Privacy

Last Updated

What we collect when you sign in

Sign-in uses GitHub OAuth. When you authorize AskScout, GitHub returns your user ID, username, display name, email, avatar URL, and a scoped access token.

Of those, only your GitHub user ID and username are stored in our database long term. Display name, email, and avatar URL live in your session cookie and are read from GitHub on each sign-in. We do not persist them in our database.

The OAuth scope we request is read:user repo. The repo portion of that scope is broad. GitHub doesn't offer a read-only repository scope, so granting access necessarily includes permissions we don't use (like writing to repos). AskScout only ever reads commits and diffs. It does not create, modify, or delete anything in your repos.

You can revoke the OAuth grant at any time at github.com/settings/applications.

What we collect while you use the app

  • Digest content: the daily/weekly summaries Scout generates from your git history, plus the underlying stats (commit count, files changed, lines added / removed)
  • Per-repo settings: your default repo, which digest sections you choose to show or hide
  • Quiet-day check-ins: a small record (date + repo) when you visit on a day with no commits, so your streaks stay alive
  • Project summary: a short rolling description of each repo we track, regenerated each run, used to give the next digest context

We do not collect analytics, behavioral telemetry, or third-party tracking pixels. We do not sell or rent any user data.

What gets sent to GitHub and the LLM provider

To generate a digest, AskScout reads commits and diffs from your repository through the GitHub API and sends them to a large language model to summarize. Specifically:

  • Commit messages, timestamps, authors, and the list of files each commit touched are sent to the LLM
  • Diff patches (the lines added and removed) are sent to the LLM, truncated against a global ~16,000-character cap per run with the largest patches trimmed first
  • Pull request titles and descriptions, plus the titles and bodies of any GitHub issues those pull requests reference (via #N), are sent to the LLM so the digest can ground itself in the stated intent behind each change. Each body is truncated to ~1,500 characters and the list is capped at the 10 most recent pull requests and 10 referenced issues per run.
  • For up to the 8 most-changed files in each digest, ~15 lines of surrounding source code around every changed hunk are sent so the LLM can read refactors, renames, and sparse edits in context. The content is pulled at the digest's starting commit (the parent of the oldest commit in the window). Each file's context is capped at ~3,000 characters and the total across all files is capped at ~24,000 characters per run.
  • Project metadata files (README, plus a single package manifest like package.json, pyproject.toml, Cargo.toml, go.mod, composer.json, or Gemfile) are read at the repository's default branch so the digest can frame each change in the right project context. README content is truncated to ~3,000 characters and manifest content to ~2,000 characters; package.json is filtered to name, description, version, scripts, and dependency lists before being sent. Lock files (package-lock.json, pnpm-lock.yaml, etc.), node_modules, and build artifacts are never read.
  • File paths are sent. Full source files outside the changed regions, environment variables, secrets, and build artifacts are not.

The LLM provider processes this content to produce the digest text. Treat AskScout the same way you would any tool that shares code with an LLM. Do not use it on repositories that contain credentials, secrets, or content you would not paste into an AI chat.

Where data is stored

  • User account, digests, settings, check-ins, project summaries: stored in our Supabase database, scoped to your user ID. Other users cannot read your data
  • Session: handled by NextAuth via an HTTP-only cookie that holds your GitHub access token. The cookie expires when your session does
  • API keys (LLM providers): held server-side as environment variables. Never written to the browser or shared with users

Data location and international transfers

AskScout is hosted on Vercel and uses Supabase for database storage, both US-headquartered providers. If you sign up from outside the United States, your data is transferred to and processed in the United States. By using AskScout you consent to that transfer. We do not currently offer regional data residency.

Security

  • In transit: all traffic to askscout.dev, the GitHub API, and the LLM provider runs over TLS
  • At rest: Supabase encrypts the database at rest by default
  • Access control: every database row is keyed to a user ID. Queries from the app server filter by the signed-in user. There is no admin UI that lets one user read another user's data
  • Secrets: LLM API keys and OAuth client secrets live in server-side environment variables and are never sent to the browser

Third parties

AskScout uses the following services to operate. Each has its own privacy policy:

  • GitHub: sign-in, repository access, commit and diff fetches
  • Supabase: database hosting for the data described above
  • Vercel: web hosting and edge delivery
  • An LLM provider (Anthropic or OpenAI, depending on which API key the app is configured with): receives the commit / diff payload during digest generation and returns the summary text

We do not embed third-party analytics, advertising trackers, or social-media pixels.

Cookies

AskScout sets one essential cookie, the NextAuth session cookie, used solely to keep you signed in. It is HTTP-only and Secure-flagged. We do not set marketing or analytics cookies.

Your rights and controls

  • See your data: everything we have on you is rendered in the app on the Dashboard, Insights, and Settings pages
  • Clear individual digests: Settings → Clear History (per repo or all at once)
  • Delete your account: Settings → Danger Zone → Delete Account. This removes every record tied to your user ID from our database. You'll need to sign in with GitHub again to use AskScout afterwards
  • Revoke GitHub access: at github.com/settings/applications. This stops us from making any further reads but doesn't delete data already stored. Use the account-deletion option above to remove that

Retention

Digests, project summaries, settings, and check-ins are retained as long as your account exists. They are deleted when you clear them in-app or delete your account. We do not keep backups of deleted user data beyond standard short-term operational backups maintained by Supabase, which roll off on their normal cycle.

Data breach notification

If we learn of a personal-data breach that meaningfully affects users, we will notify affected users by email within 72 hours of confirming the breach, in line with the GDPR Article 33 timeline. The notice will describe what happened, what data was affected, what we have done in response, and what you can do.

Regional rights (GDPR and CCPA)

We offer the same set of in-app controls and email-based requests to every user regardless of location. If you are in the EU/UK or California, the rights described under "Your rights and controls" (access, deletion, correction, restriction of processing, data export) cover the equivalent rights under GDPR and CCPA. We do not sell or share personal data within the meaning of CCPA. Our legal basis for processing under GDPR is performance of contract (running the AskScout service for you) and your consent at sign-in.

Children

AskScout is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we will delete the account.

Changes to this policy

If we change how data is handled in a meaningful way, we'll update this page and change the "last updated" date at the top. Material changes will be surfaced in the app the next time you sign in.
