Data & Privacy

Privacy & access

What Gitsprout does with your repository access, what API calls it makes, and what happens to your data.

Read-only access

Gitsprout only ever reads your commit history. It cannot push code, create branches, or modify anything in your repositories.

Your token is never stored

Your personal access token is used only to fetch your commits during the active request. It is never written to a database, never logged, and discarded immediately after.

Minimum permissions

Use a fine-grained token scoped to read-only repository access. Gitsprout warns you if your token has permissions broader than it needs.

Raw commits are discarded

Commit data is processed in memory and discarded after the report is generated. Only your final report is saved, not the underlying commits.

API calls we make

Every request Gitsprout makes on your behalf. No writes, ever.

GitHub

api.github.com
GET /user
GET /user/orgs
GET /user/repos
GET /orgs/{org}/repos
GET /repos/{owner}/{repo}/commits
GET /repos/{owner}/{repo}/pulls
GET /repos/{owner}/{repo}/issues/{number}

GitLab

gitlab.com/api/v4
GET /user
GET /personal_access_tokens/self
GET /groups
GET /projects
GET /projects/{id}/repository/commits
GET /projects/{id}/merge_requests

Azure DevOps

dev.azure.com/{org}
GET /_apis/projects
GET /_apis/connectiondata
GET /{project}/_apis/git/repositories
GET /{project}/_apis/git/repositories/{repo}/commits
GET /{project}/_apis/git/repositories/{repo}/pullrequests
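
To audit a proxy or token-activity log against the endpoint lists above, this added example (not Gitsprout's own code) compiles the lists into a matcher and returns every request that falls outside them. The sample log entries, the function names, and the HTTPS requirement are assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoint templates copied from the lists above: host -> (base path, templates).
ALLOWED = {
    "api.github.com": ("", [
        "/user", "/user/orgs", "/user/repos", "/orgs/{org}/repos",
        "/repos/{owner}/{repo}/commits", "/repos/{owner}/{repo}/pulls",
        "/repos/{owner}/{repo}/issues/{number}"]),
    "gitlab.com": ("/api/v4", [
        "/user", "/personal_access_tokens/self", "/groups", "/projects",
        "/projects/{id}/repository/commits", "/projects/{id}/merge_requests"]),
    "dev.azure.com": ("/{org}", [
        "/_apis/projects", "/_apis/connectiondata",
        "/{project}/_apis/git/repositories",
        "/{project}/_apis/git/repositories/{repo}/commits",
        "/{project}/_apis/git/repositories/{repo}/pullrequests"]),
}

# One path segment, but never "." or ".." (rejects traversal-style paths).
SEGMENT = r"(?!\.\.?(?:/|$))[^/]+"

def _compile(template):
    # Literal parts are escaped; each {placeholder} becomes one SEGMENT.
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile(SEGMENT.join(re.escape(p) for p in parts))

PATTERNS = {host: [_compile(base + t) for t in templates]
            for host, (base, templates) in ALLOWED.items()}

def is_documented(method, url):
    """True only for an HTTPS GET whose exact host and path match a listed endpoint."""
    u = urlsplit(url)
    # Requiring https is an assumption; the page lists hosts without a scheme.
    if method.upper() != "GET" or u.scheme != "https":
        return False
    return any(p.fullmatch(u.path) for p in PATTERNS.get(u.hostname or "", []))

def audit(requests):
    """Return the (method, url) pairs that fall outside the documented list."""
    return [(m, u) for m, u in requests if not is_documented(m, u)]

# Constructed sample log entries (not real traffic).
SAMPLE = [
    ("GET", "https://api.github.com/repos/acme/widgets/commits?per_page=100"),
    ("GET", "https://gitlab.com/api/v4/projects/acme%2Fwidgets/merge_requests"),
    ("POST", "https://api.github.com/repos/acme/widgets/pulls"),
    ("GET", "https://api.github.com/repos/acme/widgets/contents/README.md"),
]
```

Calling `audit(SAMPLE)` returns the last two entries: a write method on a listed path, and a read of an endpoint that is not on the list.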

Common questions

Does Anthropic train on my commit data?

No. Gitsprout uses the Claude API, and Anthropic explicitly state that API inputs and outputs are not used for model training.

Can my employer or anyone else see my reports?

Reports are private to your account. No data is shared between accounts, and no one at Gitsprout reads your generated reports.

Can I delete my reports?

Yes, any time. Each report in the sidebar has a delete button. Deletion is immediate and permanent.

Do I need to trust Gitsprout with a token that has broad access?

No. We recommend a fine-grained token with read-only repository access. Gitsprout will warn you if your token has permissions broader than it needs.

Still have questions about how your data is handled? hello@talksprout.com