Privacy Policy

Last updated: June 10, 2026

Sealrepo is built so that the most sensitive thing — your source code — is something we cannot see, not merely something we promise not to look at. This policy explains the small amount of data we do hold, why, and your rights over it.

What we never see

Your source code, your encryption keys, your passphrase, your recovery code, your escrow passphrase, and plaintext access codes. Encryption happens on your device; only opaque ciphertext ever reaches our servers (and only if you enable cloud escrow). We cannot decrypt it, and neither can anyone who compromises our servers.

What we store, and why

• Your email, hashed password, and display name — to run your account.
• Project metadata (name, description, an opaque repo fingerprint) and team membership (member emails, roles) — to render your dashboard and enforce access.
• Hashed temporary access codes and their lifecycle metadata — never the plaintext code.
• An audit log of account, project, and access events (IP address, user agent, action, timestamp) — so you can see who did what, when.
• CLI device records (hostname, platform, CLI version, token) — so you can review and revoke paired devices.
• Billing identifiers from Stripe (customer and subscription IDs, plan, seat count) — we never see or store your card number.
• If you enable cloud escrow: an encrypted blob we cannot open. That is the point of it.

Who processes data for us

We use a small set of processors: Amazon Web Services (hosting), Cloudflare (DNS, TLS, and proxying), Stripe (payments), and Resend (transactional email). Each receives only what its function requires. We do not sell personal data, and we do not use advertising trackers.

Cookies

We set first-party session cookies so you stay signed in. No analytics, advertising, or third-party tracking cookies.

Retention & deletion

We keep account data while your account is active. After you close your account we delete or anonymize it within 90 days, except minimal records we must retain for legal, billing, or security reasons. Audit log entries age out on a rolling basis.

Your rights

You can access, correct, export, or delete your personal data. Depending on where you live (for example the EU/UK under GDPR), you may have additional statutory rights, including complaint to a supervisory authority. For business customers who need a data-processing agreement (DPA), contact us. For any request, email [email protected] and we will respond within 30 days.

Changes

If we make material changes to this policy we will notify you by email or in-app before they take effect.