. For non-privacy issues, you can also open a GitHub issue at github.com/tornidomaroc-web/fixor.
10. Changes
Material changes to this policy are announced on the GitHub repository and reflected on this page with an updated date at the top. Continued use of Fixor after a change constitutes acceptance of the updated policy.