Your code stays in your CI.
ReviewRouter is designed for complex private codebases where code review needs central policy without centralizing source code. The SaaS keeps setup, model settings, health, and audit state while repository code, provider credentials, and review execution stay in customer GitHub Actions by default.
Review execution stays in customer CI by default.
ReviewRouter SaaS stores metadata needed for setup, config, health, audit, and support diagnostics. Source code, PR diffs, prompts, model responses, provider credentials, and review workloads stay out of ReviewRouter cloud by default.
The repository checkout and review prompt are created inside the customer's GitHub Actions job, not inside ReviewRouter cloud.
When AI review runs, the action calls the provider selected by the customer using credentials controlled by the customer.
ReviewRouter cloud keeps setup metadata, policy, audit, and health state so teams can operate reviews across many repositories.
What the SaaS may store
- GitHub account login, avatar URL, and GitHub user id after sign-in
- workspace, installation, repository, and selected-repository metadata
- workflow setup PR URLs, action refs, config versions, and safe health summaries
- audit events for setup, config, support diagnostics, and operational actions
- user-confirmed Balanced Memory snippets and safe memory metadata when Memory is enabled
What should not enter the SaaS
- repository source code
- pull request diffs, prompts, or model responses
- Codex auth.json, Claude Code OAuth tokens, OpenAI API keys, or OpenRouter keys
- raw GitHub webhook payload bodies after normalization
- raw memory source comments, embeddings, or deleted memory bodies in exports
Beta metadata is retained for setup, audit, support, and health operations. Balanced Memory usage telemetry is pruned on a bounded retention schedule. Deleted memory is removed from runtime retrieval immediately, ahead of later hard-delete maintenance.
Uninstalling the GitHub App stops future access. Workspace metadata deletion should be requested through quantjumppro@gmail.com until an owner self-serve deletion flow exists.
Hosted beta uses the production hosting, database, and GitHub integration stack. A formal subprocessor list belongs in the production legal package.
Memory is confirmed knowledge, not conversation custody.
When Memory is enabled, ReviewRouter may store short distilled snippets that a user explicitly asks to remember or that a model suggests for maintainer approval. Raw discussion threads, repository code, pull request diffs, prompts, model responses, and provider credentials are outside the Memory storage boundary.
Confirmation required
Repository and workspace memory is saved only after an authorized maintainer, repository admin, or workspace admin confirms it.
Distilled text only
Memory stores short confirmed guidance, preferences, or project facts. Raw code, diffs, prompt text, model output, and secrets are rejected before storage.
Scoped retrieval
Repository memory is scoped to that repository. Workspace memory stays inside the workspace. User preference memory is limited to safe response preferences.
Admin export
Workspace memory export is admin-only, audited, and size-bounded, and it excludes deleted rows, embeddings, raw source excerpts, and source hashes.
Runtime access stops before hard delete.
| Object | Retention behavior | Runtime exposure |
|---|---|---|
| Pending suggestions | expire if not confirmed | not used at runtime |
| Active memory | kept until disabled, deleted, or TTL-expired | retrievable when scope policy allows |
| Disabled memory | kept for admin inspection | not used at runtime |
| Deleted memory | redacted immediately, then pruned after retention | not used at runtime |
Workspace admins can export active, disabled, and expired memory as JSON. Deleted memory is excluded from export and runtime retrieval.
