Last modified: June 15, 2026.

Privacy Policy

Privacy Policy Overview

Scitor (scitor.io / scitorapp.com) is owned and operated by MindByte. Scitor ("we", "us" or "our") applies this policy to the Subscriber (the "Subscriber", "user", "you" or "your"). By using Scitor, you expressly consent to the data handling practices described in this notice.

We collect minimal information when you install Scitor: the name of the repositories, the owner organisation, and the GitHub user who initiates the installation. We also collect aggregate information on what pages visitors access on our website. The information we collect is used to improve the content of our web pages and the quality of our service, and is not shared with or sold to other organisations for commercial purposes, except to provide products or services you have requested, when we have your permission, or under the following circumstances: it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law. We transfer information about you if Scitor is acquired by or merged with another company. In this event, Scitor will notify you before information about you is transferred and becomes subject to a different privacy policy.

Platform Scope

Scitor is designed exclusively for use with GitHub.com. We do not support GitHub Enterprise Server, self-hosted GitHub instances, or other source code hosting platforms. By using Scitor, you acknowledge that your data flows through GitHub.com and is subject to GitHub's privacy policy in addition to this policy.

Information Gathering and Usage

You may provide personal information to Scitor when you sign up to use the service. Scitor uses collected information for the following general purposes: product and service provision, identification and authentication, service improvement, contact, and research. We do not persistently store email contents or email headers. Incoming email content is processed in-memory to create GitHub Issues or Discussions, then discarded. Email addresses used for sender blocking are stored in a hashed format and cannot be retrieved or reversed.

AI Processing

Incoming messages may be processed by AI to generate summaries, detect sentiment, classify request types, and suggest matching saved replies. This processing runs on Cloudflare Workers AI — the same edge infrastructure as the rest of the service. AI processing is used solely to apply labels, metadata, and agent-facing suggestions to the resulting GitHub Issue or Discussion. Message content is not stored, logged, or used for model training by Scitor. Cloudflare's Workers AI processes data in accordance with Cloudflare's privacy policy and does not use customer data for model training.

Analytics

The Scitor marketing website (scitor.io) uses Statsig for conversion funnel analytics. Statsig records anonymised interaction events — such as which call-to-action buttons were clicked or whether the pricing section was viewed — to help us understand how visitors engage with the site. No personally identifiable information (name, email address, or GitHub username) is included in these events. Statsig processes data in the United States. See Statsig's privacy policy.

The Scitor app dashboard (app.scitor.io) uses PostHog for product analytics and session replay. PostHog records page views and feature interactions — such as AI draft usage and billing upgrade attempts — and session recordings to help us identify usability issues and improve the product. Users are identified by their GitHub user ID only, not by name or email address. PostHog is configured to run on their EU cloud (eu.i.posthog.com), meaning all data is stored and processed within the European Union under GDPR-compliant infrastructure. See PostHog's privacy policy.

Both tools are used solely for our own product improvement. We do not sell or share analytics data with advertisers or other third parties.

Cookies

The Scitor marketing website sets a session-level cookie via Statsig for analytics purposes. The app dashboard sets cookies and uses local storage via PostHog for product analytics and session replay. Neither service sets advertising or cross-site tracking cookies. You may disable non-essential cookies through your browser settings.

Data Storage

Scitor runs on Cloudflare's global edge network. Cloudflare acts as a data processor on behalf of Scitor. Customer account data (installation details, configuration, metrics) is stored in Cloudflare D1. Email attachments are stored in Cloudflare R2. Temporary data such as cached configuration and authentication tokens is stored in Cloudflare Workers KV. All data is encrypted in transit and at rest. Although Scitor owns the code, databases, and all rights to the application, you retain all rights to your data.

Saved Replies & Configuration Data

Saved reply templates and configuration files (e.g. .github/scitor.yaml) are read from your GitHub repository via the GitHub API and cached at the edge (Cloudflare Workers KV) for up to 5 minutes for performance. These files are not permanently stored outside of your GitHub repository. Cache entries are automatically invalidated when you push changes to the relevant files.

Source Code

Scitor does not store any of your private source code unless given explicit, written permission to access it in order to provide support. Scitor does not store GitHub credentials. As a GitHub App, Scitor uses certificate authentication to obtain temporary tokens scoped to the permissions you grant during installation. You can revoke access at any time from your GitHub settings.

Email Delivery

Outbound emails (replies sent via slash commands) are delivered through a third-party email provider (currently Resend). The email provider processes the message content solely for the purpose of delivery and is subject to its own privacy policy. Scitor does not retain copies of outbound email content after delivery.

GitHub Actions & Workflows

Scitor triggers GitHub events (Issues, Discussions, labels) that may in turn trigger GitHub Actions workflows configured in your repository. Any data processing performed by your own GitHub Actions workflows is outside the scope of this policy and is your responsibility. Scitor does not control, monitor, or have access to the execution environment of your GitHub Actions.

Data Security

We always put security at the forefront of our services. All webhook payloads are verified using cryptographic signatures before processing. GitHub API access uses short-lived, scoped tokens. We cannot, however, ensure or warrant the security of any information you transmit to Scitor, and you do so at your own risk. We make industry-reasonable efforts to ensure the security of our systems. If you find a vulnerability, please report it to us immediately at info@scitor.io. We ask that you do not publicly share the issue until it has been resolved.

Disclosure

Scitor may disclose personally identifiable information under special circumstances, such as to comply with subpoenas or when your actions violate the Terms of Service.

Changes

Scitor may periodically update this policy without further notice to you. Changes will be reflected by the "last modified" date above. It is your responsibility to check this policy periodically for changes. Your continued use of or access to the Service following the posting of any changes to this policy constitutes acceptance of those changes. We will notify you about significant changes in the way we treat personal information by placing a prominent notice on our site.

Questions

Any questions about the Privacy Policy should be addressed to support@scitor.io.