graphchat
Legal

Privacy Policy

Effective date: May 5, 2026

graphchat ("we", "our", or "the service") is an open-source tool that builds and stores repository knowledge graphs so that you — and the AI agents you authorise — can query structured context efficiently. This policy explains what data we store, why, and what we never do with it.

Short version: Your data belongs to you. We store it on your behalf so your tools can use it. We do not analyse, sell, share, or monetise it in any way.

1. What data we store

Account information

When you create an account we store your email address, a bcrypt hash of your password (never the plaintext), and an optional display name. If you sign in via GitHub OAuth we store your GitHub user ID and email instead of a password.

Repository graph data

When you connect a repository we store the following — exclusively for serving your own queries:

  • Repository metadata: name, remote URL, branch name, last-sync timestamp.
  • Graph nodes: file paths, symbol names, docstrings, and code chunks extracted by static analysis.
  • Graph edges: call-site relationships, import links, and inferred connections.
  • Vector embeddings: numeric representations of code chunks used for semantic search.
  • Community and cluster labels produced by the Leiden algorithm.

This data is stored solely so you and the agents you authorise can query it. It is never read, analysed, or used by us for any purpose beyond serving your requests.

API keys and session tokens

API keys (sk-graphchat-…) are stored as bcrypt hashes only. The plaintext key is shown once at creation and is not stored anywhere in our system. JWT access and refresh tokens are stored hashed and expire automatically.

Operational logs

We collect minimal data to keep the service running:

  • Request logs (endpoint, HTTP status, response latency) — retained for up to 30 days for debugging.
  • Error traces — retained for up to 14 days.
  • Aggregated Redis cache counters — not tied to individual users.

We do not use tracking cookies. Session cookies maintain your authenticated browser session only and expire on sign-out.

2. What we do not do

  • We do not sell, rent, or share your data with any third party.
  • We do not run analytics or machine-learning models on your repository content.
  • We do not use your code or graph data to train any AI model.
  • We do not serve advertising of any kind.
  • We do not track you across other websites or services.
  • We do not process your data for any purpose other than fulfilling your own requests.

3. Open-source transparency

graphchat is open-source software. The full server-side code — including every data-access path — is publicly available for inspection. You can verify exactly what queries run against your data and where results go. If you find a discrepancy between this policy and the code, please file an issue in the repository.

4. Data sharing

We share data only in the following narrow circumstances:

  • GitHub OAuth: if you choose GitHub sign-in, GitHub shares your public email and user ID with us per their OAuth flow. We do not send your repository data back to GitHub beyond the standard API calls needed to list branches you explicitly select.
  • Infrastructure providers: your data is hosted on servers running the graphchat software. Infrastructure providers have no access to application-layer data.
  • Legal obligation: if required by a valid court order we may disclose the minimum data necessary, and we will notify you in advance where legally permitted.

5. Data retention and deletion

Your data is retained for as long as your account is active. You can delete individual repositories — and all associated graph data — from the dashboard at any time. To delete your entire account, email privacy@graphchat.co. We will permanently erase all data within 30 days.

Operational logs are deleted on the schedules above. Database backups are purged within 90 days of account deletion.

6. Security

We protect your data using:

  • TLS encryption in transit for all API and web traffic.
  • Bcrypt hashing for passwords and API keys — no plaintext secrets are ever stored.
  • Per-user rate limiting via a Redis sliding-window counter.
  • SSRF protection on all repository URLs — only public http/https hosts are accepted.
  • Path containment checks to prevent directory traversal in file operations.
  • HTML entity escaping on all user-supplied node labels to prevent XSS in exported graphs.

No system is perfectly secure. If you discover a vulnerability please disclose it responsibly by opening a security advisory in the repository or emailing security@graphchat.co.

7. Your rights

Regardless of where you are located, you have the right to:

  • Access: request a copy of the data we hold about you.
  • Correction: update incorrect account information via the Settings page.
  • Deletion: remove individual repositories from the dashboard, or request full account deletion.
  • Export: use gph export or the REST API to download your graph data at any time in machine-readable JSON.
  • Portability: graph data is stored in open formats (node-link JSON, GraphML) with no vendor lock-in.

8. Children

graphchat is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe we have inadvertently done so, contact us and we will delete it promptly.

9. Changes to this policy

If we make material changes we will update the effective date above and, where feasible, notify active users by email at least 14 days before the change takes effect. Continued use of the service after that date constitutes acceptance of the revised policy.

10. Contact

Questions about this policy or data requests:

privacy@graphchat.co

See also: Terms of Service