## Plain-English summary
Attestly helps companies generate compliance documents from their codebase. To do that, we read your repository (with read-only GitHub access), analyze it, and generate documents using AI. We don't sell your data, and we don't train models on your code.
- What we read: the repos you connect, on a read-only basis.
- What we keep: findings (e.g. “detected OpenAI”), not your source files.
- What we never do: train models on your code, share with third parties beyond named subprocessors, or write to your repo.
## Information we collect
### Information you provide
- Account details (name, email) via Clerk authentication.
- Workspace facts you supply during onboarding (legal entity name, jurisdiction, customer types, contact email).
- Billing information processed by Stripe; we never receive full card numbers.
### Information from connected services
- Read-only access to selected GitHub repositories (code, package manifests, file paths).
- Repository metadata such as default branch and last push timestamp.
### Usage information
- Pages visited, features used, error reports.
- IP address and user-agent for security and rate-limiting.
## How we use information
- To run scans and generate your AI Trust Center, Privacy Policy, DPA, and OSS attribution.
- To detect drift on every pull request and alert your reviewers.
- To operate, secure, and improve the service.
- To comply with legal obligations.
Legal bases (GDPR): contract (Art. 6(1)(b)) for service delivery; legitimate interests (Art. 6(1)(f)) for security and improvement; legal obligation (Art. 6(1)(c)) where applicable; consent (Art. 6(1)(a)) for optional features.
## GitHub access
When you connect GitHub, we request the read:user, user:email, and repo scopes. The repo scope is used solely to clone repositories you explicitly select; we never push commits or modify any code. Source code is downloaded into a short-lived ephemeral environment, scanned, and discarded once the scan completes. We persist findings (detected vendors, file:line citations) — not your source files.
## AI processing
Document generation uses OpenAI APIs. Inputs sent to the model include scanner findings and the workspace facts you provided — never your raw source code. OpenAI's API processes data per their API data usage policy and does not use API inputs to train their models by default.
## Sharing & subprocessors
We share information only with the following subprocessors, each bound by a written data-processing agreement:
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel, Inc. | Application hosting | United States |
| Neon, Inc. | Managed Postgres database | United States |
| Clerk, Inc. | Authentication | United States |
| OpenAI, L.L.C. | AI document generation | United States |
| Stripe, Inc. | Payments | United States |
| Resend Inc. | Transactional email | United States |
| Inngest, Inc. | Background jobs | United States |
We do not sell personal information. We do not share data with advertising networks.
## Retention
- Account data: until you delete your account.
- Findings and generated documents: retained for the life of your workspace and for 30 days after deletion.
- Audit logs: 13 months.
- Source code archives: deleted immediately after each scan.
## Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, Quebec Law 25, Australian Privacy Act), you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to processing or opt out of certain disclosures. To exercise any of these rights, email privacy@attestly.dev.
## International transfers
Attestly is operated from the United States. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses and apply supplementary measures where required.
## Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- SSO + MFA enforced for all employees.
- Least-privilege access controls and audit logging.
- Annual third-party security review.
## Children
Attestly is not directed to children under 16 and we do not knowingly collect personal information from children.
## Changes
Material changes will be announced by email at least 30 days in advance. Past versions of this policy are available on request.
## Contact
Attestly Inc. · Privacy Office
Email: privacy@attestly.dev