Legal

Privacy Policy

Last updated: March 3, 2026

You are trusting us with access to your source code. We take that responsibility seriously. This policy explains clearly and plainly what data we collect, how we use it, and what we never do with it.

01 Introduction & Our Commitment

Zapat is an AI-powered engineering automation platform. When you use Zapat, you connect your GitHub repositories and allow our AI agents to read your issues, write code, open pull requests, and request reviews. That means you are placing significant trust in us — and we will not betray it.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and how you can control your data. We have written it to be readable by a human, not just a lawyer.

By using Zapat, you agree to the practices described in this policy. If you have questions, email support@zapat.ai.

02 Information We Collect

Account Information

When you sign in with GitHub, we receive your GitHub profile information: your name, email address, avatar, username, and organization memberships. We use this to create and manage your Zapat account.

Repository Data

When you install the Zapat GitHub App, we receive access to the repositories you authorize. This includes repository names, issue content, pull request content, and source code — accessed only to perform the operations you have requested (see Source Code Handling for details). We also receive GitHub webhook events (issue labels, PR events) to trigger the pipeline.

Usage Data

We collect data about how you use Zapat: jobs run, features used, pipeline outcomes, pages visited in the dashboard, and error logs. This data is aggregated and used to improve the service.

Billing Information

Payments are processed by Stripe. We do not store your payment card details. We store only your Stripe customer ID, subscription plan, and billing status — the minimum needed to manage your account.

Device & Browser Information

We collect standard browser and device data (IP address, browser type, operating system, referring URLs) for analytics, debugging, and security purposes.

03 How We Use Your Information

  • To operate the service: Running AI agents to process your issues, opening pull requests, coordinating review teams, and delivering results to your repositories.
  • To improve the service: We analyze aggregate usage patterns — which features are used, where jobs fail, what pipeline configurations work best. We do NOT read your code for training purposes. See Source Code Handling below.
  • To communicate with you: Service status updates, billing notifications, feature announcements, and support responses. You can opt out of non-essential communications at any time.
  • To ensure security: Abuse prevention, rate limiting, fraud detection, and protecting the integrity of the platform for all users.

04 Source Code Handling

The most important section for developers

Your source code is yours. We access it only to perform the specific operations you have requested. Here is exactly what we do and do not do with your code:

  • Code is accessed only to complete the job you triggered — reading the relevant files, writing the implementation, opening the pull request.
  • Code is sent to Anthropic's Claude API for AI processing. Anthropic's data handling is governed by their usage policies (anthropic.com/policies).
  • In BYOC (Bring Your Own Compute) mode, code never leaves your infrastructure. Only job metadata flows through Zapat.
  • We do NOT use your code to train AI models — ours or anyone else's.
  • We do NOT store your source code after a job completes. Code is processed in-memory and discarded.
  • We do NOT access code outside the repositories you have explicitly authorized.
  • No Zapat employee reads your source code without your explicit written permission.

Anthropic processes code sent to Claude API subject to their data handling policies. We recommend reviewing anthropic.com/policies if you have specific requirements around AI data processing.

05 Third-Party Services

We use the following third-party services to operate Zapat. Each has its own privacy practices.

Anthropic (AI processing)

  • Data shared: Source code and issue content relevant to the current job
  • Why: Powers the AI agents that write and review code

GitHub (Source control integration)

  • Data shared: OAuth profile, webhook events, repo read/write access
  • Why: Core integration — where your issues and PRs live

AWS (Infrastructure)

  • Data shared: All data processed and stored in AWS (Lambda, DynamoDB, SQS)
  • Why: Compute, storage, and message queuing

Stripe (Billing)

  • Data shared: Payment details (Stripe handles directly), subscription plan
  • Why: Subscription billing and payment processing

Google Analytics (Analytics)

  • Data shared: Anonymized usage data: pages visited, session duration, referral source, browser/device type
  • Why: Understand how visitors use the marketing site and dashboard to improve the experience

06 Data Retention

  • Source code: Not retained after job completion
  • Job metadata: Retained for the lifetime of your account
  • Event logs: 90 days
  • Billing records: As required by applicable law (typically 7 years)
  • Account data: Deleted within 30 days of account deletion request

07 Data Security

We implement industry-standard security measures across the entire platform:

  • Encryption in transit via TLS 1.2+ on all connections
  • Encryption at rest via AES-256 through AWS managed keys
  • Least-privilege access controls — each service can only access what it needs
  • No Zapat employee accesses user code without explicit written permission
  • GitHub App credentials stored in AWS Secrets Manager
  • SOC 2 compliance in progress — we are working toward certification

No system is perfectly secure. If you discover a security vulnerability, please email support@zapat.ai and we will respond promptly.

08 Your Rights

Regardless of where you live, you have the following rights over your data:

  • Access: Request a copy of the personal data we hold about you.
  • Export: Download your job history, configuration, and account data.
  • Deletion: Delete your account and all associated data within 30 days.
  • Opt-out: Unsubscribe from non-essential communications (product updates, marketing). Transactional emails (billing, security) cannot be disabled while your account is active.

GDPR Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have additional rights under the GDPR: the right to rectification, restriction of processing, data portability, and the right to lodge a complaint with your local supervisory authority. To exercise these rights, contact support@zapat.ai.

CCPA Rights (California Users)

California residents have the right to know what personal information we collect, to delete that information, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising these rights.

09 Cookies & Tracking

We use a minimal set of cookies:

Essential cookies

Session management and authentication. Required for the service to function. Cannot be disabled.

Analytics cookies

We use Google Analytics (GA4) to collect aggregate usage data — pages visited, session duration, referral source, and device type. IP addresses are anonymized. No personally identifiable data is collected. You can opt out via Google's browser add-on.

Advertising cookies

We do not use advertising cookies or sell data to ad networks.

You can manage cookie preferences in your browser settings. Disabling essential cookies will prevent you from logging in.

10 Children's Privacy

Zapat is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact support@zapat.ai and we will delete it promptly.

11 International Data Transfers

Zapat is operated in the United States. If you are accessing the service from outside the US, your data may be transferred to and processed in the US and other countries where AWS operates. We rely on Standard Contractual Clauses and other appropriate safeguards for international data transfers in compliance with applicable law.

12 Changes to This Policy

We will update this policy as our practices change. For material changes — changes that meaningfully affect how we handle your data — we will notify you by email at least 30 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

13 Contact

If you have questions about this policy or want to exercise your rights, contact our privacy team:

Zapat Support

Email: support@zapat.ai

We aim to respond to all privacy requests within 5 business days.