RepoFold
← Back to RepoFold

Privacy Policy

Last updated: 12 July 2026

RepoFold is operated by Benji, registered with the Dutch Chamber of Commerce (KVK) under number 96684062, established in the Netherlands (the "controller" under the GDPR). Contact: info@repofold.dev. This policy describes what personal data we process, why, and what your rights are.

What we process

  • Account data. When you sign in with GitHub we receive your GitHub ID, username, display name, avatar, and email address.
  • Repository data. Source code of repositories you connect is processed temporarily to generate documentation and is deleted when the indexing job finishes. Derived data remains: the generated wiki, file hashes, symbol and language metadata, and summaries. Details are on the Security page.
  • Usage data. Job runs, token usage and cost per repository, rate-limit counters, and timestamps such as when an API key was last used. We use this to operate the service, enforce limits, and prevent abuse.
  • Content you submit. Questions you ask the wiki, page feedback, and feedback messages you send us.
  • Technical logs. Server logs and, when enabled, error reports (stack traces with request context) for reliability monitoring.

Why we process it (legal bases)

  • Providing the service (performance of a contract): account handling, indexing your repositories, generating and serving wikis, MCP access.
  • Security and abuse prevention (legitimate interest): rate limiting, token budgets, API key verification, logging.
  • Improving the service (legitimate interest): reviewing feedback and aggregate usage. We do not profile you and we do not sell data.

Subprocessors

  • GitHub (Microsoft): source of your repositories and sign-in provider.
  • DeepSeek: AI model provider. Selected source excerpts and derived repository context are sent to DeepSeek's API to generate and verify documentation. This may involve transfer of data outside the European Economic Area. Connect only repositories for which you accept this processing.
  • Hetzner Online GmbH (Germany, EU): hosting. Application data and backups are stored on servers in the EU.
  • Sentry: error monitoring, when enabled, receiving error reports with technical request context.

Retention

  • Account data: until you delete your account.
  • Generated wikis and analysis metadata: until you delete the repository or your account.
  • Temporary source copies: deleted when the indexing job finishes.
  • Database backups: rotated after 7 days.
  • Usage records: kept while your account exists, for limits and (future) billing.

Cookies

RepoFold uses only functional cookies: a session cookie that keeps you signed in and a CSRF cookie that protects forms. These are strictly necessary for the service, so no consent banner is required. We use no advertising, analytics, or tracking cookies of any kind, which you can verify: the Content-Security-Policy on every page blocks third-party scripts entirely. Error monitoring also works without cookies; it only transmits a report when an error occurs.

Your rights

Under the GDPR you can request access to, correction of, deletion of, or export of your personal data, object to processing based on legitimate interest, and withdraw consent where processing is based on it. Most of this is available directly in the app: deleting a repository or your account removes the associated data immediately. For anything else, email info@repofold.dev; we respond within 30 days. You also have the right to lodge a complaint with the Dutch supervisory authority, Autoriteit Persoonsgegevens.

Security

Technical measures (encryption at rest, hashed keys, signed webhooks, strict browser protections) are described on the Security page.

Changes

We may update this policy. Material changes will be announced in the application; the date above always reflects the current version.