Privacy Policy
Last updated: 3 May 2026
Privacy at a glance
- Heymow Studio runs TriRev. When you install TriRev on a GitHub repo, we receive what GitHub forwards (the diff, file context for files under 500 lines, PR metadata) and process it to produce one review comment.
- We don't keep your code. Diff content lives in transient memory only. After the review job completes, it's gone from our infrastructure. We keep operational metadata (install ID, review counts, billing events) so we can run the service.
- We don't train any model on your code. Anthropic, our AI provider, may keep inputs up to 30 days for safety review under their Commercial Terms; that's their commitment, version-pinned below.
- You have the GDPR rights. Access, deletion, portability, rectification, objection, all of them. Email support@trirev.dev and we respond within 30 days.
- If something is wrong, you can complain to the CNIL. The full sub-processor list, retention durations, lawful basis, and Schrems II framing are in the sections below.
1. Who we are
This service is operated by Heymow Studio. The legal structure behind Heymow Studio is a French sole proprietorship (auto-entrepreneur), Khaled Chehab EI, registered at 173 rue de Courcelles, 75017 Paris, France, SIREN 999208556. For data protection purposes, that legal entity is the data controller.
References below to "TriRev", "we", "us", or "our" mean Heymow Studio acting in its capacity as the operator of the TriRev service.
Privacy contact: support@trirev.dev. Heymow Studio does not meet the GDPR Article 37 thresholds that would require the appointment of a formal Data Protection Officer; the contact email is the right address for any privacy question, request, or complaint.
2. What data we process
2.1 Code and pull request data
When you install TriRev on a repository and a pull request triggers a review, we process:
- The diff (changed lines) of the pull request.
- The contents of files touched by the diff, but only for files smaller than 500 lines, in order to give the AI reviewer enough context.
- Pull request metadata: title, source and target branch names, author username, PR number, repository identifier.
What we do not do: we don't clone the repository, don't read files outside the diff context window, don't access branches other than those involved in the pull request, and don't retain any of this content after the review job completes (see Section 4).
2.2 Operational metadata
To run the service, bill correctly, and meet our reliability obligations we keep:
- Installation identifier (assigned by GitHub).
- Review counts per installation per calendar month (used to enforce the Free plan quota).
- Plan type (Free, Pro, Team) and seat count where applicable.
- Billing event timestamps (subscription created, upgraded, downgraded, cancelled).
- Service logs strictly necessary for operating the platform (error traces, latency, abuse signals), with personal identifiers redacted where reasonably possible.
2.3 Account-level data received from GitHub
When the App is installed, GitHub provides us with:
- The organization or user identifier on which the App is installed.
- The installation owner's email address, where exposed by the GitHub Marketplace API.
3. Lawful basis (GDPR Article 6)
- Code and pull request data: Article 6(1)(b) (necessary for the performance of the review service contract).
- Operational metadata: Article 6(1)(f) (legitimate interest in service reliability, abuse prevention, and accurate billing). You can object to this processing under Article 21; objecting may end your ability to use the service, since we cannot run a metered Free plan without review counts.
- Marketplace billing data (payment instrument, billing address, invoices): processed by GitHub Inc. under Article 6(1)(b) for its own contractual relationship with you. We are not the controller for that data. See GitHub's privacy statement for details.
4. How long we keep your data
- Code and pull request content: not retained. The diff, file context, and PR metadata listed in Section 2.1 exist only in transient memory for the duration of the review job and are discarded when the job completes.
- Operational metadata: kept for as long as the installation is active, plus a tail of up to 90 days after uninstall to support reinstall, dispute resolution, and abuse review. We then purge this data within 7 days.
- Billing event records: kept for 10 years to comply with the French Code de commerce (Article L.123-22) and applicable tax law. These records contain transaction timestamps and amounts, not the underlying code.
- Service logs: kept up to 30 days for operational and security purposes, then deleted or fully anonymized.
5. Sub-processors
TriRev relies on the following sub-processors. We commit to giving 30 days' advance notice (via the GitHub Marketplace listing and the "Last updated" date on this page) before adding or replacing any sub-processor.
| Sub-processor | Country | Role |
|---|---|---|
| Anthropic PBC, 548 Market St PMB 90375, San Francisco, CA 94104, USA | USA | AI inference for the review (large language model API). TriRev uses the Anthropic Commercial API with standard data retention: Anthropic may retain inputs and outputs for up to 30 days for trust and safety review under its Commercial Terms. TriRev has not enabled the Anthropic Zero-Retention option at MVP. |
| Railway Corp, 548 Market St #34059, San Francisco, CA 94104, USA, https://railway.com | USA | Hosting infrastructure (compute, managed Postgres, object storage). |
| GitHub Inc. (a Microsoft subsidiary) | USA | Distribution platform, source of the diff data we receive via webhook, and billing intermediary for paid plans. |
| Gandi SAS, 63-65 boulevard Massena, 75013 Paris, France | France (EU) | Email infrastructure for support@trirev.dev and other @trirev.dev aliases. |
6. International data transfers (Schrems II)
Some of our sub-processors are based in the United States. We don't consider that neutral; here's the transfer mechanism for each:
- Anthropic PBC (USA): relies on the EU-US Data Privacy Framework certification. We have reviewed Anthropic's published privacy and security commitments and consider them adequate for the categories of data transferred.
- Railway Corp (USA): relies on Standard Contractual Clauses under EU Commission Implementing Decision 2021/914, supplemented by our Transfer Impact Assessment.
- GitHub Inc. (USA): relies on its parent Microsoft's EU-US Data Privacy Framework certification. The data flow from GitHub to us originates with you, the customer, who has chosen to install a Marketplace application.
Data processed by Gandi SAS remains in the European Union; no transfer mechanism is required for that flow.
7. Your rights
If the GDPR applies to you, you have these rights:
- Access (Art. 15): get a copy of the personal data we hold about you.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17), also known as the "right to be forgotten".
- Restriction (Art. 18): ask us to limit how we use your data while a dispute is resolved.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7), where processing is based on consent.
To exercise any of these rights, email support@trirev.dev. We respond within 30 days. We may need to verify your identity before acting on a request.
If you believe we haven't handled your data properly, you have the right to lodge a complaint with the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), at www.cnil.fr, or with the supervisory authority of your country of residence.
8. Children
TriRev is a developer tool aimed at professional software teams. It's not directed at children. We rely on GitHub's age gate (13 years in the United States, 16 years in jurisdictions where the GDPR applies) and don't knowingly process the personal data of users under 16. If you believe a child under 16 is using TriRev through your installation, please contact us at support@trirev.dev and we'll take appropriate action.
9. California residents (CCPA / CPRA)
If you're a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. The categories of personal information we collect are:
- Identifiers (GitHub username, installation owner email).
- Commercial information (plan type, billing event timestamps).
- Internet or other electronic network activity (operational logs tied to webhook traffic).
We don't sell personal information. We don't share personal information for cross-context behavioural advertising. To exercise California rights (know, delete, correct, limit), email support@trirev.dev. We won't discriminate against you for exercising these rights.
10. AI transparency (EU AI Act, Article 50)
TriRev's review output is generated by an AI system. You're informed of this every time, by a visible header on each PR comment that TriRev posts. The output is advisory: it's intended to assist human reviewers, not to replace them. You remain responsible for the decision to merge, edit, or ignore any suggestion. See our Review agents documentation for further detail on the model used, its limitations, and known failure modes.
11. Security
We take technical and organisational measures appropriate to the risk, including TLS in transit, encryption at rest for stored operational metadata, secret rotation, least-privilege access control, network isolation of our database (private network only), and routine dependency vulnerability scanning. No system is perfect; if you discover a vulnerability, please contact support@trirev.dev.
12. Changes to this policy
If we make material changes to this policy, we'll give at least 30 days' advance notice by updating the "Last updated" date at the top of this page and by posting a notice on the GitHub Marketplace listing. Continued use of TriRev after the effective date of the change means you accept the updated policy. If you don't accept it, you can uninstall the App at any time.
13. Contact
Heymow Studio
Email: support@trirev.dev
Address (for legal correspondence): 173 rue de Courcelles, 75017 Paris, France
Legal form: Khaled Chehab EI (French auto-entrepreneur), SIREN 999208556