Privacy Policy
Last updated: March 2026
1. Introduction
Octopus ("we", "our", "us") is an open-source, AI-powered code review platform. This Privacy Policy explains how we collect, use, and protect your information when you use our cloud-hosted service. If you self-host Octopus, your own privacy policies apply.
2. Information We Collect
Account Information
When you sign up, we collect your name, email address, and profile picture through your OAuth provider (GitHub or Google). We do not store passwords.
Repository Data
When you connect a repository, we access its contents through the GitHub or Bitbucket API to create code embeddings and perform reviews. We process pull request diffs, file contents, and repository metadata.
Usage Data
We collect anonymous usage analytics (page views, feature usage) through Google Analytics to improve the product. We also track AI token consumption per organization for billing purposes.
3. How We Use Your Information
- To provide AI-powered code reviews on your pull requests
- To create and maintain code embeddings for context-aware reviews
- To authenticate you and manage your organization membership
- To track usage and enforce spend limits
- To improve the product based on aggregated, anonymized usage patterns
4. Code and Data Storage
Code embeddings (vector representations of your code) are stored in Qdrant. These embeddings cannot be reverse-engineered back into source code. We do not permanently store your raw source code. Pull request diffs are processed in memory and discarded after review.
Review results, findings, and AI-generated summaries are stored in our PostgreSQL database and associated with your organization.
5. Third-Party Services
We use the following third-party services to operate Octopus:
- OpenAI for generating code embeddings (text-embedding-3-large)
- Anthropic (Claude) and/or OpenAI for AI-powered code reviews
- GitHub / Bitbucket for repository access and webhook events
- Stripe for payment processing (if applicable)
- Google Analytics for anonymous usage analytics
Code snippets sent to AI providers are subject to their respective privacy policies. We recommend reviewing their data handling practices.
6. Data Retention
We retain your data for as long as your account is active. When you delete your account or remove a repository, associated data (embeddings, reviews, analytics) is soft-deleted and permanently purged within 30 days.
7. Data Security
We use industry-standard security measures including encrypted connections (TLS), secure authentication (OAuth 2.0), and access controls. API keys and tokens are encrypted at rest.
8. Your Rights
You have the right to:
- Access and export your data
- Request deletion of your account and associated data
- Disconnect repositories at any time
- Opt out of analytics tracking
For any privacy-related requests, open an issue on our GitHub repository or contact us directly.
9. Self-Hosting
Octopus is fully open source. If you self-host Octopus on your own infrastructure, your code never touches our servers. You are responsible for your own data handling and privacy compliance.
10. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the updated policy.