Data policy · plain English
What AntFleet collects, where it goes, and what we don't do.
One page. No legalese. The privacy boundary is simple: the public /receipts page renders only an anonymized repo hash, never the raw owner/repo string. Everything else stays in our database, accessible only to us under authenticated query.
What we collect
When you install the AntFleet GitHub App on a repo, the webhook receives events for every pull-request open or synchronize. For each such event we receive — and store — the PR's diff against base, the list of changed files, the commit SHA, the PR number, and the identifiers GitHub needs us to authenticate back as the App installation (installation id, owner, repo).
We then send the changed-file content to two model providers in parallel for review. Their full responses (raw JSON, including any findings they generate) are persisted in our database. After posting the agreed findings (those both providers report) as a PR comment, we record the comment id and url so the sweeper can later reconcile each finding against main. Daily, the sweeper polls maintainer reactions on those posted comments at the 24-hour, 7-day, and 30-day marks.
Where it goes
Three places, each with a different access boundary:
- Model providers
  - Anthropic (Claude Opus 4.7) and OpenAI (GPT-5) receive the changed-file contents and our review prompt over their respective APIs. Both providers' API terms forbid training on API inputs by default. We don't opt in to any training arrangement on customer code. Provider policies: Anthropic · OpenAI.
- Our database
  - Postgres at Vercel Marketplace (Neon), in the EU region. Three tables: reviews, finding_status, maintainer_reactions. Schema is documented in apps/web/db/schema.ts. Per-customer raw rows are accessible only via explicit auth (database credentials, not the web app).
- GitHub
  - Agreed findings are posted as a comment on your PR. When the sweeper detects the finding is no longer present on main, a closure-receipt comment is posted on the same PR. These comments live on GitHub's event log and are governed by GitHub's terms, not ours.
Public vs private
The /receipts page is the public artifact, and it is opt-in per install (default: off). Until you explicitly enable public receipts for a repo, none of its closed findings reach the public page. The review still runs, the comment still posts to your PR, and the sweeper still closes findings, but the resulting receipts stay private to your install. The v1.5 customer dashboard will expose the toggle; until it ships, enabling public receipts requires a request to privacy@antfleet.dev.
When public visibility is enabled, each row contains the severity, category, finding title, PR number, the closing commit SHA (shortened), and an anonymized repo label, repo <8-char-prefix>, where the prefix is the first 8 hex characters of the SHA-256 digest of the owner/repo string. The full owner/repo string is not rendered on the public page. The label is a stable pseudonym rather than a secret: the hash is unsalted, so anyone who already knows or can guess a candidate owner/repo can compute the same prefix and confirm a match, and a 32-bit prefix can in principle collide between two repos.
The receipt link, however, points at the actual PR comment on GitHub — for installs on public repos, the URL itself contains owner/repo and the comment content is publicly visible. This is intentional and load-bearing: the link is the receipt, and a third-party-witnessed artifact only counts because anyone can click and verify the SHA on GitHub. The opt-in gate above is what ensures you choose whether your repo participates in this public surface at all.
The raw owner/repo, raw diff content, raw provider responses, and per-customer maintainer-reaction history live only in our database and are not exposed on any public surface, regardless of the public-receipt setting.
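As an added illustration (example code, not AntFleet's own), the TypeScript below reproduces the label scheme described above and the allow-list projection a public receipt row needs. The record field names, the 7-character short SHA, and the absence of any normalisation before hashing are assumptions, not facts from this page. The matchLabel function shows the limit of the scheme: because the hash is unsalted, the label is a pseudonym, not a secret.

```typescript
import { createHash } from "node:crypto";

// Added example; not AntFleet's code. Reproduces the public-receipt label
// described in the policy (first 8 hex characters of SHA-256 over the
// "owner/repo" string) and the allow-list projection a public /receipts row
// would apply. Field names below are assumptions, not the real schema.

export interface RawFinding {
  owner: string;
  repo: string;
  prNumber: number;
  severity: string;
  category: string;
  title: string;
  closingSha: string;             // full commit SHA on main
  commentUrl: string;             // the PR comment the receipt links to
  diff: string;                   // database-only, never published
  providerResponses: unknown[];   // database-only, never published
  publicReceiptsEnabled: boolean; // per-install opt-in, default false
}

export interface PublicReceipt {
  severity: string;
  category: string;
  title: string;
  prNumber: number;
  shortSha: string;
  repoLabel: string;
  url: string;
}

// Label as the policy describes it. Assumption: the raw "owner/repo" string is
// hashed as-is, with no case folding or other normalisation.
export function repoLabel(owner: string, repo: string): string {
  const digest = createHash("sha256").update(`${owner}/${repo}`, "utf8").digest("hex");
  return `repo ${digest.slice(0, 8)}`;
}

// Allow-list projection: the public row is built by naming each published
// field, not by deleting private fields from the raw record, so a column added
// to the database later cannot reach the public page by default.
// Returns null when the install has not opted in.
export function toPublicReceipt(f: RawFinding): PublicReceipt | null {
  if (!f.publicReceiptsEnabled) return null;
  return {
    severity: f.severity,
    category: f.category,
    title: f.title,
    prNumber: f.prNumber,
    shortSha: f.closingSha.slice(0, 7), // assumption: GitHub-style 7-char short SHA
    repoLabel: repoLabel(f.owner, f.repo),
    url: f.commentUrl, // contains owner/repo for public repos; the policy says this is intentional
  };
}

// What the label does not hide: it is an unsalted hash of a guessable string,
// so anyone holding a candidate list can confirm which repo a label belongs to.
export function matchLabel(
  label: string,
  candidates: Array<[string, string]>,
): Array<[string, string]> {
  return candidates.filter(([owner, repo]) => repoLabel(owner, repo) === label);
}

// Constructed sample record for illustration; not real data.
export const sampleFinding: RawFinding = {
  owner: "example-org",
  repo: "example-repo",
  prNumber: 42,
  severity: "high",
  category: "injection",
  title: "Unescaped user input reaches SQL query builder",
  closingSha: "0123456789abcdef0123456789abcdef01234567",
  commentUrl: "https://github.com/example-org/example-repo/pull/42#issuecomment-1",
  diff: "--- a/db.ts\n+++ b/db.ts\n...",
  providerResponses: [{ findings: [] }, { findings: [] }],
  publicReceiptsEnabled: false,
};

console.log(toPublicReceipt(sampleFinding)); // null: install has not opted in
console.log(toPublicReceipt({ ...sampleFinding, publicReceiptsEnabled: true }));
console.log(
  matchLabel(repoLabel("example-org", "example-repo"), [
    ["other-org", "other-repo"],
    ["example-org", "example-repo"],
  ]),
);
```

Building the public row field by field is what keeps the boundary in the previous paragraph true as the schema grows: a new column in reviews or finding_status cannot appear on /receipts unless someone adds it to toPublicReceipt. The matchLabel call is the check a practitioner should run before treating the label as anonymity rather than pseudonymity.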
What we don't do
- We do not train models on your code. We use provider APIs under terms that exclude API inputs from training.
- We do not sell, share, or syndicate your data to third parties beyond the two model providers required to run the review.
- We do not use your code, repo identifiers, or finding titles in marketing, case studies, or sales conversations without explicit written opt-in.
- We do not bot-comment beyond the two comment types described above (the review comment on PR open, and the closure receipt when the finding is resolved).
Eval corpus (opt-in, off by default)
We are building a curated public eval corpus of (bug, accepted-fix, severity) tuples to drive provider/agent routing decisions over time. Participation is opt-in per repo, off by default, and contributions are anonymized on the same boundary as the receipts page (repo_hash only). When this opt-in surface ships, it will live in the per-customer dashboard with a clear toggle and a preview of exactly what tuples would be contributed before any data leaves.
Until that surface ships, no eval-corpus extraction happens.
Removal
To uninstall: revoke the GitHub App from your repo or organization settings. The webhook stops firing immediately.
To request deletion of historical rows (reviews, finding_status, maintainer_reactions) attached to your owner/repo, email privacy@antfleet.dev. Deletion of our DB rows is straightforward. The PR comments and closure-receipt comments posted to GitHub live on your repo's event log; you control whether to delete those, and we can issue API calls on your behalf if you authorize it via the same email.
Changes to this policy
We'll post material changes to this page and stamp a new last-updated date below. Substantive changes — anything affecting where data flows or what's collected — will also be announced via the design-partner channel before they take effect.
Last updated: 2026-05-17