Legal

Security & What We Store

Last updated July 6, 2026

This document is a plain-language template provided for convenience — it is not legal advice. Have a qualified attorney review and adapt it (contacts, jurisdiction, specifics) before relying on it.

Slovey reads engineering discussion to build your team’s decision memory. The most common question we get is “you’re reading my code — what exactly do you keep?” This page is the plain-English answer.

1. What we store

  • Decisions, not source. The memory is built from pull-request titles, descriptions, review comments, and documentation (READMEs, ADRs, docs folders). What we persist are the extracted decisions— short statements like “we rejected Redis for session storage because…” — with links back to the PRs they came from.
  • Embeddings. Numeric vectors of those decisions (not of your source code) so search and PR matching work.
  • Check results. For each PR we check: the PR number, title, author, verdict, and the comment we posted.
  • Account data. Your GitHub login, email, and avatar from sign-in; org membership and roles you configure.

2. What we never store

  • Your codebase. Diffs are read transiently during a check or extraction and are not persisted. There is no copy of your repository in our database.
  • Secrets. The Preflight CLI redacts anything key-shaped from command output before it leaves your machine, and the hosted secret-scan blocks key-shaped strings in submitted changes rather than storing them.

3. How it’s protected

  • Connector tokens (Linear, Notion, Slack) are encrypted at rest with AES-256-GCM and are never returned by any API after you save them.
  • CLI tokens are stored only as SHA-256 hashes, compared in constant time, revocable at any moment from the dashboard, and scoped to a single repository.
  • Webhooks from GitHub and Stripe are signature-verified before a single byte is processed.
  • Tenancy is enforced on every API route: your data is only reachable by members of your organization, with role-based read/write separation.
  • Transport & storage. TLS everywhere; the database (Supabase Postgres) is encrypted at rest by the provider.

4. Deleting your data

Uninstalling the GitHub App stops all ingestion. Deleting a repository connection deletes its decisions, embeddings, and check history (cascading deletes at the database level). For full account deletion, contact us and we remove the organization and every associated row.

5. Questions

Security question or something you’d like to report? Email us — we read everything and respond fast.