Privacy Policy

Last updated: June 2, 2026

This policy covers three surfaces operated by Reviu: the public website (reviu.dev), the Reviu desktop application, and the Reviu backend that the desktop application connects to when you sign in with GitHub. Sections 4 and 5 describe the desktop application specifically.

1. Data Controller

• Controller: Joris Gallot
• Privacy contact: contact@reviu.dev

2. Data We Process

Depending on your use of Reviu, we may process:

• Contact details you provide (for example, support email messages).
• Account data from GitHub OAuth (GitHub user id, email, name, avatar URL, and the OAuth access token used to call the GitHub API on your behalf).
• Session metadata when you are signed in (session token, IP address, user agent).
• Subscription metadata related to billing and plan status (handled through Polar).
• Crash and error reports from the desktop application, sent to Sentry (see section 5).
• Aggregate website traffic and sampled session replay on reviu.dev (see section 3).
• Anonymous desktop feature usage events (event name, application version, operating system, and a random per-install device identifier), only if you opt in (see section 5.5).

3. Website Analytics and Session Replay (Umami, Cookieless)

We use Umami in cookieless mode on the marketing website for aggregate traffic insights and sampled session replay. Session replay helps us understand navigation, scrolling, and interaction issues on public marketing pages.

Form input values are masked in replay recordings, but text already visible on public pages may appear. We do not use non-essential analytics cookies for this setup. If analytics implementation changes in the future and non-essential cookies are introduced, this policy and consent handling will be updated accordingly. The desktop application does not embed website-style page analytics or session replay; the only Umami usage on the desktop is the opt-in product analytics described in section 5.5.

4. Desktop Application: What Stays Local

Reviu is a desktop Git client. The following data is read, written, and processed only on your own device, and is not transmitted to the Reviu backend or any third party:

• The contents of your local Git repositories: working tree files, file diffs, commit history, commit messages, branch and tag names, stashes, and remote URLs.
• SSH keys and SSH agent material used for Git operations. Reviu uses the system SSH agent and does not read SSH private keys itself.
• Local application state stored under your user config directory (~/.config/reviu/ on Linux, the platform equivalent on macOS and Windows), including:
  • reviu.sqlite: recent repositories, theme, pinned repositories, keyboard shortcuts, GitHub home tab preferences, command usage timestamps.
  • logs/reviu.log: rolling local debug log, truncated to a small size.
  • agent-chats/ and agent.json: local agent conversation history (pruned after 30 days) and agent settings.
  • crash-reports/pending.json: pending crash reports awaiting your review before being sent (see section 5).
• The GitHub OAuth access token used by the desktop application, which is stored in the operating system keychain (Keychain on macOS, libsecret on Linux, Credential Manager on Windows) under the service name reviu_auth. It is held in memory while the app is running and is not written to plain files.

5. Desktop Application: What Is Transmitted

The desktop application talks to a limited set of services. Each is listed below with the data involved.

5.1 Reviu backend (GitHub API proxy)

When you sign in with GitHub (a paid Reviu Pro feature), GitHub notification, repository, pull request, issue, and review data is fetched through the Reviu backend rather than directly from your device. The backend acts as an authenticated proxy to the GitHub API using your OAuth token, and caches GitHub responses (PR metadata, commit messages, file metadata, branches, contributor info, notifications) in Redis to reduce GitHub rate limit usage and improve responsiveness. ETag and Last-Modified headers are used so cached entries can be revalidated.

The backend persists in its database: your GitHub account data (user id, email, name, avatar URL, OAuth access and refresh tokens, token expiry, granted scopes), session metadata (session token, IP address, user agent), and subscription state. It does not receive or store the contents of your local Git repositories.

5.2 GitHub

Git network operations (fetch, push, clone) talk directly to your configured Git remotes (typically GitHub) over SSH or HTTPS, using your existing credentials. GitHub API calls made on your behalf are subject to GitHub's own privacy policy.

5.3 Sentry (crash and error reports)

The desktop application uses Sentry for crash and error reporting. Reports include: stack traces, panic location, thread name, operating system and architecture, application version and build profile, and a small amount of in-app context (current page, the name of the active Git repository hashed with SHA-256, the current branch name, the relative path of the selected file, and for GitHub views the owner/repo/PR number).

Authorization headers, cookies, OAuth tokens, and password-shaped fields are stripped from outgoing reports before sending. Startup crashes are first written to ~/.config/reviu/crash-reports/pending.json so you can review them on the next launch.

5.4 Polar (billing)

We use Polar as our subscription and billing provider. When you start a Reviu Pro subscription, your email and subscription status are shared with Polar so it can manage payments and entitlements. Payment details (card numbers, etc.) are processed by Polar and its payment partners according to their security and compliance standards, and are not seen or stored by Reviu.

5.5 Umami (desktop product analytics)

The desktop application sends anonymous feature usage events to a Reviu-operated Umami instance. Each event contains: an event name (for example agent_opened, terminal_opened, commit_made), the application version, the operating system, and a random device identifier generated on first launch and stored locally. This identifier is not linked to your GitHub account or email.

The following are never transmitted: repository contents, file paths, diffs, commit messages, branch or remote names, GitHub data, your IP address (stripped at ingestion), or any other personally identifying information. Product analytics is enabled by default and can be disabled at any time from the in-app settings; disabling it stops further event collection immediately.

The desktop application does not contact any other third-party services. It does not embed PostHog, Google Analytics, or any usage analytics SDK other than the opt-in Umami integration described above.

6. Purposes and Legal Bases (EEA/UK)

• Provide and operate the service (performance of a contract).
• Handle support and service communications (legitimate interests and/or contract).
• Maintain security, abuse prevention, reliability, and product quality, including crash diagnostics (legitimate interests).
• Comply with accounting, tax, and legal obligations (legal obligation).
• Measure aggregate desktop feature usage to prioritize product work (legitimate interests, based on anonymous events with no personal identifiers and a one-click opt-out in the in-app settings).

7. Hosting and Infrastructure

The Reviu backend and website are hosted on infrastructure provided by Hetzner (EU). Website and desktop analytics are collected by a self-hosted Umami instance at analytics.jorisgallot.dev, also hosted in the EU. Sentry receives crash reports on its US ingestion endpoint. Polar processes billing on its own infrastructure.

8. Data Sharing

We do not sell personal data. We share data with service providers (Sentry, Polar, Hetzner) only as needed to provide the service, process subscriptions, secure infrastructure, and comply with legal obligations.

9. International Transfers

If personal data is transferred outside your jurisdiction (for example, crash reports sent to Sentry in the United States), we rely on appropriate safeguards where required by law, such as Standard Contractual Clauses.

10. Retention

We retain personal data only as long as necessary for service delivery, legal compliance, dispute resolution, and enforcement of agreements. Local agent chat history on your device is pruned after 30 days. Anonymous desktop product analytics events are retained in Umami for up to 6 months before being deleted or aggregated. You can delete your local application state at any time by removing the Reviu config directory.

11. Your Rights (EEA/UK)

Subject to applicable law, you may request access, rectification, deletion, restriction, objection, and portability of your personal data.

12. US and California Privacy Notice

If US state privacy laws apply to your data, you may have rights to know, access, delete, and correct personal information, and to exercise non-discrimination rights when using those rights.

13. Contact

contact@reviu.dev