Privacy policy

This policy applies to cloud-connected CLI features, the hosted dashboard and APIs at https://difflore.dev, GitHub App integrations, billing flows, support, and public product pages. Local-only CLI use remains on your machine unless you log in, sync, upload observations, or install/connect a cloud integration.

• Account data: email, display name, avatar, OAuth provider IDs, team memberships, roles, and authentication/session records.
• Product data: rules, candidate rules, file patterns, origins, confidence signals, settings, review memory, and related governance decisions.
• GitHub App data: repository installation metadata, pull request metadata, review comments, thread context, merge metadata, and webhook delivery records needed for review extraction.
• Limited code context: difflore does not upload full repository snapshots as a normal telemetry path. Some cloud features may process file paths, review comments, small diff excerpts, prompts, generated patches, or accepted-outcome context when you explicitly use cloud ingestion or managed inference.
• Billing data: billing customer IDs, subscription IDs, invoice references, plan status, and usage/overage records. The configured billing provider handles payment card numbers and payment-method details.
• Operations data: IP address, user agent, request timestamps, endpoint usage, errors, webhook events, audit logs, and security logs.

We use data to operate, secure, debug, and improve the service; sync rules and settings; provide retrieval and explainability workflows; run review extraction and team governance; process managed inference; prevent abuse; provide billing; and respond to support requests.

We do not sell personal data.

In managed mode, difflore may send the minimum task context needed for review extraction, embeddings, Reviewer Context, or explicitly enabled accepted-outcome workflows to configured model providers. In BYOK mode, inference is routed to your selected provider using your key where supported, and hosted managed capacity limits may differ.

Depending on enabled features, deployment mode, and environment configuration, difflore may use these subprocessors or categories:

• GitHub
• Stripe
• Anthropic
• OpenAI
• Voyage AI
• Cloud hosting provider
• Managed PostgreSQL / Redis provider

Processing regions currently configured for public disclosure: United States.

• Local CLI data remains under your control on your machine.
• Retained while your account or workspace is active, then deleted or anonymized according to the active retention policy.
• Operational logs are currently retained for approximately 30 days unless needed longer for security, abuse prevention, legal, or billing records.
• You may request export or deletion by contacting hello@difflore.dev.

difflore uses TLS in transit, access controls, audit logs, encrypted secrets where supported, scoped GitHub App installation tokens, and hosted payment collection through Stripe. No system can guarantee absolute security.

DPA status: Available for Enterprise plans during procurement.

SOC 2 status: Not certified yet; security documentation is available on request.

Depending on your jurisdiction, you may have rights to access, correct, delete, export, or restrict processing of personal data. Contact hello@difflore.dev for privacy requests.

Privacy: hello@difflore.dev . Security: hello@difflore.dev . Support: hello@difflore.dev.