Privacy & Security
Your code is yours. We never store it, log it, or share it.
Read-only access
We only read your repository files through the GitHub API. We never write to, modify, or fork your code.
Code is never stored
Your source code is fetched, analyzed in memory, and immediately discarded. Only the analysis results (scores, issues, burns) are saved — never your code.
No logs, no retention
Source code is not written to application logs, databases, or any persistent storage. The app authors have no access to your code at any point.
Your access, your control
Private repo access uses the RoastMyCode GitHub App with read-only permissions. You can uninstall the app anytime from your GitHub settings.
How analysis works
1. You paste a GitHub URL and hit “Roast My Code.”
2. We fetch your repository files via the GitHub API (using the GitHub App for private repos, or unauthenticated for public repos).
3. The code is sent to an LLM (via OpenRouter) for analysis. The LLM provider processes it in memory and does not retain it after the request.
4. We save the analysis results — grades, issues, burns, and recommendations — to our database.
5. Your source code is discarded. It is not saved to any database, file system, or log.
Third-party services
- OpenRouter — routes LLM requests. They do not store prompts or completions by default. Inputs are categorized for metrics and then discarded. They have opted out of model training with AI providers where possible.
- Langfuse — LLM observability. We use it for trace structure and performance metrics only. Prompt and completion content recording is disabled — no source code is sent to Langfuse.
- Supabase — hosts our database. Stores analysis results and user accounts only, never source code.
- GitHub — provides authentication via OAuth. Signing in only requests your email and profile. Private repo scanning uses our GitHub App with read-only access to repository contents — we never have write access to your code.
- PostHog — anonymous product analytics (page views, scan counts). No code or repo contents are sent.
Data you can delete
You can delete any scan from the report page. This permanently removes the scan record, report, and all associated issues from our database. You can also revoke GitHub OAuth access from your GitHub settings.
Questions?
If you have questions about how we handle your data, reach out at josiah@roastmycode.ai.