This policy explains what personal data we collect when you visit this website or use the Scryable application, why we collect it, how we use it, and what rights you have. We have written it in plain English. Where legal terms are unavoidable, we explain them.
Controller: Vigh Ventures Ltd, trading as Scryable, registered in England and Wales.
Vigh Ventures Ltd is registered with the Information Commissioner's Office (ICO) as required under UK GDPR.
For any privacy-related question, request, or complaint, contact us at privacy@scryable.ai.
This policy applies to personal data we process when you:
It does not cover data practices of third-party websites that we may link to.
When you browse scryable.ai we do not ask you to create an account or submit any personal data. The only data we may collect is:
When you sign in via GitHub, GitLab, or Bitbucket OAuth, we receive and store:
We use this data to create and manage your account, identify you when you sign back in, and display your profile within the Service.
To read data from your repositories on your behalf, we store the OAuth access token and refresh token issued by your provider. These tokens are encrypted using AES-256 before being stored and are never stored in plain text.
When you are signed in, we maintain a server-side session record tied to your account. A signed, httpOnly session cookie (scryable_session) is placed in your browser. This cookie is essential to the Service. Two additional short-lived cookies (scryable_oauth_state and scryable_oauth_link) are set during sign-in only and expire after 10 minutes.
When you connect a repository, we store basic identifying information: repository owner and name, provider-assigned repository ID, default branch name, whether the repository is private, and sync status. We do not access or store source code content.
Once a repository is connected, we read and store the following commit-level data:
This data relates to everyone who has made commits to a connected repository, including people who are not Scryable users. If you connect a repository, you are responsible for ensuring you have the right to share this metadata with us. Where that repository contains commits from colleagues or contributors, we recommend that you inform those individuals that their commit metadata will be processed by Scryable, in accordance with your obligations as a data controller under UK GDPR.
Where supported by the provider, we also store pull request ID, number, and title; author identity; state; timestamps (created, merged, closed, first review); and lines added, deleted, and files changed.
We create internal contributor records to group commit authors who appear under multiple names or email addresses. These records hold a display name, a primary email address, an avatar URL where available, and associated email addresses and names from commit history.
If you subscribe to a paid plan, we pass your email address to Stripe to create a billing customer record. Stripe handles all card data — we never see or store your payment card details. We store on our own systems: your Stripe customer ID and subscription ID, your current plan and billing cycle, subscription status and renewal dates, and whether you are on a free trial and when it ends.
If you use the Business plan team-seat feature, we store invitation records linking your account to teammates by their provider login.
We record the timestamp when you last used the Service and the timestamp when you last ran an analysis. We also collect anonymised product analytics events (see Section 5).
Under UK GDPR, we must have a lawful basis for processing personal data.
Scryable operates a self-hosted logging and metrics stack running on our own servers within the same infrastructure as the application. Logs and operational metrics contain internal identifiers (such as your numeric user ID and subscription plan tier) and technical information (request IDs, error messages, job identifiers). They do not contain your email address, OAuth tokens, or source code content. This data never leaves our own infrastructure and is not shared with any third party.
We use Google Analytics 4 (GA4) and Microsoft Clarity on this website to understand how visitors find and use the site. GA4 and Clarity are only loaded after you have clicked Accept on the cookie notice at the bottom of the page. If you decline, neither service is loaded and your visit is not tracked. IP anonymisation is enabled for GA4. Clarity records mouse movements, clicks, and scrolls to generate heatmaps and session recordings.
Within the Scryable application, we use GA4 to understand how users move through onboarding and how features are adopted. Events sent to GA4 include page navigation and named product events (for example: account created, repository connected, report viewed). These events do not include your email address, repository names, commit content, or any data that identifies another person.
Both this website and the application load fonts from Google Fonts (fonts.googleapis.com). This results in your IP address being sent to Google's servers when you load a page.
Location: The Service runs on a virtual server provided by DigitalOcean, LLC, hosted in the EU (Amsterdam region). Your data is stored in a PostgreSQL database on that server.
Encryption in transit: All traffic between your browser and the Service is encrypted via TLS (HTTPS).
Encryption at rest: OAuth access and refresh tokens are encrypted using AES-256 before being written to the database.
Access control: Our systems use signed, httpOnly session cookies. OAuth tokens are never exposed in API responses. The observability stack is not accessible from the public internet.
Data retention: We retain your personal data for as long as your account is active. If you delete your account, all your data — including repository metadata, commit data, contributor records, and subscription records — is permanently deleted from our database via cascading deletion. Encrypted backup copies are retained on the same server for up to 14 days before being automatically pruned.
We share personal data only with the parties listed below and only to the extent necessary to provide the Service. We do not sell your personal data and do not share it with advertising networks or data brokers.

| Third party | Purpose | Data shared | Location |
|---|---|---|---|
| DigitalOcean, LLC | Server hosting | All application data (stored on their infrastructure) | USA (server in EU/Amsterdam) |
| GitHub, Inc. | OAuth auth & repo data | OAuth code exchange; commit/PR metadata read via your token | USA |
| GitLab B.V. / GitLab Inc. | OAuth auth & repo data | As above | Netherlands / USA |
| Atlassian Pty Ltd (Bitbucket) | OAuth auth & repo data | As above | USA |
| Stripe, Inc. | Payment processing | Your email address, subscription plan and status | USA |
| Google LLC (Google Analytics 4) | Product analytics | Anonymised page paths and usage events; IP address (anonymised before processing) | USA |
| Microsoft Corporation (Clarity) | Heatmaps & session recordings | Mouse movements, clicks, scroll depth, page interactions; IP address | USA |
| Google LLC (Google Fonts) | Font rendering | Your IP address via standard browser font request | USA |

Some of the third parties above are based outside the UK. Where we transfer personal data to a country that does not benefit from a UK adequacy decision, we rely on appropriate safeguards.
DigitalOcean: your data is stored on a server physically located in DigitalOcean's Amsterdam (EU) data centre. DigitalOcean, LLC is a US entity, so this constitutes a transfer to a US company. DigitalOcean relies on Standard Contractual Clauses (SCCs) for UK/EU data transfers. The server location means your data does not physically leave the EU.
Stripe, GitHub, GitLab, Bitbucket, and Google: each of these organisations participates in a recognised data transfer mechanism (such as the UK International Data Transfer Agreement or Standard Contractual Clauses) or relies on the UK adequacy decision for transfers to the EEA. You can verify the applicable mechanism by reviewing each provider's privacy policy or data processing terms.
For questions about specific safeguards in place, contact us at privacy@scryable.ai.
You have the following rights in relation to your personal data:
To exercise any of these rights, contact us at privacy@scryable.ai. We will respond within one month and may need to verify your identity before acting.
The cookie notice shown at the bottom of this site defaults to denying analytics storage. GA4 and Clarity are only loaded if you click Accept.
Your cookie preference is stored in your browser's localStorage under the key scryable_cookie_consent. This is not a cookie — it contains only "granted" or "denied" and no personal data.
The application uses three first-party cookies that are strictly necessary for the Service to function:
The application also uses Google Analytics 4 cookies (_ga, _ga_*) to understand feature adoption. IP anonymisation is enabled. If you wish to prevent GA4 tracking, you can use the Google Analytics Opt-out Add-on or a content-blocking browser extension.
We do not use cookies for advertising, remarketing, or profiling.
For full details, see our Cookie Policy.
The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
We may update this policy from time to time. When we make material changes, we will update the date at the top of this page. Where changes are significant, we will notify you by email or by a notice within the Service.
If you are unhappy with how we have handled your personal data, please contact us first and we will do our best to resolve your concern.
Vigh Ventures Ltd, trading as Scryable
Email: privacy@scryable.ai
If you remain dissatisfied, you have the right to lodge a complaint with the UK's data protection supervisory authority: