Privacy Policy

Quartet ("we", "our", "us")

Effective date: April 13, 2026

1. Who We Are

Quartet is an autonomous PR review platform for GitHub teams. It operates as a GitHub App that reviews pull requests using AI and manages the review lifecycle. Quartet is operated by an independent developer and we are the data controller for all information described in this policy.

2. What Data We Collect

We collect only the minimum data necessary to operate the service.

From GitHub

Data	Why we collect it
GitHub organization and repository names	Identifies which repositories Quartet reviews
Pull request metadata (number, branch, author, SHA)	Tracks review state and lifecycle
Pull request diff content	Sent to the tenant-configured AI provider's API for code review (not stored permanently by Quartet)
GitHub user login	Displayed in review comments and audit logs

Technical data

Data	Why we collect it
IP address	Rate limiting and webhook verification
Session ID (dashboard cookie)	Maintains your authenticated dashboard session
Operational logs	Service debugging; retained for 30 days

3. What We Do Not Collect

• Passwords, payment information, real names, postal addresses, or government IDs
• Biometric data of any kind
• Cross-site tracking data or advertising profiles
• Source code beyond what is in the PR diff (we do not clone repositories)

4. How We Use Your Data

Purpose	Legal basis
Reviewing pull requests and posting review comments	Contract (service operation)
Tracking PR review state and round history	Contract
Sending PR diff content to your configured AI provider for review	Contract
Dashboard authentication and session management	Contract
Audit trail for review actions	Legitimate interest (security and dispute resolution)

5. How We Store and Protect Your Data

All data is stored on Amazon Web Services infrastructure in the us-east-1 (N. Virginia) region.

• GitHub App credentials (private key, webhook secret) are stored in AWS Secrets Manager, encrypted at rest. They are never logged or exposed in plaintext.
• PR review state is stored in Amazon DynamoDB with encryption at rest and automatic TTL-based expiration (90 days).
• Dashboard sessions use HttpOnly, Secure, SameSite=Lax cookies with a 24-hour expiry.
• All data in transit is encrypted using TLS 1.2 or higher.

6. Third-Party Data Sharing

We do not sell, trade, or share your personal data with third parties for commercial purposes. We share data only in the following limited circumstances:

• Tenant-configured AI providers — PR diff content is sent to the AI provider configured by the tenant using their own API credentials (for example Anthropic, OpenAI, Mistral, or others). Each provider's own privacy policy governs their data handling. Quartet does not control, and makes no representations about, any third-party AI provider's data practices. You are responsible for reviewing and accepting your chosen provider's policies.
• GitHub — We interact with GitHub's API to read PRs and post review comments. GitHub's Privacy Statement governs their data handling.
• Amazon Web Services — All data is hosted on AWS, which acts as a data processor under our agreement with them.
• Legal authorities — We may disclose data if required by law, court order, or to protect the safety of users or the public.

7. Data Retention

Data type	Retention period
PR review state and round history	90 days (automatically deleted via DynamoDB TTL)
Dashboard sessions	24 hours (automatically deleted on expiry)
Operational logs	30 days
PR diff content	Not stored; sent transiently to your configured AI provider during review

Upon uninstalling Quartet, all associated data expires automatically via TTL. For immediate deletion, contact privacy@quartet.tools.

8. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

• Access — Request a copy of the data we hold about you
• Correction — Request that inaccurate data be corrected
• Deletion — Request permanent deletion of your personal data
• Portability — Request your data in a machine-readable format
• Objection — Object to processing based on legitimate interests
• Withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
• Lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority (for example the ICO in the UK, or your EU member state's DPA)

To exercise any of these rights, contact privacy@quartet.tools. We will respond within 30 days.

9. Cookies

The Quartet dashboard uses a single session cookie:

Cookie	Purpose	Expiry
quartet_session	Maintains your authenticated dashboard session	24 hours; cleared on logout

This cookie is HttpOnly, Secure, and SameSite=Lax. We do not use advertising, tracking, or analytics cookies of any kind.

10. Children's Privacy

Quartet is not directed at children under 13. Our services are intended for software developers and team leads. If you believe we have inadvertently collected data from a minor, contact privacy@quartet.tools and we will delete it promptly.

11. International Data Transfers

Data is stored in the United States (AWS us-east-1). If you are located in the European Economic Area or United Kingdom, your data may be transferred to and processed in the United States. Where required by applicable law, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms to protect your data. We take appropriate measures to ensure your data remains protected in accordance with this policy.

12. Changes to This Policy

When we make material changes, we will update the effective date above. Continued use of Quartet after the effective date constitutes acceptance of the updated policy.

13. Contact